Practical digital self-defense

By Anna Farahmand & Michael Webber

Volume 2
May 2012

'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together. — Bruce Schneier

© 2012 Anna Farahmand and Michael Webber. The copyright belongs to the authors. No legal action will be entered into regarding the copying, printing or sharing of this document in its unaltered form, so please copy, upload and share the wisdom of this document. No profiting from sales of this document will be tolerated. (Michael Webber)

Find more from Anna Farahmand and Michael Webber by searching for them on Google, or here:

Contents

Preface
Internet and its history
How the Net Works
Standards for connecting devices
Standards for identifying devices on the network
Domain names and IP addresses
Protocols for sending information through the network
The Web
Connecting to the Internet
Ports and Protocols
The layered networking model
Better Web Browsing and choosing a web browser
Cookies
Web Browsers: Firefox, IE, Chrome, Safari
Firefox: Secure Web Browser, installation, configuration, add-ons and more
What is GoogleSharing and the problem with Google
Anonymous Search Engines
How to Use GoogleSharing
Chrome add-ons
Secure Connections
HTTPS and connection authentication
TLS and StartTLS
How to use secure connections
Limitations of secure connections
Certificates
Basic verification
Complete verification
Webmail
PHP webmail clients: SquirrelMail vs. RoundCube webmail
Securing your email
Yahoo and Hotmail
Anonymous E-mail services
Riseup - Secure Email Service: create, configure, spam, filter phishing and more
Email clients: Why would I use a mail client?
Basic client configuration
Mail client secure connections (IMAPS and POP3S)
Thunderbird IMAP with Riseup account
Offline IMAP
Outlook
Eudora
Pine
K-9 Mail for Android: complete instructions
Message Security and concepts
Limitations of Message Encryption
Social Network Map
The US maintains a social network map of everyone
History of mass transactional surveillance
Prior to and after 9/11
Radical Servers list around the world
Advanced email security
Encrypted Email
Email Encryption with PGP
Apple Mail: create, manage accounts and complete configuration
Thunderbird: Download, install, use portable and create, manage accounts and complete configuration and more
Install Thunderbird on Windows
Installing Thunderbird on Mac OS X
Installing Thunderbird on Ubuntu
Preparing a Gmail account for use with Thunderbird
Setup Thunderbird on Ubuntu for Riseup mail
Portable GPG for Thunderbird
Install Enigmail and Run the OpenPGP Setup Wizard
Using Enigmail with GnuPG in Thunderbird
Install Enigmail and GnuPG
Install Gpg4win
Create and Export an OpenPGP Public/Private Key pair
Installing PGP on Ubuntu
Creating your PGP keys on Ubuntu
Setup OpenPGP Rules in brief for Ubuntu
Using GNOME's GUI frontend: Seahorse
Using PGP on Mac OS X
Android: Email security on Android
PGP on Android: APG
Daily PGP usage
Encrypting attachments
Receiving encrypted mails
Sending and receiving public keys
Using public key servers
Sending encrypted mails to an individual
Automating encryption to certain recipients
Verifying incoming emails
Revoking your PGP key-pair
Preparing for the worst: backup your keys
Webmail and PGP
Installing FireGPG and working with it
VaultletSuite - Secure Email Client: install, create account and configure
Evolution
Gmail Configuration in Evolution Mail Client
Secure Instant Messaging with OTR
Installing OTR
About Pidgin
Portable Pidgin and OTR
How to Create a Google Talk Account
Secure Pidgin for Linux
Jabber Clients
Using Riseup's Jabber service
About Adium
Other messenger clients
iChat
Adding Skype Contacts to Pidgin IM on Windows, Mac, or Linux
Secure chat with Skype: cryptochat4skype
Mobile Instant Messaging over Tor
Mobile Phone Security
Secure Text messaging
TorChat: extremely strong anonymity with encryption: complete instructions
JTorchat - obfsproxy: Ultimate secure chat based on obfsproxy
Secure Your Network and bypass Internet censorship
How censorship works
URL, DNS, Keyword and IP filtering
Traffic shaping and Port blocking
Internet shutdown
Denial of service
Gallery of national blockpages
Circumvention and Safety
Again HTTPS
Examples of sites that offer HTTPS
Simple Tricks to bypass censorship
Use either very old or very new technology
Web Proxies
Installing Web Proxies
Psiphon
SabzProxy
Proxy Settings of your browser and FoxyProxy
Proxy Switcher to manage proxies on Chrome
Introduction to circumvention tools
FreeGate
Simurgh
UltraSurf
VPN Services
VPN and secure connections
Man-in-the-middle Attacks
Popular free VPN services
Commercial VPN Services
VPN standards and encryption
Set up your own VPN service
OpenVPN
Tips for setting up OpenVPN
An Internet connection with personal VPN
Personal Riseup VPN anonymizes your connection
More about VPN standards
Riseup VPN
Setting up OpenVPN
Riseup Certificate Authority
VPN on Ubuntu
Registering an AirVPN account
OpenVPN on GNU/Linux
VPN Servers
VPNAutoconnect
VPN on Android phones
OpenVPN on Android
Rooting Any Android Phone
Install CyanogenMod 7.1
Setting VPN for Mac
OpenVPN on Mac
VPN on Windows
OpenVPN on Windows
Starting and stopping the RiseupVPN
Setting up PPTP
PPTP on Linux
PPTP on Android
Configuring PPTP for Mac OS X
Configuring PPTP on Windows
How to set up PPTP VPN on D-Link
How to set up PPTP / L2TP on DD-WRT
Hotspot Shield
PacketiX.NET
JanusVM
ProXPN
USAIP
VPNReactor
SecurityKiss
UltraVPN
CyberGhost VPN
Your-Freedom
Tor - The Onion Router for Digital Anonymity and Circumvention
Anonymous blogging over the Tor network
Vidalia
xB Browser
AdvTor
Obfsproxy
Tor Browser Bundle - Extreme Anonymity
JonDo
Test Your Anonymity
HTTP Proxies
SSH Tunnelling
KiTTY - Portable SSH Client for Windows
SOCKS Proxies
Risks of Operating a Proxy
Domains and DNS
Change your DNS settings in Ubuntu
Change your DNS settings in Windows
Edit your hosts file
Stop DNS leakage while using a VPN
Random MAC addresses
Researching and Documenting Censorship
Alkasir
Best Practices for Webmasters
Enabling remote access for others
Packet sniffing
Dealing with Port Blocking
File sharing technology
File hosting service
BitTorrent (protocol): P2P file sharing
Anonymous P2P technology - To equalize power between governments and their people
Public P2P programs
Ants
Freenet
GNUnet
Marabunta
MUTE
Nodezilla
OFF System
Perfect Dark
Rodi P2P
RShare
Share
SUMI
Winny
Private P2P programs
Alliance
NeoModus Direct Connect
GigaTribe
Gazzera
ExoSee
LogMeIn Hamachi
Hybrid Share
OnShare
Filenger
InterFace Messenger
P2P messenger
Yeemp
Friend-to-friend (F2F) network programs
AnoNet: cooperative chaos
Freenet
Galet
GNUnet
Kerjodando
OneSwarm
RetroShare
Turtle
WASTE
Anonymizing network layer
I2P
I2P vs. Tor: Bandwidth and Latency Comparison
BlackBeltPrivacy - P2P darknet with WASTE and Tor
Secure live systems
Tails
Liberté Linux
Privatix
Odebian
Polippix
Anonym.OS
ISXUbuntu
Phantomix Live CD
DemocraKey
Sabayon
Amnesic Incognito
ALPHA Anonymous Linux OS
Samurai
Telecomix
NodeZero

Everybody has their own idea of what security is, and security really is an individual matter. Different people have different needs and no single solution fits all; what works for someone else may not work for you. There are, however, certain fundamentals that apply to every situation.

Security is a process that protects you in some fashion, whether in the run-up to, during or after the events you are involved in. It exists to let your action, campaign or whatever else run smoothly, and to help keep everyone safe. There is always some risk; security processes reduce that risk to an acceptable level. It is up to you to decide what level of risk is acceptable and how best to deal with it. Sometimes you just have to take a chance.

Security is not a single thing. It is a process and a state of mind, and it has to be built into your life. Ideally it becomes second nature: you go through the steps that keep you secure automatically, and that mindset helps you avoid the errors of judgement you would regret later. There are devices and software that aid your security, but merely owning them is not security; they have to be part of an active security process. There is no point having a bug scanner if you do not use it regularly, and anti-virus software will not protect your computer unless it is updated regularly.

Security has many levels, but it must be built into your life, campaign or action from the start. Picking it up half way through, or after an action, is generally too late. The most important lesson about security can be written as an equation:

Security = Time + Effort

Security requires you to be proactive and to put the effort in, and you need to be prepared for that. Once you have decided on the appropriate security process, there is no room for shortcuts. Shortcuts are gaping holes in your plan that end up compromising you. Yes, there are times when you are simply too tired to encrypt all your sensitive files, but what is that half hour compared with the prison sentence that may await you if you are raided the following morning? Finally, if you are part of a group, security is not only about yourself but about everyone you are involved with. You can compromise them, and you have a responsibility to them.

This is the 21st century, the so-called Digital Age, an age in which information is more public than private. The sheer growth of the Internet has raised privacy concerns for a great many people. In the last few years the rapid growth of technology has brought a number of threats to our privacy: data retention, DNA registers, tracking of mobile phones, CCTV, the yellow tracking dots printed by our printers, and so on.

The justification offered for this is always vague, for example "If you have nothing to hide, you have nothing to fear." But we all have something to hide; not something illegal, just some part of our lives that we want to keep to ourselves. Or: "If it could prevent just one terrible crime, we believe it is worth it." This reveals a dangerous attitude to privacy, because for any privacy-reducing initiative you can always come up with some hypothetical hideous crime that it might prevent. Better hypothetical questions are: "If this invasion of privacy causes just one more suicide, is it still worth it?" and "If this invasion of privacy results in a less open society, with citizens not trusting their own government, is it still acceptable?"

As with computers generally, the Internet and the security and privacy issues around it have changed dramatically over the years. Some things have stayed the same, and they boil down to this: if you do not take care to obscure your tracks or encrypt your data, it remains open to a whole host of people. Monitoring Internet activity is as trivial as monitoring phones. All Internet traffic, whether email, instant messaging or web browsing, passes through various servers, and at any point along the way it can be picked up and read. Because of how the network is built, every computer online has an address (an IP address) which, even if it is temporary, can be combined with the logs of Internet Service Providers (ISPs) to identify a person. In many countries governments require ISPs to keep logs of activity and email for at least six months, so everything you do is not only watched but recorded.

The general-purpose personal computer and the Internet have been an enormous source of creativity and innovation. The general-purpose computer is threatened by attempts to lock it down using Digital Restrictions Management (DRM) and Trusted Computing. The function of the Internet is threatened by restrictions placed on ISPs, for example DNS blocking of The Pirate Bay. The basic message is that unless you take precautions, you must assume that everything you watch and open is being monitored.

Computers are high-tech solutions that carry risks of their own. Make sure you set your computer up properly and spend time getting to know it. Modern computers are fast enough that most security measures will not noticeably affect their performance, and it is always worth spending money on your security.

One important difference between digital, Internet-based communication and more traditional methods is that with the former you can often choose your own level of security. Emails, instant messages and VoIP conversations sent by insecure methods are almost certainly less private than letters or telephone calls, because powerful computers can automatically search through huge amounts of digital information to identify senders, recipients and specific keywords; carrying out the same level of surveillance on traditional channels takes far greater resources. If you take certain precautions, however, the opposite can be true. The flexibility of Internet communication tools and the strength of modern encryption can now provide a level of privacy that was once available only to national military and intelligence organizations.

We are entitled to privacy in the real world, so why not in the virtual one? There are many genuine reasons why people wish to stay anonymous on the Internet, ranging from simple paranoia, to hiding browsing activity from a spouse, to evading the authorities. So we take a technical approach to securing privacy, and then use the technical results to support our views on the current invasion of privacy. This lets us reach a broader audience, debate the privacy issues and put privacy on the political agenda. That is why we are here: to review some of the methods you can use to achieve your own privacy and anonymity.

Anna Farahmand May 2012

Internet and its history
Building the Internet

The creators of the Internet generally believed that there is only one Internet, that it is global, and that it should allow any two computers anywhere in the world to communicate directly with one another, assuming the owners of both computers want this to happen. In a 1996 memo, Brian Carpenter, then chairman of the Internet Architecture Board, wrote: "in very general terms, the [Internet engineering] community believes that the goal is connectivity ... [the] growth of the network seems to show that connectivity is its own reward, and is more valuable than any individual application." There is still a major community of Internet pioneers and early adopters who champion the ideals of worldwide interconnectivity, open standards, and free access to information, although these ideals often come into conflict with political and business interests and thus don't always directly influence the day-to-day operating practices and policies of individual parts of the Internet. The originators of the Internet also created, and continue to create, standards aimed at making it easier for others to build their own networks and join them to each other. Understanding Internet standards helps make clear how the Internet works and how network sites and services become accessible or inaccessible.

How the Net Works

Imagine a group of individuals who decide to share information on their computers by connecting them, and by sending information between these computers. Their efforts result in a set of devices able to communicate with each other via a computer network. Of course, the network can be even more valuable and useful if it is connected to other networks and hence to other computers and network users. This simple desire to connect and share information electronically is manifested today in the global Internet. As the Internet has grown rapidly, the complexity of its interconnections has also increased, and the Internet is literally built up from the interconnection of a tremendous number of networks.

The fundamental task of the Internet can be described as facilitating the journey of digital information from its origin to its destination, using a suitable path and an appropriate mode of transportation. Local computer networks, called Local Area Networks, or LANs, physically connect a number of computers and other devices at the same physical location to one another. They can also connect to other networks via devices called routers that manage the information flow between networks. Computers in a LAN can communicate with each other directly for purposes like sharing files and printers, or playing multi-player networked video games. A LAN could be useful even if it was not connected to the outside world, but it clearly becomes more useful when it is.

The Internet today is a decentralized world-wide network of such local computer networks, as well as larger networks such as university and corporate networks, and the networks of hosting providers. The organizations that arrange these interconnections between networks are called Internet Service Providers or ISPs. An ISP's responsibility is to deliver data to the appropriate place, usually by forwarding the data to another router (called "the next hop") closer to the data's final destination. Often, the next hop actually belongs to a different ISP. In order to do this, the ISP may purchase its own Internet access from a larger ISP, such as a national provider. (Some countries have only a single national-level provider, perhaps government-operated or government-affiliated, while others have several, which might be competing private telecommunications firms.) National providers may similarly receive their connections from one of the multinational companies that maintain and operate the servers and connections that are often mentioned as the backbone of the Internet. The backbone is made up of major network equipment installations and global connections between them via fiber-optic cables and satellites. These connections enable communications between Internet users in different countries and continents. National and international providers connect to this backbone through routers sometimes known as gateways, which are connections that allow disparate networks to communicate with each other. These gateways, just like other routers, may be a point at which Internet traffic is monitored or controlled.

Standards for connecting devices

Most LANs today are built with wired Ethernet or with wireless Ethernet (802.11 or Wi-Fi) technology. All of the interconnections (of LANs and other devices) that make up the Internet use common technical standards, or Internet protocols, to let computers find and communicate with one another. Often, the interconnections use privately-owned equipment and facilities, and are operated on a for-profit basis. In some jurisdictions, Internet connections are extensively regulated by law. In others, there is little or no regulation. The most basic standard that unites all of the devices on the global Internet is called the Internet Protocol (IP).

Standards for identifying devices on the network

When your computer connects to the Internet, it is normally assigned a numeric IP address. Like a postal address, the IP address uniquely identifies a single computer on the Internet. Unlike a postal address, however, an IP address (particularly for a personal computing device) is not necessarily permanently associated with a specific computer. So, when your computer disconnects from the Internet and reconnects at a later time, it may receive a different (unique) IP address. The version of IP currently in predominant use is IPv4. In IPv4, an address is written as four numbers in the range 0-255, separated by dots (e.g.

Domain names and IP addresses All Internet servers, such as those which host Web sites, also have IP addresses. For example, the IP address of is Since remembering IP addresses is cumbersome and IP addresses might change over time, specific systems are in place to make it easier for you to reach your destination on the Internet. This system is the Domain Name System (DNS), where a set of computers are dedicated to serving your computer with the IP addresses associated with the human-memorable "names". For example, to access the Witness Web site you would type in the address, also known as a domain name, instead of Your computer then sends a message with this name to a DNS server. After the DNS server translates the domain name into an IP address, it shares that information with your computer. This system makes Web browsing and other Internet applications more human-friendly for humans, and computer-friendly for computers. Mathematically speaking, IPv4 allows for a pool of about 4.2 billion different computers to be connected to the Internet. There is also technology that lets multiple computers share a single IP address. Despite this, the pool of available addresses was more or less exhausted at the beginning of 2011. As a result, the IPv6 protocol has been devised, with a much larger repository of possible unique addresses. IPv6 addresses are much longer, and even harder to remember, than traditional IPv4 addresses. An example of an IPv6 address is: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 Although as of 2011 less than 1% of the Internet uses the IPv6 protocol, this will probably change dramatically in the near future.

Protocols for sending information through the network

The information you exchange as you use the Internet can take many forms:

- an e-mail to your cousin
- a picture or video of an event
- a database of contact information
- a file containing a set of instructions
- a document containing a report on a sensitive topic
- a computer program that teaches a skill.

There is a wide variety of Internet software to handle these forms of information according to specific protocols, such as:

- e-mail via the Simple Mail Transfer Protocol (SMTP)
- instant messaging via the Extensible Messaging and Presence Protocol (XMPP)
- file sharing via the File Transfer Protocol (FTP)
- peer-to-peer file sharing via the BitTorrent protocol
- Usenet news via the Network News Transfer Protocol (NNTP)
- a combination of protocols: voice communication using Voice over Internet Protocol (VoIP), the Session Initiation Protocol (SIP) and the Real-time Transport Protocol (RTP).

The Web Although many people use the terms "the Internet" and "the Web" interchangeably, actually the Web refers to just one way of communicating using the Internet. When you access the Web, you do so using software called a Web browser, such as Mozilla Firefox, Google Chrome, Opera, or Microsoft Internet Explorer. The protocol that the Web operates on is called the Hyper-Text Transfer Protocol or HTTP. You might also have heard of HTTPS, which is the secure version of HTTP that uses Transport Layer Security (TLS) encryption to protect your communications.

Following your information on the Internet - the journey Let's follow the example of visiting a Web site from your home computer.

Connecting to the Internet

To connect your computer to the Internet, you may need some extra equipment, such as a modem or a router, to first connect to your ISP's network. End-user computers and home networks are usually connected to ISPs via one of several technologies:

- telephone modem ("dial-up"), sending Internet data over telephone lines in the form of a telephone call
- DSL, a more efficient and higher-speed way to send data over telephone lines over short distances
- cable modem (or "cable Internet"), sending Internet data over a cable television company's coaxial cable
- fiber-optic cables, particularly in densely populated areas of developed countries
- wide-area fixed wireless links, particularly in rural areas
- data service over the mobile phone network.

Browse to the Web site

1. You type in the site's address. The computer sends the domain name "" to a selected DNS server, which returns a message containing the IP address for the Tactical Tech Security in a Box Web server (currently, ).
2. The browser then sends a request for a connection to that IP address.
3. The request goes through a series of routers, each one forwarding a copy of the request to a router closer to the destination, until it reaches a router that finds the specific computer needed.
4. This computer sends information back to you, allowing your browser to send the full URL and receive the data to display the page.

The message from the Web site to you travels through other devices (computers or routers). Each such device along the path is called a "hop"; the number of hops is the number of computers or routers your message passes through on its way, and is often between 5 and 30.

Ports and Protocols

In order to share data and resources, computers need to agree on conventions about how to format and communicate information. These conventions, which we call protocols, are sometimes compared to the grammar of human languages. The Internet is based on a series of such protocols.

The layered networking model

Internet protocols rely on other protocols. For example, when you use a Web browser to access a Web site, the browser relies on the HTTP or HTTPS protocol to communicate with the Web server. This communication, in turn, relies on other protocols. Suppose we are using HTTPS for a particular Web site to ensure that we access it securely. HTTPS relies on the TLS protocol to encrypt the communications so that they stay private and unmodified as they travel across the network. The TLS protocol, in turn, relies on the TCP protocol to ensure that information is not accidentally lost or corrupted in transmission. Finally, TCP relies on the IP protocol to ensure that data is delivered to the intended destination.

Even while you use the encrypted HTTPS protocol, your computer still uses the unencrypted DNS protocol to retrieve the IP address for the domain name, so the name of the site you are visiting is visible to anyone on the path between you and the DNS server. DNS normally runs over the UDP protocol, whose port numbers direct the request to the DNS service on the server, and UDP relies on IP for actual transmission of the data to the intended destination. Because of this hierarchical relationship, we often refer to network protocols as existing in a set of layers. A protocol at each layer is responsible for a particular aspect of the communications functionality.
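As an added example (not code from the original guide), the following Python script builds the DNS query your computer sends for a domain name, parses the reply, and shows what an eavesdropper on the path can read from either datagram without any key. The name example.org, the address 192.0.2.10 and the 300-second TTL are constructed values; the reply is built locally so the script runs offline, and the optional resolve_over_udp function sends the same datagram to a real resolver on UDP port 53.

```python
import random
import socket
import struct


def encode_name(name):
    """Turn 'www.example.org' into DNS wire form: length-prefixed labels, zero-terminated."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Read a name at offset, following compression pointers; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_query(name, txid):
    """Standard recursive query for the A record of name (RFC 1035 header + question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(msg, expected_txid):
    """Return (rcode, [(name, ttl, ipv4)]) from a response datagram."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:  # the 16-bit id is the only thing tying a reply to our query
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0xF, answers


def build_response(query, ipv4, ttl=300):
    """Constructed resolver reply to build_query's output, answering with ipv4."""
    txid = query[:2]
    question = query[12:query.index(b"\x00", 12) + 5]  # name, terminator, QTYPE, QCLASS
    header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1, one answer
    rr = (b"\xC0\x0C"  # name: pointer to the question name at offset 12
          + struct.pack("!HHIH", 1, 1, ttl, 4)
          + bytes(int(x) for x in ipv4.split(".")))
    return header + question + rr


def visible_to_eavesdropper(datagram):
    """The queried name is readable by anyone on the path; no key is needed."""
    return decode_name(datagram, 12)[0]


def resolve_offline(name, ipv4="192.0.2.10"):
    """The whole exchange with a constructed reply instead of a network."""
    txid = random.randrange(0x10000)
    query = build_query(name, txid)
    reply = build_response(query, ipv4)
    rcode, answers = parse_response(reply, txid)
    return query, reply, rcode, answers


def resolve_over_udp(name, server, timeout=2.0):
    """Same query sent to a real resolver on UDP port 53 (needs network access)."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        reply, _ = sock.recvfrom(512)
    return parse_response(reply, txid)


if __name__ == "__main__":
    query, reply, rcode, answers = resolve_offline("example.org")
    print("query bytes:", query.hex())
    print("eavesdropper sees:", visible_to_eavesdropper(query), "->", answers)
```

Two things the bytes make plain: the name you are about to visit travels in clear text in both directions even when the web page itself will be fetched over HTTPS, and the only check tying a reply to a query is the 16-bit transaction id (plus the UDP source port), which is why forged DNS answers are a classic attack on unauthenticated DNS.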

Using Ports

Computers connect to each other via the TCP protocol mentioned above and stay connected for a period of time to allow higher-level protocols to carry out their tasks. TCP uses numbered ports to manage these connections and tell them apart. Port numbers also let a computer decide which particular software should handle a specific request or piece of data. (UDP also uses port numbers for this purpose.) The IANA (Internet Assigned Numbers Authority) assigns port numbers for the higher-level protocols used by application services. A few common examples of the standard assigned port numbers are:

- 20 and 21 - FTP (file transfer)
- 22 - SSH (secure shell remote access)
- 23 - Telnet (insecure remote access)
- 25 - SMTP (send e-mail)
- 53 - DNS (resolves a computer's name to an IP address)
- 80 - HTTP (normal Web browsing; also sometimes used for a proxy)
- 110 - POP3 (receive e-mail)
- 143 - IMAP (receive e-mail)
- 443 - HTTPS (secure Web connections)
- 993 - IMAPS (IMAP over TLS)
- 995 - POP3S (POP3 over TLS)
- 1080 - SOCKS proxy
- 1194 - OpenVPN
- 3128 - Squid proxy
- 8080 - standard HTTP-style proxy

Using these particular numbers is not generally a technical requirement of the protocols; in fact, any sort of data could be sent over any port (and using non standard ports can be a useful circumvention technique). However, these assignments are used by default, for convenience. For example, your Web browser knows that if you access a Web site without specifying any port number, it should automatically try using port 80. Other kinds of software have similar defaults so that you can normally use Internet services without knowing or remembering the port numbers associated with the services you use.

Cryptography

Cryptography is a form of technical defense against surveillance that uses sophisticated mathematical techniques to scramble communications, making them unintelligible to an eavesdropper. Cryptography can also prevent a network operator from modifying communications, or at least make such modifications detectable. It usually works like a tunnel from the software you are using, such as a Web browser, to the other end of the connection, such as a Web server. Modern cryptography is thought to be extremely difficult to defeat by technical means; widely available cryptographic software can give users very powerful privacy protection against eavesdropping.

On the other hand, encryption can be circumvented by several means, including targeted malware, or in general through key-management and key-exchange problems, when users cannot or do not follow the procedures necessary to use cryptography securely. For example, cryptographic applications usually need a way to verify the identity of the person or computer at the other end of a network connection; otherwise, the communication could be vulnerable to a man-in-the-middle attack where an eavesdropper impersonates one's communication partner in order to intercept supposedly private communications. This identity verification is handled in different ways by different software, but skipping or bypassing the verification step can increase one's vulnerability to surveillance.

Another surveillance technique is traffic analysis, where facts about a communication are used to infer something about its content, origin, destination, or meaning even if an eavesdropper is unable to understand the contents of the communication. Traffic analysis can be a very powerful technique and is very difficult to defend against; it is of particular concern for anonymity systems, where traffic analysis techniques might help identify an anonymous party. Advanced anonymity systems like Tor contain some measures intended to reduce the effectiveness of traffic analysis, but might still be vulnerable to it depending on the capabilities of the eavesdropper.
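The man-in-the-middle problem described above, as an added example that is not part of the original guide: a Diffie-Hellman key exchange between Alice and Bob, run once directly and once through Mallory, who replaces each side's public value with her own. Without identity verification both sides end up sharing a key with Mallory rather than with each other; when the two sides also authenticate their public values (here with an HMAC under a pre-shared secret, a deliberately simple stand-in for the certificates or signatures real protocols use), Mallory's substitution is detected and the exchange aborts. The party names, the pre-shared secret and the PSK mechanism are assumptions of this example; the group parameters are the 1024-bit MODP group from RFC 2409.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group, generator 2 (RFC 2409, Oakley group 2). Real deployments should
# use at least the 2048-bit RFC 3526 group or an elliptic-curve group; the group size
# does not change the man-in-the-middle lesson shown here.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """Symmetric key derived from the shared secret g^(xy) mod p."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(KEY_BYTES, "big")).digest()


class Party:
    """One endpoint. With a pre-shared key (psk) it authenticates the public value it
    sends and refuses any received value that does not carry a valid tag."""

    def __init__(self, name, psk=None):
        self.name, self.psk = name, psk
        self.priv, self.pub = dh_keypair()
        self.key = None

    def _tag(self, pub):
        return hmac.new(self.psk, str(pub).encode(), hashlib.sha256).digest()

    def offer(self):
        msg = {"from": self.name, "pub": self.pub}
        if self.psk is not None:
            msg["tag"] = self._tag(self.pub)
        return msg

    def accept(self, msg):
        if self.psk is not None:
            # Reject a public value that was not produced by a holder of the PSK.
            if not hmac.compare_digest(msg.get("tag", b""), self._tag(msg["pub"])):
                raise ValueError(f"{self.name}: unauthenticated public value, possible man-in-the-middle")
        self.key = dh_shared_key(self.priv, msg["pub"])


def run_exchange(alice, bob, mallory=None):
    """Run the exchange directly, or through Mallory, who swaps in her own public value."""
    a_msg, b_msg = alice.offer(), bob.offer()
    if mallory is None:
        bob.accept(a_msg)
        alice.accept(b_msg)
        return {"alice": alice.key, "bob": bob.key}
    to_bob = dict(a_msg, pub=mallory.pub)    # "Alice's" value, as Bob receives it
    to_alice = dict(b_msg, pub=mallory.pub)  # "Bob's" value, as Alice receives it
    bob.accept(to_bob)
    alice.accept(to_alice)
    return {
        "alice": alice.key,
        "bob": bob.key,
        "mallory_with_alice": dh_shared_key(mallory.priv, a_msg["pub"]),
        "mallory_with_bob": dh_shared_key(mallory.priv, b_msg["pub"]),
    }


def mitm_detected(psk):
    """True if the exchange aborts when Mallory interferes."""
    try:
        run_exchange(Party("alice", psk), Party("bob", psk), Party("mallory"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    keys = run_exchange(Party("alice"), Party("bob"), Party("mallory"))
    print("unauthenticated: Alice shares her key with Mallory:",
          keys["alice"] == keys["mallory_with_alice"])
    print("authenticated: interference detected:", mitm_detected(b"constructed pre-shared secret"))
```

The unauthenticated run is exactly the situation the text warns about: the mathematics of the key exchange works perfectly, yet each party has agreed a key with the attacker, who can decrypt, read and re-encrypt everything in between. The PSK tag is only a demonstration of the missing step: it binds nothing but the public value, so a real protocol also binds the whole transcript (to stop replay) and uses per-identity credentials such as certificates or signing keys, which is what TLS certificate checking and OpenPGP key verification provide in the tools covered later in this guide.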

Better Web Browsing and choosing a web browser

Currently there are four major web browsers: Firefox, Chrome, Internet Explorer and Safari. All four have had major security flaws in the recent past, so whichever one you choose, make sure you are using the most up-to-date version. We strongly advise against using Internet Explorer (IE) prior to version 9. All four major browsers receive a failing grade in our Browser Privacy Scorecard.

Browser Privacy Scorecard

Rating the privacy features of web browsers from F to A+. Each browser is scored on cookie controls, third-party cookies, Flash cookies and tracking opt-out; the topics are explained below the scorecard. (Two cells were not given in the original scorecard; the Chrome and Safari rows are identified by the features they describe, Chrome's Keep My Opt-Outs extension and Safari's default blocking of third-party cookies.)

Firefox
  Cookie controls: C. Some block-list control.
  Third-party cookies: D. Enabled by default.
  Flash cookies: F. Can't be blocked.
  Tracking opt-out: C-. Only supports the "Do Not Track" header, disabled by default.

Internet Explorer (before version 9)
  Cookie controls: unknown.
  Third-party cookies: F. Enabled by default, and sometimes sent even when disabled.
  Flash cookies: F. Can't be blocked.
  Tracking opt-out: F-. Microsoft engineers originally built awesome anti-tracking technology into IE, and then their bosses made it totally useless.

Internet Explorer 9
  Cookie controls: A. Good block-list controls.
  Third-party cookies: F. Enabled by default, and sometimes sent even when disabled.
  Flash cookies: unknown.
  Tracking opt-out: B. Supports both the "Do Not Track" header and "Tracking Protection Lists" (what is enabled by default?).

Chrome
  Cookie controls: not given.
  Third-party cookies: F. Enabled by default, and sometimes sent even when disabled.
  Flash cookies: F. Can't be blocked.
  Tracking opt-out: D-. Horrible anti-tracking support, only available as an optional extension called Keep My Opt-Outs.

Safari
  Cookie controls: not given.
  Third-party cookies: B+. Disabled by default, but sometimes sent even when disabled.
  Flash cookies: F. Can't be blocked.
  Tracking opt-out: F. No anti-tracking feature.

Explanation of topics
Cookie control

Since some sites do require cookies and you may want to allow them for sites you trust, you do not want to just block all cookies, but allow them on a site-by-site basis. The browsers are evaluated here based on how well they allow the user to block untrusted sites (should be the default) and allow trusted sites (should be an easily modifiable list).

Third-party Cookies

Cookies are required whenever you log in to a website (technically, you can create a login session without cookies, but not very securely). However, almost all websites also transmit cookies from third parties that are used to track your clicks and behavior across many websites. There is no legitimate use for third party cookies — their only use is to keep you under surveillance. Third party cookies should be blocked by default in all browsers.

Flash Cookies

As more people block cookies, a huge number of websites have switched to tracking people by setting special cookies via the Adobe Flash plug-in. These cookies are even worse than third party cookies and are harder to get rid of. The newer browsers can be made to block Flash cookies, but only in "private browsing" or "incognito" mode.

Tracking Opt-out

There are three methods of opting out of behavioral tracking:

Do Not Track HTTP header: The "Do Not Track" header tells websites that you don't want to be tracked. It is a good idea, but is not supported yet by any advertisers, and may never be. Currently, Firefox 4 and Internet Explorer 9 have optional support for the Do Not Track header.

Tracking Protection Lists: Browsers with "Tracking Protection Lists" allow you to subscribe to a list of companies that will be blocked. This is a great method, because it works today and allows you to effectively block almost all tracking. Support for Tracking Protection Lists is built into Internet Explorer 9 and can be added to Firefox and Chrome by using the Adblock Plus extension.

Opt-out cookies: Opt-out cookies are a system pushed by the advertising industry. This method has many flaws, and has been shown by researchers to be only marginally respected by advertisers. Advertisers allow you to set special cookies to tell them you don't want to be tracked. These cookies can be easily deleted, however, so some browser extensions will allow you to keep these cookies once set (as with Chrome) or to automatically set them (as with Beef TACO for Firefox).
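The first-party/third-party distinction and the "block untrusted by default, allow a trusted list" policy described above, as an added example that is not part of the original guide. The tiny public-suffix table, the sample page and the sample Set-Cookie headers are constructed; a browser would use the full Public Suffix List.

```javascript
// Added example (not from the guide): classifying a cookie as first- or
// third-party and applying the Scorecard's ideal policy: third-party cookies
// are always blocked, first-party cookies are blocked unless the site is on
// the user's trusted list. The suffix table is a constructed, deliberately
// tiny stand-in for the Public Suffix List a browser would use.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain (the "site"): the longest known public suffix plus one
// label, so news.example.co.uk and www.example.co.uk are the same site.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // no known suffix: treat the whole host as the site
}

// Minimal Set-Cookie parser: returns the cookie name and its Domain attribute
// (if any), which decides which site the cookie really belongs to.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const name = parts[0].split("=")[0];
  let domain = null;
  for (const attr of parts.slice(1)) {
    const [key, value = ""] = attr.split("=");
    if (key.toLowerCase() === "domain") domain = value.replace(/^\./, "");
  }
  return { name, domain };
}

// Decide what to do with a Set-Cookie received from resourceUrl while the
// user is viewing pageUrl. trustedSites holds registrable domains the user
// has allowed (the "easily modifiable list" the Scorecard asks for).
function cookieDecision(pageUrl, resourceUrl, setCookieHeader, trustedSites) {
  const pageSite = registrableDomain(new URL(pageUrl).hostname);
  const cookie = parseSetCookie(setCookieHeader);
  const cookieSite = registrableDomain(cookie.domain || new URL(resourceUrl).hostname);
  const kind = cookieSite === pageSite ? "first-party" : "third-party";
  let action, reason;
  if (kind === "third-party") {
    action = "block"; reason = "third-party cookies are always blocked";
  } else if (trustedSites.has(cookieSite)) {
    action = "allow"; reason = "first-party cookie from a trusted site";
  } else {
    action = "block"; reason = "first-party cookie, but site is not on the trusted list";
  }
  return { name: cookie.name, site: cookieSite, kind, action, reason };
}

// Constructed sample: one page load that triggers three Set-Cookie headers.
const PAGE = "https://www.example.co.uk/news/article";
const OBSERVED = [
  ["https://www.example.co.uk/news/article", "session=abc123; Path=/; Secure; HttpOnly"],
  ["https://static.example.co.uk/app.js", "prefs=dark; Domain=.example.co.uk; Path=/"],
  ["https://pixel.adnetwork.com/p.gif", "uid=42; Domain=.adnetwork.com; Expires=Fri, 01 Jan 2038 00:00:00 GMT"],
];
const TRUSTED = new Set(["example.co.uk"]);

function auditPageCookies(pageUrl, observed, trustedSites) {
  return observed.map(([url, header]) => cookieDecision(pageUrl, url, header, trustedSites));
}

for (const d of auditPageCookies(PAGE, OBSERVED, TRUSTED)) {
  console.log(`${d.action.toUpperCase().padEnd(5)} ${d.name.padEnd(8)} ${d.kind.padEnd(12)} ${d.site}  (${d.reason})`);
}
```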

Scorecard Notes


Firefox

Tracking Opt-out: Announced in early 2011, Firefox will support an optional ability to tell a web site you want to “opt-out” of tracking. This opt-out is disabled by default and few websites support it. Technologically, Firefox is doing this the “right way” and the EFF has applauded Firefox’s move. However, we still give Firefox a failing grade because this blocking does not actually do much of anything currently and will only be effective if trackers are required by law to honor it, which seems extremely unlikely — especially since it is very difficult to enforce national privacy law on the global internet.

Internet Explorer

Tracking Opt-out: Originally, the engineers at Microsoft built the best anti-tracking technology in existence: the browser would automatically detect when your behavior was being tracked across different websites and would block this tracking. This was also enabled by default! Once the advertising executives got wind of this, a battle ensued within Microsoft. Eventually, the engineers lost and the advertisers won: Internet Explorer is distributed with this feature, but it is only available while InPrivate browsing is on. This makes it useless, because it must be enabled manually for each browser window and doesn’t work with the normal browsing mode (this is important, because only in normal browsing mode do you have many handy features, like bookmarks, your history and form completion).

Internet Explorer 9

Version 9 of Internet Explorer is much better than all the previous versions.

Tracking Opt-out: IE9 was the first browser to support the Do Not Track header and Tracking Protection Lists.


Chrome

Tracking Opt-out: Announced in early 2011, Chrome will allow users to set a special “opt-out” cookie that is recognized by members of the Network Advertising Initiative. This method is nearly useless. One report found that the NAI cookie did not work consistently, ignored new ways of profiling and tracking, does not include a majority of industry groups, and lacks transparency. The report concludes that “the only success of the NAI has been lulling regulators into thinking that self-regulation fairly and effectively addresses the interests of consumers who are the targets of behavioral advertising.”

Cookie controls: the way that Chromium allows users to control cookies is fairly advanced. You can block all cookies and selectively (through a context-menu that pops up in the URL bar) enable certain domains as you see fit. You can also directly see which cookies are set for the site you are visiting in that dialog. Also, when you set your config to “ask first”, you get the confirmation dialogs one at a time instead of all at once as in Firefox.

Safari

Third-party cookies: Safari wins as the only browser to disable third-party cookies by default.

Other: Safari deserves bonus points for being the only browser immune to history harvesting.

Tracking Opt-out: At this time, I don’t think any is planned.

How to get an “A+”

What would a browser need to do in order to score “A+” on the scorecard?

Third-Party Cookies: There is no legitimate use for third party cookies. They should always be blocked.

Tracking Opt-out: The ideal would be…
o enabled by default: At a minimum, the user should be presented with a choice the first time they use the browser.
o do-not-track header: The browser should send the “do-not-track” header like Firefox, in case anyone ever actually honors it.
o detected tracking: The browser can, and should, detect when tracking is happening and shut it down. You should not need to rely on the voluntary compliance of the tracker to honor your settings. This is what IE was going to do, until the executives killed it.
o block lists: Allow the user to subscribe to lists of trackers that will get blocked.
o on for normal browsing: tracking opt-out is useless if it is only enabled while in a special “Secure Browsing” mode.

However, these browsers can be made much better by installing extensions.

Adjust your settings

Settings you should adjust:
o disable third party cookies
o clear cookies on exit
o set a master password

Use secure connections

When your browser establishes a secure connection to a website, all the data between you and the website is encrypted. You are using a secure connection if you see HTTPS in the location bar instead of HTTP.

Privacy enhancing extensions

Although there is not yet a browser with good privacy capabilities, you can greatly improve your browser with a few add-ons.

Firefox with add-ons - Secure Web Browser
Homepage:
Computer Requirements: All Windows Versions
Recommended add-ons for Firefox 4.0.1 (now Firefox 8 is available):
o NoScript
o Adblock Plus 1.3.8
o Better Privacy 1.5.1
o Beef Taco 1.3.3
o GoogleSharing 0.20
o HTTPS Everywhere 0.9.6

GNU Linux, Mac OS and other Microsoft Windows Compatible Programs: The Mozilla Firefox browser is available for GNU Linux, Mac OS, Microsoft Windows and other operating systems. The secure management of web pages is absolutely vital, as they are the most common source of malware infection. Therefore, we strongly recommend that you use Mozilla Firefox and the prescribed add-ons for this purpose. The security advantages available in Firefox, a cross-platform free and open source program, are even more important when compared to its commercial equivalents like Internet Explorer. However, if you would prefer to use a program other than Mozilla Firefox, we recommend the following alternatives available for GNU Linux, Mac OS and Microsoft Windows:
 

Google Chrome:
Opera:

Important: The overwhelming majority of malware and spyware infections originate from web pages. It is very important that you always consider whether it is safe to open a given web address, especially if you received it by email. Before you decide to open a page, we recommend that you scan the web address using the following page scanners:

You can also check the reputation of a web site using the scanners listed below:

 

How to Install and Configure Firefox
About Firefox

Firefox has many easy-to-use settings for protecting your privacy and security whenever you access the Internet. How frequently you may have to configure these settings depends on your particular situation:

If you are using your personal computer, and do not allow others to use it for browsing purposes, you need only configure these settings once. If you are in a public location or at work, you may have to repeatedly re-configure these settings for your own use.

Note: You may also carry a portable version of Firefox on a USB memory stick with you. This lets you configure Firefox according to your requirements, and you can use this version on any public computer.

How to Install Firefox

Installing Firefox is a simple and straightforward process. To begin installing Firefox, perform the following steps:

Step 1. Double-click the Firefox installer; the Open File - Security Warning dialog box may appear. If it does, confirm it to activate the Extracting progress status bar.

A few moments later, the Welcome to the Firefox Setup Wizard window will appear.

Step 2. Follow the steps in the guided installation process, and simply accept the default options and settings.

Note: Do not change the default options and settings unless you know what you are doing and why you are doing so.

How to Configure the General pane options

To begin configuring Firefox, perform the following steps:

Step 1. Select Tools > Options... in the Firefox menu bar as follows:

The Tools menu with the Options item selected

This will activate the Options window as follows:

The Options window displaying the default General pane

Tip: Click the General icon if the General pane is not automatically displayed as shown in Figure above.

The General pane lets you configure a few basic Firefox settings, among them your preferred home page and the location of your Downloads folder. The default setting for the When Firefox starts drop-down menu is Show my home page, and the default home page is the Mozilla Firefox Start Page.

Tip: Use the Home Page controls in this pane to set another page you know to be trustworthy as your home page.

How to Configure the Privacy pane options

The Privacy pane lets you manage privacy and security options for the browser.

Step 1. Click the Privacy icon to activate the following screen:

The Options window displaying the Privacy pane

The Privacy pane is divided into two sections: the History section and the Location bar section.

The History section

The History section lets you manage your Firefox browser 'history', that is, a list of all the different sites you have visited since you began using Firefox. The default Firefox will: option is Remember history and must be changed to protect your internet privacy and security. To eliminate traces of your browsing history, perform the following steps:

Step 1. Activate the Firefox will: drop-down list and select the Never remember history item as shown in Figure above.

Step 2. Click the link that opens the Clear All History window to activate the following screen:

The Clear All History window

Step 3. Select all check-boxes and click the clear button to clear Firefox of all potentially revealing data, and return to the Privacy pane.

The Location bar section

The Location bar section uses addresses, cookies and other temporary data from bookmarked web sites, and the web history, to prompt or suggest addresses in the Firefox Uniform Resource Locator (URL) bar for your browsing convenience. The default When using the location bar, suggest: option is History and Bookmarks, and must be changed to protect your internet privacy and security. To eliminate traces of your browsing habits and history, perform the following steps:

Step 1. Activate the When using the location bar, suggest: drop-down list and then select the Nothing item as shown in Figure below and Figure above:

The Location bar displaying the Nothing item

Step 2. Confirm your settings and exit the Options window.

Note: For a more secure and thorough approach to deleting temporary data, please refer to the section CCleaner.

How to Configure the Security pane options

The Security pane is divided into two sections: the first deals with potentially threatening actions from external sources and the second, the Passwords section, with password management.

Note: For more information on password storage, please refer to the chapter on KeePass.

Step 1. Select Tools > Options... in the Firefox menu bar to activate the Options window, and then click the Security tab to activate the following screen:

The Options window displaying the Security pane

Step 2. Accept the default settings in the first section.

The Passwords section

The Passwords section lets you manage your passwords. The default Remember passwords for sites option is enabled the first time you install and run Firefox, and must be disabled to ensure your password privacy and security.

Step 1. Clear the Remember passwords for sites check-box to disable the option, and then confirm to complete the configuration of the Security pane in the Options window.

How to Configure the Advanced pane options

The Advanced tab, as its name suggests, is designed with the Advanced or Experienced Firefox user in mind. However, users of all levels will benefit from enabling the following two options on the General tab.

The Warn me when websites try to redirect or reload the page option enables Firefox to prevent web sites from automatically redirecting you to another page, or reloading themselves without your consent or knowledge. The Tell web sites I do not want to be tracked option directs Firefox to request that any web site you visit not track your browsing habits. Although individual web sites are neither legally nor technically compelled to respect such requests, enabling this option reduces your exposure to potentially harmful advertisements online.

The Advanced pane options with the default General tab displayed

Step 1. Enable the Warn me when websites try to redirect or reload the page check-box as shown in Figure above.

Step 2. Enable the Tell web sites I do not want to be tracked check-box as shown in Figure above.

Step 3. Confirm to apply these changes and exit the Advanced tab.

Congratulations! Firefox is now configured to browse the Internet in a private and secure manner.
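The Privacy, Security and Advanced pane steps above all end up as preferences in the profile's prefs.js (or a user.js that overrides it). As an added example that is not part of the original guide, the following audits such a file against those settings and emits the user.js lines that would apply the missing ones. The preference names are Firefox's own; the mapping of each GUI option to a preference (Firefox 4 to 8 era) and the sample prefs.js are this example's assumptions.

```javascript
// Added example, not from the guide: audit a Firefox prefs.js or user.js
// against the settings the Privacy, Security and Advanced pane steps above
// produce, and emit the user.js lines that would apply the missing ones.
// The preference names are Firefox's; the mapping of each GUI option to a
// pref is this example's assumption (Firefox 4 to 8 era), as is the sample.
const HARDENED_PREFS = {
  "network.cookie.cookieBehavior":       { want: 1,     option: "disable third party cookies" },
  "network.cookie.lifetimePolicy":       { want: 2,     option: "clear cookies on exit" },
  "places.history.enabled":              { want: false, option: "Firefox will: Never remember history" },
  "browser.urlbar.autocomplete.enabled": { want: false, option: "When using the location bar, suggest: Nothing" },
  "signon.rememberSignons":              { want: false, option: "Remember passwords for sites (disabled)" },
  "accessibility.blockautorefresh":      { want: true,  option: "Warn me when websites try to redirect or reload the page" },
  "privacy.donottrackheader.enabled":    { want: true,  option: "Tell web sites I do not want to be tracked" },
};

// Parse user_pref("name", value); lines, allowing a trailing // comment.
// Values are JSON-compatible (true/false, numbers, "strings"), so JSON.parse
// recovers them; a later line for the same pref overrides an earlier one.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*(?:\/\/.*)?$/;
  for (const line of text.split(/\r?\n/)) {
    const m = re.exec(line);
    if (!m) continue; // comments, blank lines, anything else
    try { prefs[m[1]] = JSON.parse(m[2]); } catch (e) { prefs[m[1]] = m[2]; }
  }
  return prefs;
}

// One finding per recommended setting that is unset (have === undefined,
// i.e. the Firefox default applies) or set to another value.
function auditPrefs(text) {
  const prefs = parsePrefs(text);
  const findings = [];
  for (const [pref, { want, option }] of Object.entries(HARDENED_PREFS)) {
    const have = Object.prototype.hasOwnProperty.call(prefs, pref) ? prefs[pref] : undefined;
    if (have !== want) findings.push({ pref, option, have, want });
  }
  return findings;
}

// user.js lines that would bring the profile into line with the findings.
function renderUserJs(findings) {
  return findings.map((f) => `user_pref("${f.pref}", ${JSON.stringify(f.want)}); // ${f.option}`);
}

const SAMPLE_PREFS = `// Constructed sample prefs.js, not taken from a real profile
user_pref("browser.startup.homepage", "about:home");
user_pref("network.cookie.cookieBehavior", 0);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("signon.rememberSignons", false);
`;

for (const f of auditPrefs(SAMPLE_PREFS)) {
  const have = f.have === undefined ? "default" : JSON.stringify(f.have);
  console.log(`${f.pref}: have ${have}, want ${JSON.stringify(f.want)}  (${f.option})`);
}
console.log("\n// user.js lines to apply:");
console.log(renderUserJs(auditPrefs(SAMPLE_PREFS)).join("\n"));
```

Setting a master password has no user.js equivalent (it lives in the profile's key database), so it still has to be done through the Security pane.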

How to Install Firefox Add-ons
About Mozilla Add-ons

In the context of Mozilla products, an add-on is simply a lightweight software program which adds new features or extends existing functionality. As such, add-ons are sometimes referred to as extensions, and are identified by the .xpi file extension. For instance, the NoScript add-on file is noscript-2.0.7-fx+sm+fn.xpi. A plugin is essentially a piece of software, usually designed by a third party, to enable the use of their software within the Firefox browser. An example of a common plugin would be the Flash plugin designed to display Adobe Flash content within the Firefox browser window.

How to Install Mozilla Add-ons

Downloading and installing Mozilla Add-ons is quick and simple. To begin downloading and installing different add-ons, perform the following steps:

Step 1. Select Start > Mozilla Firefox or double-click the Firefox desktop icon to open Firefox.

Step 2. Type the Mozilla Add-ons address into the Firefox address bar, and then press Enter to activate the Mozilla Add-ons for Firefox site.

Step 3. Type the name of the add-on into the Mozilla search field (the Adblock Plus add-on is used in this example) as follows:

The Mozilla Firefox Add-ons Search bar displaying Adblock Plus

Step 4. Either click the search button or press Enter to display the following screen:

The Keyword Match pane displaying the search result

Step 5. Click the add-on's install button to activate the following screens:

The Add-on Search Results for Adblock Plus :: Add-ons for Firefox window

The Software Installation window associated with Adblock Plus

Step 6. Click the install button after it becomes enabled to begin installing the add-on; after the installation has been completed, the following screen will appear:

The Add-on Search Results for Adblock Plus :: Add-ons for Firefox window

Step 7. Click the restart button to complete the installation process.

Firefox will automatically re-start itself.

Tip: Select the Not Now item if you prefer to re-start Firefox later.

Step 8. Select the Add-ons item in the Tools menu in the Firefox menu bar to activate the following screen:

The Tools menu with the Add-ons item selected

The Add-ons Manager tab displaying the newly installed Adblock Plus add-on

Important: Do not install add-ons from unknown sources. Instead, always install add-ons from the Mozilla Add-ons web site for improved security.

How to Disable or Remove a Mozilla Add-on

The Add-ons tab displays all installed add-ons as shown in Figure above. Any Mozilla add-on can be either temporarily disabled or completely removed by clicking the corresponding button. However, in both instances, Firefox must be restarted for the changes to take effect.

How to Update Mozilla Add-ons

Every so often, the various add-ons must be updated to be compatible or current with the latest version of Firefox. Depending on the availability of your bandwidth, you may choose to either update these add-ons automatically or manually.

Step 1. Click the update button to activate its associated menu, and then select the Check for updates item to manually update your add-ons as shown in Figure below.

The Add-ons Manager update button displaying its associated drop-down list

Step 2. Alternatively, select the Update Add-ons Automatically item to update your add-ons automatically as shown in Figure above.

How to Update Mozilla Plugins

Given that a few plugins may not automatically update themselves, users are strongly recommended to check for the latest updates of Mozilla Plugins.

Important: It is absolutely essential that you search for updates on a monthly basis at minimum. Plugins are constantly being improved and upgraded to deal with all manner of evolving security problems.

To manually check for updates of plugins, follow the link to the Mozilla Firefox Plugins Check site:

The Mozilla Firefox Plugins Check site

Update all of the plugins that are not up to date by clicking the action button and following the instructions on the screen. To disable a plugin that you do not know or no longer require, perform the following steps:

Step 1. Select Tools > Add-ons to activate the Add-ons Manager tab.

Step 2. Click the Plugins tab to reveal a complete list of Mozilla Firefox plugins, identify the plugin you would like to disable, and then click its Disable button.

How to Use the NoScript Add On

About NoScript

NoScript is a particularly useful Mozilla Add-on that can help protect your computer from malicious websites on the Internet. It operates by implementing a 'white list' of sites that you have determined to be acceptable, safe or trusted (like a home-banking site or an on-line journal). All other sites are considered potentially harmful and their functioning is restricted until you have determined that the content of a particular site presents no harm; at this point, you may then add it to the white list. NoScript will automatically start blocking all banners, pop-up advertisements, JavaScript and Java code, as well as other potentially harmful web site attributes. NoScript cannot differentiate between harmful content and content necessary to correctly display a web site. It is up to you to make exceptions for those sites with content that you think is safe.
How to Use NoScript

Before you begin using NoScript, ensure that it was successfully installed by selecting Tools > Add-ons to activate the Add-ons window and confirming that it is listed.

Tip: Although NoScript might seem a little frustrating at first (as the websites you have always visited may not display properly), you will immediately profit from the automated object-blocking feature. This will restrict pesky advertisements, pop-up messages and malicious code built (or hacked) into web pages.

NoScript will run silently in the background until it detects the presence of JavaScript, Adobe Flash or other script-like content. At that point NoScript will block this content and a status bar will appear at the bottom of the Firefox window as follows:

The NoScript status bar

The NoScript status bar displays information about which objects (for example, advertisements and pop-up messages) and scripts are currently prevented from executing themselves on your system. The following two figures are prime examples of NoScript at work: In Figure below, NoScript has successfully blocked an advertisement created in Adobe Flash Player on a commercial website.

An example of NoScript blocking a pop-up advertisement in a commercial site

In the following Figure, the Twitter web site notifies you that JavaScript must be enabled (at least temporarily) to view this web site.

The Twitter web site requesting that JavaScript be enabled

Since NoScript does not differentiate between malicious and legitimate code, certain key features and functions (for instance, a tool bar) may be missing. Some web pages present content, including script-like content, from more than one website. For example, a website like YouTube has three sources of scripts:

An example of the NoScript status bar Options menu

To unblock scripts in this situation, start by selecting the Temporarily Allow [website name] option (in this instance, the Temporarily allow option for the site's own domain). However, if this does not allow you to view the page, you may determine, through a process of trial and error, the minimum number of websites you need to permit in order to view the content of your choice. For YouTube, you need only select two of the three Temporarily allow options in order for YouTube to work.

Warning!: Under no circumstances should you ever select the following option: Allow Scripts Globally (dangerous). As far as possible, avoid selecting the Allow all from this page option. From time to time, you may have to permit all scripts; in this situation, ensure that you only do this for sites you really trust and on a temporary basis - that is, until the end of your on-line session. It only takes a single injection of malicious code to compromise your on-line privacy and safety.

About Clickjacking and Cross-Site Scripting (XSS) Attacks

NoScript can be configured to defend your system against cross-site scripting and clickjacking attacks. Cross-site scripting is a computer security vulnerability that permits hackers and other intruders to 'inject' harmful code into an existing web page. Clickjacking occurs, for instance, when you click on a button that appears to perform one task, while a certain kind of embedded code or script executes instead. Both attacks may happen without your knowledge unless you use NoScript. Every time a clickjacking attack is launched or under way, a window resembling the following will appear:

An example of a Potential Clickjacking / UI Redressing Attempt window

Follow the instructions displayed in the window to neutralise the clickjacking attempt, and then confirm.

How to Use Adblock Plus

Adblock Plus is a content filtering extension designed to limit or restrict the ability of ads to display themselves. After Firefox has been restarted, and the Adblock Plus add-on has been successfully installed, the Add Adblock Plus filter subscription window appears:

Step 1. Activate the Please choose a filter subscription drop-down list, and then select the option which corresponds to your language of use as follows:

The Add Adblock Plus filter subscription window with Fanboy's List selected

Step 2. Add this subscription; from now on, all advertisements described or listed in this filter will no longer appear.

How to Use Better Privacy

Better Privacy is a Mozilla Firefox add-on which helps to protect your system from special cookies referred to as LSOs (Local Shared Objects), which may be placed on your computer by a Flash script. Those cookies are not removed by the standard Firefox cleaning procedure for cookies.

How to Use Beef Taco (Targeted Advertising Cookies Opt-Out)

Beef Taco is a Mozilla Firefox add-on which lets you manage cookies associated with advertising from a variety of companies, among them Google, Microsoft and Yahoo. It can be configured to delete cookies known as Targeted Advertising Cookies Opt-Out automatically. However, it also permits Experienced and Advanced users to specify in more detail which cookies are permitted to reside on your system, and which are to be eliminated.

How to Use HTTPS Everywhere

HTTPS Everywhere is a Mozilla Firefox extension that automatically enables a secure connection for websites that support it. You always communicate with a specified list of websites over an encrypted (https) channel. Although many websites do offer encryption, they tend to default to an unencrypted http address.

The HTTPS Everywhere Preferences screen

The HTTPS Everywhere extension fixes these problems by rewriting all your requests to these sites to the HTTPS protocol. It runs silently in the background, ensuring that your Internet sessions with those selected sites are safe and secure. Latest version from here:
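How the rewriting just described works, as an added example that is not the extension's own code: a ruleset names the hosts it covers, any requests that must stay on HTTP, and ordered regular-expression rewrites, and each outgoing plain-HTTP request is checked against them in that order. The object form, the sample ruleset and the sample requests are constructed; the extension's real rulesets are XML files carrying the same three kinds of entry.

```javascript
// Added example, not the extension's code: a minimal model of how an
// HTTPS Everywhere-style ruleset rewrites a plain-HTTP request before it
// leaves the browser. Real rulesets are XML files whose <target>, <rule> and
// <exclusion> elements carry the same three pieces of information; the object
// form, the sample ruleset and the sample requests below are constructed.
const SAMPLE_RULESET = {
  name: "Example Site (constructed)",
  // Hosts the ruleset applies to; "*." covers any single-level subdomain here.
  targets: ["example.com", "*.example.com"],
  // Requests that must stay on HTTP, e.g. a host with no working TLS.
  exclusions: [/^http:\/\/legacy\.example\.com\//],
  // Ordered rewrite rules; the first whose `from` matches wins.
  rules: [
    { from: /^http:\/\/(?:www\.)?example\.com\//, to: "https://www.example.com/" },
    { from: /^http:\/\/([^/:@]+)\.example\.com\//, to: "https://$1.example.com/" },
  ],
};

function hostMatchesTarget(host, target) {
  if (!target.startsWith("*.")) return host === target;
  const suffix = target.slice(1); // "*.example.com" -> ".example.com"
  return host.endsWith(suffix) && !host.slice(0, -suffix.length).includes(".");
}

// Returns the URL the request should actually be sent to, plus why.
function rewriteUrl(url, ruleset) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return { url, rewritten: false, reason: "unparseable URL" }; }
  if (parsed.protocol !== "http:") return { url, rewritten: false, reason: "already not plain HTTP" };
  if (!ruleset.targets.some((t) => hostMatchesTarget(parsed.hostname, t))) {
    return { url, rewritten: false, reason: "host not covered by ruleset" };
  }
  if (ruleset.exclusions.some((re) => re.test(url))) {
    return { url, rewritten: false, reason: "matched an exclusion" };
  }
  for (const rule of ruleset.rules) {
    if (rule.from.test(url)) {
      return { url: url.replace(rule.from, rule.to), rewritten: true, reason: `matched ${rule.from}` };
    }
  }
  return { url, rewritten: false, reason: "target matched but no rule applied" };
}

// Constructed sample requests covering each branch above.
const SAMPLE_REQUESTS = [
  "http://example.com/login",
  "http://cdn.example.com/app.js",
  "http://legacy.example.com/old",
  "https://example.com/already-secure",
  "http://other.example.net/",
];

for (const u of SAMPLE_REQUESTS) {
  const r = rewriteUrl(u, SAMPLE_RULESET);
  console.log(`${r.rewritten ? "REWRITE" : "keep   "} ${u} -> ${r.url}  (${r.reason})`);
}
```

Exclusions are the important caveat: a rule that rewrites a host with no working HTTPS breaks the site rather than securing it, which is why the check happens before any rule is tried.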

What is googlesharing and why do I care?
Googlesharing is an easy-to-use, free and open source plug-in for Firefox that anonymizes your Google searches. When you do a Google search, Google collects information about your identity by recording the web address where you are searching from and the content of your searches. Google probably knows more about your web searches than you do! Googlesharing works by sending all of your Google-related traffic that does not require a login (i.e. not Gmail) through a separate server, completely transparently (you don’t have to do anything). As a result, your online activity is aggregated with everyone else’s. For more detailed information about how it works and why it is important, check out the project website:
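The two decisions the paragraph above describes, which requests to divert and what identifying information to remove from them, as an added illustration that is not GoogleSharing's own code. The host lists, the shared identity and the sample requests are constructed assumptions; the real extension's behaviour may differ in detail.

```javascript
// Added example, not GoogleSharing's code: a model of the two decisions an
// anonymizing proxy client for Google traffic has to make: which requests to
// divert (Google services that need no login) and which identifying headers
// to strip so that one user's request looks like everyone else's. The host
// lists, the shared identity and the sample requests are constructed.
const GOOGLE_SITES = ["google.com", "google.co.uk", "googleapis.com"];
const LOGIN_HOSTS = new Set(["mail.google.com", "accounts.google.com", "docs.google.com"]);
const IDENTIFYING_HEADERS = new Set(["cookie", "referer", "user-agent", "x-forwarded-for"]);
const SHARED_USER_AGENT = "Mozilla/5.0 (shared-identity)"; // one identity for all proxied users

// Exact match or a subdomain of a listed site; "google.evil.com" does not count.
function isGoogleHost(host) {
  return GOOGLE_SITES.some((s) => host === s || host.endsWith("." + s));
}

// Returns where the request goes ("direct" or "proxy") and the headers that
// would actually be sent. Proxied requests lose cookies, referer and the
// real User-Agent; login services are left alone because they need identity.
function routeRequest(request) {
  const host = new URL(request.url).hostname.toLowerCase();
  if (!isGoogleHost(host)) return { via: "direct", headers: request.headers, reason: "not Google traffic" };
  if (LOGIN_HOSTS.has(host)) return { via: "direct", headers: request.headers, reason: "login-based service" };
  const headers = {};
  for (const [name, value] of Object.entries(request.headers)) {
    if (!IDENTIFYING_HEADERS.has(name.toLowerCase())) headers[name] = value;
  }
  headers["User-Agent"] = SHARED_USER_AGENT;
  return { via: "proxy", headers, reason: "anonymous Google service" };
}

// Constructed headers a browser might send, including a tracking cookie.
const COMMON_HEADERS = {
  "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0",
  "Cookie": "PREF=ID=deadbeef:TM=1;",
  "Referer": "https://www.example.org/",
  "Accept-Language": "en-GB,en;q=0.5",
};
const SAMPLE_REQUESTS = [
  { url: "http://www.google.com/search?q=privacy", headers: COMMON_HEADERS },
  { url: "https://mail.google.com/mail/", headers: COMMON_HEADERS },
  { url: "https://www.example.org/page", headers: COMMON_HEADERS },
];

for (const req of SAMPLE_REQUESTS) {
  const r = routeRequest(req);
  console.log(`${r.via.padEnd(6)} ${req.url}  (${r.reason}) headers: ${Object.keys(r.headers).join(", ")}`);
}
```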

The problem with Google
Google is clueless

Google’s motto of “don’t be evil” has been key to the company’s success. When it came on the scene, Google was unique as the only search engine that did not privilege search results from advertisers, a significant factor in Google’s rapid rise. Recently, CEO Eric Schmidt said: Google is “trying not to cross what we call the creepy line” when it comes to gathering personal data. Maybe Google’s new motto should be “don’t be creepy”. However, Eric Schmidt wasted no time in crossing the creepy line in December when he told an interviewer that, “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” In effect, the head of the corporation with the most surveillance data in the world has just announced that if you are “innocent” you should have nothing to hide. As many people have noted, Schmidt’s statement is hypocritical and disturbing. His logic is nearly identical to the totalitarian assertion that if you want free speech, maybe you shouldn’t be saying anything controversial. Eric Schmidt has gone so far as to suggest that anonymity is dead. At the Techonomy conference in August 2010, he said, in reference to criminal and antisocial behavior, “The only way to manage this is true transparency and no anonymity. In a world of asynchronous threats, it is too dangerous for there not to be some way to identify you. We need a [verified] name service for people. Governments will demand it.”

Google tracks your behavior

Eric Schmidt’s comments are particularly troublesome in light of Google’s recent changes in policy. In March of 2009, Google reversed its long held policy against behavioral surveillance. Now, Google tracks the behavior of internet users (whether or not you are signed into Google) in order to serve people more precisely targeted advertising. In February of 2010, the Washington Post revealed that Google again reversed existing policy by forging an information sharing partnership with the NSA (the super secretive electronic spying arm of the US government) in order to combat “cyberattacks”.

Internet advertising market share as a percentage of total unique users (chart):

Google is a multiplier of state power

Eric Schmidt: “We are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities.” Dec 3 2009, CNBC.

Chris Calabrese of the ACLU: “The private sector has become an enormous multiplier of the surveillance power of the state.”

Google now has a government request tool that lets you see what governments have requested. The US government has demanded information 3,500 times in six months:

Google’s privacy controls are a charade

In both cases, we are told not to worry because Google will only be sharing data that has been anonymized (i.e. personally identifying information is removed). But there is plenty of cause for alarm. Recent research has shown how social media sites leak large amounts of personal information to their advertising partners and how exceptionally difficult it is to create a dataset that cannot be de-anonymized. In fact, the US defense department has a new initiative based exactly on this principle. Called ‘Digital DNA’, the goal is to develop a digital fingerprint database much like the databases of DNA stored by many national governments. The goal is precisely to identify particular individuals from data commonly thought to be anonymous—the tiny traces of digital footprints we leave behind whenever we use a computer. Despite all this, Google continues to assure its users that there is nothing to worry about. After all, if you have a lot of time on your hands, you can use the Google dashboard to adjust a complex array of privacy “self-care” settings. The problem is, the dashboard only applies to data directly tied to a Google account and it ignores all the many ways Google retains indirect and easily deanonymized data on you. For example, it does not let you remove the location data Google keeps on you every time you send an email to a Gmail user.

Google is dangerous An organization like Google is incompatible with a free society because it establishes the technological infrastructure for perfect social control. In effect, our freedom depends entirely on the benevolence of one organization. Unfortunately, Google is not very benevolent. Even while they lament the loss of privacy, they are actively profiting and promoting a surveillance society. Security expert Bruce Schneier wrote: Here’s the problem: The very companies whose CEOs eulogize privacy make their money by controlling vast amounts of their users’ information. Whether through targeted advertising, cross-selling or simply convincing their users to spend more time on their site and sign up their friends, more information shared in more ways, more publicly means more profits. This means these companies are motivated to continually ratchet down the privacy of their services, while at the same time pronouncing privacy erosions as inevitable and giving users the illusion of control:


Further reading: the Google blog posting “Google Is Blocked In 25 Of The 100 Countries They Offer Products In”, and “The problem with Google”.

Notes
1. “Google trying not to cross ‘the creepy line’”
2. “Google CEO Eric Schmidt Dismisses the Importance of Privacy”
3. “My Reaction to Eric Schmidt”
4. “Privacy Groups Rip Google’s Targeted Advertising Plan”
5. “Google to enlist NSA to help it ward off cyberattacks”
6. “Social networks make it easy for 3rd parties to identify you”
7. Mielikäinen, Taneli. 2004. “Privacy Problems with Anonymized Transaction Databases”.
8. Shmatikov, Vitaly and Arvind Narayanan. 2008. “Robust De-anonymization of Large Sparse Datasets (How To Break Anonymity of the Netflix Prize Dataset)”.
9. Shmatikov, Vitaly and Arvind Narayanan. 2009. “De-Anonymizing Social Networks”.

Anonymous Search Engines
Ixquick: markets itself as the world's most private search engine and earned the first European Privacy Seal. Logs are destroyed after 48 hours and no cookies are set. It has a built-in proxy function that lets you open search results anonymously via one of the company's own secure proxies, which adds a further layer of anonymity when used together with one of the anonymizers listed later, such as Tor or a VPN.

Scroogle: was a simple anonymous search engine. NB: As of February 2012 Scroogle no longer exists.

How to use Google services securely

- GoogleSharing: a Firefox extension that routes your Google traffic through an anonymizing proxy and strips the identifying information from it.
- VPN: a service that routes all your internet traffic through the provider's servers, so that websites (Google included) see the VPN's address rather than yours; the provider may also strip advertising and behaviour tracking from your web browsing. Note that this moves trust from your local network to the VPN provider, which can now see all of your traffic.

How to Use GoogleSharing

GoogleSharing is an anonymizing proxy system that mixes together the search requests of many different users, so that Google is unable to determine which request is coming from whom. In this way GoogleSharing prevents Google from collecting information about you through services which do not require a user name or password (services you log in to, such as Gmail, are not covered, because the account itself identifies you). Traffic that is not bound for Google is left alone and is not redirected. After you have installed GoogleSharing, its button appears in the bottom right corner of the Firefox add-on bar. GoogleSharing runs silently in the background without requiring any configuration. As with many privacy and security options, there is a trade-off between efficiency and speed on one hand and increased privacy and security on the other. If you find yourself in a situation where you need more speed, simply click the button to disable GoogleSharing temporarily.
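The scrubbing a proxy of this kind performs on each request, shown as an added illustration written for this guide (it is not GoogleSharing's own code). The header names are real HTTP headers; the list of proxied hosts, the pool of shared identities and the sample request are constructed for the example and are assumptions, not GoogleSharing's actual configuration.

```python
"""Request scrubbing of the kind an anonymising proxy such as GoogleSharing
performs.  Added illustration for this guide, not GoogleSharing's own code.
Header names are real HTTP headers; the proxied host list, the identity pool
and the sample request are constructed for the example."""
import random
from urllib.parse import urlsplit

# Google services that need no login, so there is no account to tie a request
# to once the identifying headers are gone.  Constructed list (assumption).
PROXIED_HOSTS = {"www.google.com", "google.com", "news.google.com",
                 "maps.google.com", "images.google.com"}

# Request headers that identify you, your machine, or where you came from.
IDENTIFYING_HEADERS = {"cookie", "referer", "user-agent", "accept-language",
                       "authorization", "x-forwarded-for", "via"}

# A shared pool of identities.  Every request borrows one at random, so Google
# sees a handful of very busy clients instead of many distinct people.
IDENTITY_POOL = [
    {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
     "Cookie": "PREF=ID=pool-identity-01"},
    {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0",
     "Cookie": "PREF=ID=pool-identity-02"},
    {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0) Gecko/20100101 Firefox/10.0",
     "Cookie": "PREF=ID=pool-identity-03"},
]


def should_proxy(url):
    """Only traffic for the listed hosts is redirected; everything else is left alone."""
    return (urlsplit(url).hostname or "").lower() in PROXIED_HOSTS


def identifying_fields(headers):
    """Names of the headers Google would have received without the proxy."""
    return sorted(k for k in headers if k.lower() in IDENTIFYING_HEADERS)


def scrub_request(url, headers, rng=random):
    """Return (proxied, outgoing_headers).

    For a proxied host every identifying header is dropped and a pooled identity
    is substituted; the rest of the request (Host, Accept, ...) passes through.
    For any other host the request is returned untouched."""
    if not should_proxy(url):
        return False, dict(headers)
    outgoing = {k: v for k, v in headers.items()
                if k.lower() not in IDENTIFYING_HEADERS}
    outgoing.update(rng.choice(IDENTITY_POOL))
    return True, outgoing


# Constructed sample: what a browser with a logged-in Google session sends.
SAMPLE_REQUEST = {
    "Host": "www.google.com",
    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0",
    "Accept": "text/html",
    "Accept-Language": "fa-IR,fa;q=0.8,en;q=0.5",
    "Referer": "https://mail.google.com/mail/u/0/",
    "Cookie": "PREF=ID=7f3a2b; SID=fake-session-id; NID=fake-nid",
}

if __name__ == "__main__":
    print("identifies you without the proxy:", identifying_fields(SAMPLE_REQUEST))
    proxied, out = scrub_request("https://www.google.com/search?q=riseup", SAMPLE_REQUEST)
    print("search proxied:", proxied)
    for k, v in out.items():
        print(f"  {k}: {v}")
    proxied, out = scrub_request("https://mail.google.com/mail/u/0/", SAMPLE_REQUEST)
    print("Gmail proxied:", proxied)   # login-based service: left alone
```

Note what survives scrubbing: the search terms themselves still reach Google, and the proxy operator now sees everything the browser sent, including your real address. That is the trade-off the "Optional paranoia" section below deals with.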

How to set it up?
1. Click on this link to get to the download page.
2. You may see a yellow bar appear at the top of your browser that says “Firefox prevented this site ( from asking you to install software on your computer”. Click the Allow button to install.
3. A window will appear. Wait until the Install button becomes clickable, then click on it.
4. Restart Firefox. You're now using GoogleSharing!

Optional paranoia
For increased anonymity, the following is optional. Because your Google activity is sent through the GoogleSharing proxies, Google cannot correlate that activity with you as an individual: your requests go from your computer to the GoogleSharing proxies, which forward them to Google, so to Google they appear to originate from the proxies rather than from your computer. That is great. It also means, however, that the GoogleSharing proxies could now in principle do what Google could do before: correlate your activities with you and your computer. You should ask: what information does GoogleSharing keep on me? They assert that they keep no logs, so the answer is nothing. But how can you verify that? You can't; you have to go on their reputation (which we believe is pretty strong in this area). Riseup is running two of the proxies in the GoogleSharing pool, so we can assure you that no logs are kept on the ones we run. We cannot vouch for the others in the pool, as we do not know who operates them. If you prefer, you can use only Riseup's GoogleSharing proxies, so that your Google-related traffic is routed through our servers alone. To do this, follow these steps:
1. Right-click on the “Google Sharing Enabled” text in the lower-right corner of your browser and select Options.
2. Click on “Add Proxy”.
3. Type “” in the box and click OK.
4. Click in the left column under ‘Enabled’ to enable the Riseup proxy. If you ever want to switch back to the default proxy, you can change it here.
5. Click ‘OK’.

ShareMeNot: protects you against tracking by third-party social media buttons while still allowing you to use them. Download it from here

Chrome add-ons
- Adblock Plus: uses subscription lists to block advertisements and behavioural tracking. Essential!
- Click&Clean: deletes your browsing history, typed URLs, Flash cookies and all other traces of your online activity to protect your privacy. From here
- KB SSL Enforcer: enforces encryption for websites that support it. From here
- NOREF: suppresses the Referer header for hyperlinks. From here
- Disconnect: stops third parties and search engines from tracking the web pages you visit and the searches you make. From here
Note: people who live in countries where Google add-ons are blocked should use a VPN or proxy to access them.

More add-ons for your browser
- WOT: promotes 'safe browsing' by advising you which sites are considered 'safe' and which 'not so safe', based on a community ratings system. It uses traffic-light colours to indicate the level of safety of a site: green is considered safe and trustworthy, red not so safe and generally untrustworthy. It is simple enough for anyone to use, and it is available for most of the major browsers, including Google Chrome, Safari, Internet Explorer and Opera as well as Firefox. Once you've installed it, you become part of the WOT community and can rate websites yourself. WOT helps you make informed choices about the websites you visit; avoiding untrustworthy and potentially 'dangerous' websites reduces your exposure to malware and phishing. Bear in mind that the ratings are crowd-sourced, and that the add-on looks up each site you visit against WOT's servers, so WOT itself sees which sites you go to.
- KeepVid:
NB: Some websites need JavaScript, Java or Flash to work properly. Verify whether you trust the website and be selective.
- CSLite: controls how your system deals with cookies. Cookies are small files which store information about you and your visit to a website; they are stored on your local computer. We don't want lots of websites to store cookies on our computer, so this add-on lets you manually allow cookies only for websites that you trust. NB: Some websites need cookies to work properly. Verify whether you trust the website and be selective.

Secure Connections
What are secure connections? The Internet is an insecure network, and as a result your connections over it are not secure by default. The goal of a secure connection is to provide a secure channel over this insecure network. Such connections use encrypted protocols, so that your data cannot be deciphered in transit and you can be sure that the server you are talking to is the authentic, intended one. Without secure connections, your internet traffic can be listened to by anyone in a position to eavesdrop: the email you send and receive, the contents of your web traffic and, worse, your login and password credentials; an attacker can also impersonate the servers you are talking to. Secure connections give reasonable protection against eavesdroppers and impersonators.

HTTPS is the same protocol as HTTP, but wrapped inside a layer of strong encryption. To see why that matters, look at what an ordinary HTTP request carries. Your request consists of several things, potentially including:
- the full URL of the page you are viewing,
- identifying information about your web browser,
- small pieces of data called cookies,
- the contents of any form fields you might have filled in.

The web server replies to your request with its own information, potentially including:
- information about the page you requested,
- identifying information about the web server itself,
- more cookies,
- the contents of the page requested.

These communications (in both directions) are all visible to any computer along the way between your computer and the web server. If you included some information that you'd rather keep private (for example, if you typed your bank account number in a field of a web form), you might be upset that the intermediate machines can all snoop! Even worse, if your password is included in this information, the snooper could then use that password to take actions that only you should be allowed to take, such as updating your organization's web page, transferring money, making travel reservations, etc. So just using unencrypted, plain HTTP is dangerously insecure! If you are anonymously reporting unethical activity of your employer, you do not want your employer (who controls the network you are using) to see what you are doing, or to alter the contents of your complaint as it is in transit. If you are dealing with your bank, you don't want the other machines on the network to be able to get information about your accounts, much less to withdraw money from them. We need some sort of way to keep our communications private and secure.

This is exactly why we use HTTPS, the secure version of HTTP. This protocol can be identified by the fact that the URL in your browser's address bar begins with https://. It is also often indicated by the little lock icon in your browser.

"In an ideal world, every web request could be defaulted to HTTPS" For further security, you should consider verifying that the website you are visiting is the one you intend to visit. When using HTTPS, you are receiving a certificate from the server which is supposed to authenticate that this is the correct server. To verify that the site is the one you intend to visit, you should verify that the certificate that is presented is the correct one see certificates section to learn more. There are some issues with certificates that you should be aware of (see also limitations of secure connections).

Technical Architecture shapes Social Structure: an example from the real world When you use the Internet, most of your communications rely on many different computers cooperating with each other. The computers co-operate because they have agreed beforehand on a PROTOCOL. Here I show how choices in digital communications infrastructure can also affect our social fabric, by focusing on one small example out of many: a protocol in common use on the internet today, TRANSPORT LAYER SECURITY (TLS), and its precursor, the SECURE SOCKETS LAYER (SSL). These are used (among other places) in secure World Wide Web connections. TLS, as it is currently implemented, fosters the concentration of power and money among certain groups while hampering the public's ability to engage in trustworthy, secure communications.

How do we know who we're talking to? Near the little lock, many modern browsers will show you the name of the site you are connecting to. The first thing is to make sure that this is who you think it is. If you are about to send confidential information to your local credit union via its web page (e.g. ), you should be sure that the name near the lock is the name of your credit union. If the machine you are connecting to is something different (e.g., ), then all the cryptography in the world won't help you keep your information private, because you are sending it to the wrong folks! But if the name does match, there could still be problems: some nasty group could be intercepting your communications and claiming to be the group you actually want to talk to. This isn't veering into paranoia: the global network is very flexible; it relies on wide-scale co-operation; and the malicious actors are often tireless and conscienceless machines, not individual humans. So how does your browser know to show that lock, since anyone could claim to be anyone else?

Browser lock showing tooltip
Because during the initial claim of identity the web server presents a certificate which is cryptographically signed by a CERTIFICATE AUTHORITY (CA) that your browser already knows about and trusts. In some modern web browsers, if you hover your mouse over the lock, a tooltip pops up showing which CA signed the certificate presented by the web server. In the image here, you can see that the authority that signed this certificate is Equifax.

Who do you trust? Who said that Equifax is an authority who can verify that folks are who they say they are? As any good anarchist would ask, why should you trust this authority? At the moment, you trust them implicitly because your web browser comes pre-configured to trust them. Many modern browsers ship with 30 or more of these CAs trusted automatically. If any one of these authorities is compromised or malicious, they could create fake certificates with whatever name they want, which means that, with only a few other small modifications, they could intercept (and tamper with) communications you intend to be private and untamperable. Who are these authorities? Why are they included by default in our web browsers? Do they really do a good job in verifying identities before signing certificates? Do they have your best interests in mind? Do they share your political principles? If they received an unethical request from a corrupt governmental power or financial sponsor, would they comply, or would they resist? I don't have the answers to these questions about any particular CA. But I think that the current technical infrastructure gives them incentives to behave in untrustworthy ways. We have very little reason to think that these CAs have the average web user (or server administrator) in mind when they decide policy, which makes our implicit trust in them all the more unjustified.

Relevant Architecture Components What is it about the architecture of the Web that encourages this insecurity and lack of integrity? This requires a basic understanding of the underlying protocols used to create secure web connections. The Internet is a collection of co-operating machines, all passing messages to each other in various forms. Viewed from another angle, the Internet is also a collection of interacting protocols, which fit together in certain ways.

HTTPS is, at its root, HTTP (the common protocol by which web browsers talk to web servers) tunneled through TRANSPORT LAYER SECURITY, or TLS. TLS itself grew out of the SECURE SOCKETS LAYER, or SSL. TLS and SSL are generic protocols which define methods for encrypting a potentially lengthy bidirectional communications session. We call the side of the communications session that waits and listens for new connections the SERVER, and the side that actively initiates connections the CLIENT. In the case of HTTPS, your web browser acts as a TLS CLIENT.

About StartTLS
- Better at preventing surveillance of social networks via email: the hop between mail servers is encrypted, so an eavesdropper on the network no longer sees who is writing to whom.
- Easy to use; you don't have to think about it.
- Not good if you want to ensure that a particular message was secure: StartTLS is opportunistic, used only when both servers support it, and it gives you no confirmation for any individual message.

Three diagrams illustrate this: a normal email journey, a better email journey, and an email journey with StartTLS.

TLS (like many session-based protocols) begins with a handshake, which is used by the CLIENT and SERVER to establish their shared assumptions. You can think of this as two complete strangers on a phone call: they run through the languages they speak, in an attempt to find a common language in which they can communicate. Assuming both CLIENT and SERVER find that each other speaks some common form of TLS, the handshake continues with the SERVER offering the client a single certificate asserting the SERVER's identity.
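The StartTLS points above (easy, opportunistic, no per-message guarantee) and the handshake just described, worked through as an added example written for this guide; it is not code from the page or from any real mail client. The SMTP commands and reply codes are the real ones from RFC 3207; the scripted server, the "attacker" in the middle and the host names are constructed for the demonstration.

```python
"""What a mail client does when it uses StartTLS, and why "not good if you
want to be sure about one particular message" holds.  Added illustration for
this guide, not code from the page or from any mail client.  SMTP commands and
reply codes are the real ones (RFC 3207); servers and transcripts are constructed."""


class ScriptedServer:
    """Stand-in for the socket to a mail server: answers the client's commands
    from a script and remembers whether TLS has been started."""

    def __init__(self, name="mail.example.org", advertise_starttls=True):
        self.name = name
        self.advertise_starttls = advertise_starttls
        self.tls_started = False

    def __call__(self, command):
        verb = command.split(" ", 1)[0].upper()
        if verb == "EHLO":
            caps = [f"250-{self.name} Hello"]
            if self.advertise_starttls and not self.tls_started:
                caps.append("250-STARTTLS")       # offered only before TLS is up
            caps.append("250 SIZE 10240000")
            return caps
        if verb == "STARTTLS":
            if self.tls_started or not self.advertise_starttls:
                return ["454 4.7.0 TLS not available"]
            self.tls_started = True                 # the TLS handshake would run here
            return ["220 2.0.0 Ready to start TLS"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["500 5.5.1 Command unrecognized"]


def stripping_attacker(server):
    """A box on the path between client and server that deletes the STARTTLS
    capability from the EHLO reply and forwards everything else unchanged."""
    def relay(command):
        return [line for line in server(command) if line != "250-STARTTLS"]
    return relay


def parse_ehlo(reply_lines):
    """Capability keywords from a multi-line 250 reply ("250-STARTTLS" -> "STARTTLS")."""
    caps = set()
    for line in reply_lines:
        if not line.startswith("250"):
            raise ValueError("EHLO rejected: " + line)
        caps.add(line[4:].split(" ", 1)[0].upper())
    return caps


def open_session(server, require_tls):
    """Run the opening of an SMTP session against `server` (a callable that
    returns the server's reply lines).  Returns what the client ended up with."""
    transcript = []

    def send(command):
        reply = server(command)
        transcript.append("C: " + command)
        transcript.extend("S: " + line for line in reply)
        return reply

    caps = parse_ehlo(send("EHLO client.example.net"))
    if "STARTTLS" not in caps:
        # An opportunistic client just carries on in plaintext: the silent downgrade.
        if require_tls:
            send("QUIT")
            return {"encrypted": False, "aborted": True, "transcript": transcript}
        return {"encrypted": False, "aborted": False, "transcript": transcript}
    reply = send("STARTTLS")
    if not reply[0].startswith("220"):
        send("QUIT")
        return {"encrypted": False, "aborted": True, "transcript": transcript}
    # The TLS handshake would run now.  Afterwards the client must forget what it
    # learned before and send EHLO again: the earlier reply was unprotected.
    parse_ehlo(send("EHLO client.example.net"))
    return {"encrypted": True, "aborted": False, "transcript": transcript}


def run_scenarios():
    return {
        "honest server, opportunistic client":
            open_session(ScriptedServer(), require_tls=False),
        "STARTTLS stripped, opportunistic client":
            open_session(stripping_attacker(ScriptedServer()), require_tls=False),
        "STARTTLS stripped, client requires TLS":
            open_session(stripping_attacker(ScriptedServer()), require_tls=True),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: encrypted={result['encrypted']} aborted={result['aborted']}")
        for line in result["transcript"]:
            print("   ", line)
```

The second scenario is the one to notice: with the capability removed, the client neither encrypts nor complains, and nothing in the transcript tells the sender that this particular message went in the clear. Only a client configured to require TLS (the third scenario) turns the downgrade into a visible failure.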

X.509 v3 certificates The certificate presented is a combination of a cryptographic PUBLIC KEY with an identifying name of the subject (typically the name of the server), where the combination of these two things is signed by a CERTIFICATE AUTHORITY. The signature is a statement by the CERTIFICATE AUTHORITY that the PUBLIC KEY shown does in fact belong to the subject. You can think of these three parts of the certificate as a state driver's license: the certificate's public key is like the license ID number; the certificate's subject is the driver's name, photo and other identifying characteristics; the certificate's signature is like the hologram on the license. The DMV plays the role of the CERTIFICATE AUTHORITY: only the DMV can make that hologram, and by applying it over the ID number and the statistics, the DMV is saying that this particular driver has this particular ID number. The specific format of the certificate used in TLS is not a driver's license, of course; it is specified by the X.509 standard. X.509 covers a lot of different things, but for the purposes of this discussion we are only interested in how it specifies the certificates used in TLS. In particular, I want to focus on two things: how the web server is identified, and how the signature is attached to the identity/public key combination. The server is identified by a long string (the subject), of which your web browser really inspects only the bit after the last CN=, together with, in newer browsers, the host names listed in the certificate's subjectAltName extension, which take precedence over the CN when present. Here's an example subject from a real-world certificate: / Validated/OU=Go to SSL123 certificate/ The identity of the signer (aka the ISSUER) is also present in the certificate, and only a single signature is allowed within the certificate. Your browser (or other TLS-capable client) takes the certificate and looks through its list of trusted CERTIFICATE AUTHORITIES for the signer. If it doesn't see the signer in that list, it treats the certificate as invalid.
If the signer is present in the list of trusted CAs, your client uses information it already has about the signer to verify that the signature is in fact legitimate. There's an extra step that can be thrown in here sometimes called certificate chaining, where the server presents not only its own certificate, but also the certificate of its ISSUER, where the assumption is that the ISSUER's own certificate is signed by a CA that the client already trusts. But however the trust is followed, we end with one conclusion: the client must already know of and trust the ultimate signer of the certificate, and there can only be one ultimate signer for any certificate. If the client doesn't know of and trust that signer, they are merely guessing that the machine on the other end of the connection is the intended machine.
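The verification described in the last two paragraphs, and the "any trusted CA can certify any name" point from the Who do you trust? section, made concrete with a throwaway certificate authority. This is an added example written for this guide, not code from the page or from any CA; it drives the openssl command-line tool, which is assumed to be on PATH (OpenSSL 1.1.0 or newer, for the -verify_hostname option). The CA names, the server name www.example.org and the file names are all made up for the demonstration.

```python
"""A miniature certificate authority, to make the verification steps concrete.
Added example for this guide, not code from the page or from any CA.  Drives
the openssl command-line tool (assumed on PATH, OpenSSL 1.1.0 or newer).
All names ("Example Root CA", "Rogue CA", www.example.org) are made up."""
import os
import shutil
import subprocess
import tempfile

# openssl req config for a self-signed root: CA:TRUE and keyCertSign are what
# make the verifier willing to accept it as an issuer.
ROOT_CONF = """[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = {cn}
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""
LEAF_CONF = "[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = {cn}\n"
# Extensions the CA attaches when signing: the server name browsers check.
LEAF_EXT = "basicConstraints = CA:FALSE\nsubjectAltName = DNS:{name}\n"


def _write(workdir, fname, text):
    path = os.path.join(workdir, fname)
    with open(path, "w") as f:
        f.write(text)
    return path


def _openssl(workdir, *args):
    return subprocess.run(["openssl", *args], cwd=workdir,
                          capture_output=True, text=True)


def make_root_ca(workdir, label, cn):
    """Self-signed root: the CA signs the combination of its own public key and name."""
    conf = _write(workdir, f"{label}.cnf", ROOT_CONF.format(cn=cn))
    _openssl(workdir, "req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes",
             "-days", "30", "-config", conf, "-keyout", f"{label}.key",
             "-out", f"{label}.crt").check_returncode()
    return f"{label}.crt", f"{label}.key"


def issue_server_cert(workdir, label, ca_crt, ca_key, name):
    """The CA signs (server public key, server name).  Note what is absent: no
    step here checks that whoever asked actually controls `name`.  That is the
    CA's policy, and the cryptography cannot tell whether it was followed."""
    conf = _write(workdir, f"{label}-req.cnf", LEAF_CONF.format(cn=name))
    ext = _write(workdir, f"{label}-ext.cnf", LEAF_EXT.format(name=name))
    _openssl(workdir, "req", "-new", "-newkey", "rsa:2048", "-nodes", "-config", conf,
             "-keyout", f"{label}.key", "-out", f"{label}.csr").check_returncode()
    _openssl(workdir, "x509", "-req", "-in", f"{label}.csr", "-CA", ca_crt,
             "-CAkey", ca_key, "-CAcreateserial", "-days", "30",
             "-extfile", ext, "-out", f"{label}.crt").check_returncode()
    return f"{label}.crt"


def browser_accepts(workdir, trusted_roots, server_crt, hostname):
    """What the lock icon boils down to: the signature chain must end at a root
    in the trust list, and the name typed in the address bar must match."""
    pem = ""
    for root in trusted_roots:
        with open(os.path.join(workdir, root)) as f:
            pem += f.read()
    bundle = _write(workdir, "trust-bundle.pem", pem)
    result = _openssl(workdir, "verify", "-CAfile", bundle,
                      "-verify_hostname", hostname, server_crt)
    return result.returncode == 0


def run_lab():
    """Five cases; returns {description: accepted?}."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    with tempfile.TemporaryDirectory() as d:
        good_crt, good_key = make_root_ca(d, "good-ca", "Example Root CA")
        rogue_crt, rogue_key = make_root_ca(d, "rogue-ca", "Rogue CA")
        site = issue_server_cert(d, "site", good_crt, good_key, "www.example.org")
        # The rogue CA happily certifies the same name for a different key.
        forged = issue_server_cert(d, "forged", rogue_crt, rogue_key, "www.example.org")
        return {
            "genuine cert, its CA trusted, right name":
                browser_accepts(d, [good_crt], site, "www.example.org"),
            "genuine cert, its CA trusted, wrong name":
                browser_accepts(d, [good_crt], site, "login.example.org"),
            "genuine cert, its CA not in the trust list":
                browser_accepts(d, [rogue_crt], site, "www.example.org"),
            "forged cert, rogue CA not trusted":
                browser_accepts(d, [good_crt], forged, "www.example.org"),
            "forged cert, rogue CA in the trust list":
                browser_accepts(d, [good_crt, rogue_crt], forged, "www.example.org"),
        }


if __name__ == "__main__":
    for case, ok in run_lab().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {case}")
```

The last case is the whole argument of this section in one line: the verifier cannot distinguish a certificate the real site asked for from one a second, equally trusted CA issued to someone else. Nothing in the chain records whether the CA checked anything before signing.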

Concentration of Power, Financial Incentives, and Trust So again, the question is: who are these CERTIFICATE AUTHORITIES? What is their background? Who operates them? What are their political convictions?

How does a typical certificate authority stay afloat? The biggest CERTIFICATE AUTHORITY at the beginning of 2007 was VeriSign: with their purchase of Thawte: in 1999 and of GeoTrust: in 2006, they are by far the largest issuer of certificates to the general public (over 70% in aggregate, according to Netcraft). Verisign has a lot of other businesses, but it makes its CA money by selling certification to the entities requesting it. That is, if you decide to set up a new web site on a server named, and you want to provide secured web access via, you might begin by paying VeriSign for a certificate that identifies your server as Why should VeriSign certify you with this name? For one thing, because you're paying them to do so. But their responsibility as a CA should include more rigorous checking. And they do so — but just a little bit more — often relying on the DNS and e-mail (both forgeable systems) to be configured properly and securely. At any rate, the site operator is the one who foots the bill for the certificate, and the CA has little disincentive to turn down certification, since it would presumably mean they'd lose paying customers. If the CA were to engage in massive, wide-scale illegitimate certification, there's a possibility that browser vendors would drop them as a trusted root CA, but it would probably take a really large scandal, and it would likely take months (at least) for browser vendors to actively drop trust for the CA. This has never been done, as far as I know.

Who can be a CERTIFICATE AUTHORITY? The kicker in all of this is that Verisign and the other commercial CERTIFICATE AUTHORITIES aren't using any expensive hardware or software to issue certificates. Free tools like OpenSSL: or GnuTLS: form the technical basis of most CAs, and there are free graphical frontends (like TinyCA: ) which make running a CERTIFICATE AUTHORITY a relatively simple task. These tools can be run on bottom-of-the-barrel hardware, and being a CA doesn't even require a heavy-duty connection to the Internet. So if anyone can technically be a CA, how come people aren't doing it? For one thing, doing legitimate verification of identities is actually significant work. But the verification done by most CAs (including VeriSign) doesn't come close to this level of work, so that shouldn't be holding people back. It turns out the architecture of TLS itself discourages diversity.

Why does the architecture encourage concentration? Remember that a TLS (HTTPS) server can only offer a single certificate. For hassle-free, secure connections, the signer of that certificate must already be trusted by the client (web browser). As a site administrator, you need to decide who is going to sign your certificate. Most browsers out there already trust the big corporate CAs. If a new independent CA were to spring up, it won't be trusted by any of the browsers, which means connections using a certificate from the new CA would likely cause errors for your site's visitors. Since you can only choose one, you probably will go with the existing goliath, even if you feel no political affinity with them, and even if you resent paying money for their signature which could have been better used elsewhere. As an individual who uses the web, your browser already trusts the big corporate CAs. Most of the web sites you visit are probably run by administrators who have made the tradeoff above. Why should you ask your browser to trust a new CA, even if it's one you personally actually trust more? It can be a hassle to maintain a list of trusted authorities, and it seems especially fruitless when the new authority you've added isn't actually used by any site that you visit. So why bother? And you're certainly not going to tell your browser to stop trusting the big corporate CAs, because nearly every site you visit has certificates issued by one of them. What's worse, to make any change in the situation at all, there would need to be a massive break. The day that a site offers a new certificate signed by a new authority, every one of its visitors will see that cert, and will get errors if they don't already trust the new authority. The site administrator is pretty much guaranteed to cause problems for hir visitors by switching away from the mega-CAs. This seems like a no-win situation, but there are ways out.

Alternate Architectures The TLS architecture is the cause of this concentration of power, and changes to the architecture can permit or even encourage its dissolution.

What could change the incentives? As usual, we need to follow the money. One of the reasons the big CAs have little reason to provide real security via heavy-duty verification before certification is that they lack significant competition. Making it easier to start and run a separate CERTIFICATE AUTHORITY, while actually encouraging its adoption, would be a good thing. If we were to modify the TLS protocol so that a server could offer multiple certificates at once, that would make it much easier to do a smooth transition away from untrustworthy big CAs, because sites and users would no longer need the massive, disruptive transition that switching certificates would entail. One year, a web site could offer certificates from VeriSign and from a new, politically-active CA, while explaining to its users the reason for switching away, and the next year the site could drop the VeriSign certificate entirely. An analogous change would be to enable multiple signatures on a single certificate. Recall that a single X.509 certificate contains a public key, a subject, and a signature binding the two together from a CA. There's no reason (in principle) that we couldn't define a certificate as a public key, a subject, and a set of signatures, each from a different CA. It turns out that there is a proposal for this kind of alternate, multi-signature certificate (using the OPENPGP standard), which I'll talk about later. But why should you trust a lot of small CAs more than a handful of big ones? The answer is that you wouldn't (and shouldn't) trust all the small CAs. You might trust a handful of smaller CAs with whom you have a personal relationship. Or you could spread your trust out over a wider range, deciding that you don't give full trust to any single CA. Instead, you could require certification by any 3 of the 20 CAs that you trust marginally. Any one CA might be compromised, but it would be a much harder job to infiltrate three of them. If CAs were able to really compete on trustworthiness (which they can't right now because of the architecture), you could simply dismiss the CAs that are known to do a terrible job of verification, or that you don't trust for other reasons. For example, why should you trust the CERTIFICATE AUTHORITY run by an oppressive government? Once it becomes easier to phase in trust of new, alternative CERTIFICATE AUTHORITIES, we need to think about which ones technologically-aware activists would want to support. I suggest that a full change in the funding model is needed.
Instead of being paid for by the site owner, a new-model CERTIFICATE AUTHORITY could operate independently, funded by its members who, by joining, help shape policy about what sort of verification should be required to grant a certificate. With the ability to have multiple signatures, there's nothing stopping individuals from acting as their own CAs as well. Do you run your own web site? Certify it! Does your organization have a web site? You and your colleagues could each certify it. This sort of decentralization is healthy, fosters community networks, and can cut out the big corporate middlemen.
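The "any 3 of the 20 CAs you trust marginally" policy from the previous paragraphs, worked through on a multi-signature certificate as an added example written for this guide; it is not code from the page, from OpenPGP or from any library. The full/marginal trust levels mirror OpenPGP's scheme (one full signer, or three marginal ones, suffices). To keep the policy logic runnable without a public-key library, the "signatures" are a stand-in: an HMAC under a per-CA secret that the verifier also holds. A real deployment uses public-key signatures, and the CA and site names here are made up.

```python
"""Threshold trust over a multi-signature certificate.  Added example for this
guide, not code from the page, from OpenPGP or from any library.  Trust levels
mirror OpenPGP's full/marginal scheme; the signatures are an HMAC stand-in (the
verifier holds each CA's secret) so the policy runs without a public-key library."""
import hashlib
import hmac
from dataclasses import dataclass, field

FULL = 1.0          # one fully trusted CA is enough on its own
MARGINAL = 1.0 / 3  # three marginally trusted CAs are needed


def certified_bytes(subject, public_key):
    """What every CA signs: the binding of a name to a public key."""
    return f"{subject}\n{public_key}".encode()


def ca_sign(ca_secret, subject, public_key):
    # Stand-in for a public-key signature (see the lead-in); a real CA would sign
    # these bytes with its private key and the verifier would use the public one.
    return hmac.new(ca_secret, certified_bytes(subject, public_key), hashlib.sha256).hexdigest()


@dataclass
class MultiSigCert:
    subject: str
    public_key: str
    signatures: dict = field(default_factory=dict)  # issuer name -> signature


@dataclass
class TrustStore:
    cas: dict  # issuer name -> (verification secret, trust weight)

    def verified_issuers(self, cert):
        """Issuers the user knows whose signature on this certificate checks out.
        Unknown issuers are simply ignored; they neither help nor hurt."""
        good = []
        for issuer, sig in cert.signatures.items():
            if issuer not in self.cas:
                continue
            secret, _weight = self.cas[issuer]
            if hmac.compare_digest(sig, ca_sign(secret, cert.subject, cert.public_key)):
                good.append(issuer)
        return good

    def accepts(self, cert, expected_subject):
        if cert.subject != expected_subject:
            return False
        weight = sum(self.cas[i][1] for i in self.verified_issuers(cert))
        return weight >= 1.0 - 1e-9   # float tolerance for three times 1/3


def run_scenarios():
    names = ("BigCorp CA", "Collective A", "Collective B", "Member CA", "Unknown CA")
    secrets = {n: f"secret-of-{n}".encode() for n in names}

    def sign_all(cert, issuers):
        for i in issuers:
            cert.signatures[i] = ca_sign(secrets[i], cert.subject, cert.public_key)
        return cert

    user = TrustStore({"BigCorp CA": (secrets["BigCorp CA"], FULL),
                       "Collective A": (secrets["Collective A"], MARGINAL),
                       "Collective B": (secrets["Collective B"], MARGINAL),
                       "Member CA": (secrets["Member CA"], MARGINAL)})
    genuine = sign_all(MultiSigCert("www.example.org", "pk-genuine"),
                       ["Collective A", "Collective B", "Member CA"])
    # An attacker who compromised a single marginally trusted CA ...
    one_marginal = sign_all(MultiSigCert("www.example.org", "pk-attacker"), ["Member CA"])
    # ... or two of them plus a CA nobody in the trust store knows.
    two_plus_unknown = sign_all(MultiSigCert("www.example.org", "pk-attacker"),
                                ["Member CA", "Collective A", "Unknown CA"])
    # An attacker who compromised the one fully trusted CA.
    big_forged = sign_all(MultiSigCert("www.example.org", "pk-attacker"), ["BigCorp CA"])
    # The same user after demoting that CA to marginal trust.
    cautious_cas = dict(user.cas)
    cautious_cas["BigCorp CA"] = (secrets["BigCorp CA"], MARGINAL)
    cautious = TrustStore(cautious_cas)
    return {
        "three marginal signatures": user.accepts(genuine, "www.example.org"),
        "one compromised marginal CA": user.accepts(one_marginal, "www.example.org"),
        "two marginal + one unknown CA": user.accepts(two_plus_unknown, "www.example.org"),
        "one compromised full-trust CA": user.accepts(big_forged, "www.example.org"),
        "same, after demoting it to marginal": cautious.accepts(big_forged, "www.example.org"),
        "genuine cert, wrong name": user.accepts(genuine, "login.example.org"),
    }


if __name__ == "__main__":
    for case, ok in run_scenarios().items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {case}")
```

The fourth case is the one the text warns about: as long as any single CA carries full trust, compromising that one CA is still enough, whatever else is in the store. Spreading trust thinly (the fifth case) is what makes the attacker's job harder.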

What else exists? EV Certificates The big corporate middlemen don't want to be cut out, of course. A plan is afoot from some of the larger CAs called EXTENDED VALIDATION (EV) Certificates: from what I can tell, this is simply the big CAs offering to actually do a serious level of identity verification — what they should have been doing all along! The bills for an EV cert, likely even heftier than usual, will probably continue to be paid by the sites requesting the certificates.

This does nothing to change the financial dynamics that make the system currently so untrustworthy. But it does relegate sites that can't pay the new larger fees to a second-class level of security, and it minimizes the number of entities considered officially capable of being an EVcert-granting CA, further consolidating the power of the few at the top. Another interesting player is CACert: . This is a group that has set up to operate in the fashion of a typical certificate authority, but has set up a sophisticated, clear system: explaining what it will take for them to grant you certification, based strictly on a network of trust built among their membership. This is a pretty good model, but it's a shame that they're the only one implementing anything like it. There should be multiple organizations with comparable models to this, so that each user could make her own decisions about who they actually trust. Another downside to CACert is the fact that their certificates are still issued only by one agency — the CACert CA. Even though they explicitly say they will only grant certificates according to their model, if their infrastructure is somehow compromised, it's possible for an attacker (or malicious employee) to issue certificates as CACert without following their published protocol.

Don't throw out the baby with the bathwater All of this might seem more complicated than it needs to be; it's worth asking whether we need any of this at all. I want to make it clear that we do need secure communications. As activists, politically-outspoken workers, anti-authoritarians, or simply people who want to preserve our right to dissent, we need to be able to communicate to each other without eavesdropping or — worse — interference or impersonation. As members of a capitalist society, we are also purchasers and vendors of goods and services, and monetary donors and recipients. We need those transactions to be handled safely, so that we don't have our financial backing usurped. More than just needing secure communications, we need secure communications without faceless, unaccountable, politically-fickle, mercenary gatekeepers. We need to take control of our own communications by taking responsibility for them.

Moving forward So where can we go from here on the specific problem of the stunted TLS architecture?

An alternate architecture exists! I mentioned earlier that there is an alternate proposal — OPENPGP Certificates instead of X.509 certificates — which allows multiple signatures per certificate. The proposal is designed to be implementable in parallel with existing X.509 certificates. However, it is not widely implemented or adopted yet. Most programs which use TLS do not actually implement their TLS functionality directly. Instead, they make use of software LIBRARIES, which are collections of code that can be used by many programs. At least one TLS library exists which can use OpenPGP certificates: the free GnuTLS library: has supported OPENPGP certificates in addition to X.509 certificates since at least the end of 2003. Tools (like web browsers) which use the GnuTLS library basically can get this extra feature without any extra work. However, the OpenSSL library: is by far the most widely-used free library, and it only includes support for X.509 certificates. Some developers are discussing adding OpenPGP support for OpenSSL: , but it's doubtful that anything will be ready in the near future. Tools which use OpenSSL are going to take a while to migrate to this new architecture. So what needs to happen? Web browsers (and other TLS-enabled clients) need to start working with the new architecture. Web servers (and other TLS-enabled servers) need to start working with it as well. One of the reasons to focus on Free Software is that we have an opportunity to contribute changes that we want to see. The big proprietary software makers may not share our agendas, or may actually be antagonistic.

Web Browser Buy-in Mozilla Firefox is probably the most widely distributed Free browser today. In my version of it on my Debian operating system, it actually already uses the GnuTLS library, but I haven't reviewed the sources to see how it gets used (it could be used for library features unrelated to certificate verification). Furthermore, there is no clear way through the Firefox graphical interface to manage OpenPGP CAs, the way there is to manage X.509 CAs. So that needs work. Firefox is also the basis for the proprietary Netscape browser, so any fix to Firefox could have an effect there. Many other Free browsers also derive from Firefox, so a fix here would be a big win. Konqueror: is another leading Free browser with an effect on other tools (Macintosh's Safari: is based on Konqueror's rendering engine). It seems to use an SSL wrapper library (kssl) to talk to other libraries, but it appears to use OpenSSL exclusively at the moment. A fix to kssl to allow it to talk to GnuTLS would enable OpenPGP certificates for all the software in the KDE suite. Finally, two text-mode browsers, elinks: and the venerable lynx: , appear to use the GnuTLS library these days.

Web Server Buy-in apache: is the flagship Free web server. While the standard way to make apache work with TLS is the OpenSSL libraries via mod_ssl: , a new module called mod_gnutls: aims to make apache work with GnuTLS. However, mod_gnutls is still in its infancy, and it is not clear whether it is able to support OpenPGP keys or not. Other web servers operate behind separate processes which handle all the TLS wrapping; these servers should be more easily switched to a library which supports OPENPGP. And gnutls-serv appears to offer itself as a rudimentary web server as well, if you need a server to test browsers.

Next Steps
What can you do yourself? Depending on how you use computers, there are different things you might want to do. If some of them seem confusing or you aren't sure how to start them, ask for help! There are web forums, mailing lists, and user groups filled with people who are interested in helping out.

All users
If you are a typical computer user these days, using standard tools, you can't switch to this new architecture all by yourself yet. But you can prepare yourself for a move to a more open, secure architecture in a number of ways:

Adopt free software, which is the most likely to move to this new architecture first. Start with your web browser: if you are not using Mozilla Firefox, Konqueror, or some other free browser as your primary web browser, try to make the switch. Learn about encryption by setting yourself up with some tools. You can actually run GPG (an implementation of the OpenPGP standard) freely on any modern operating system. There are graphical front-ends and tutorials available online which might help you get a feel for managing certificates, signatures, and alternate authorities.

When using your web browser with normal HTTPS connections, start checking who the issuer is, and thinking about the chains of trust explicitly.

Webmasters
If you manage a website, and your site doesn't use HTTPS, consider offering it as an option so that your users can communicate with your site securely. For technical reasons, this will usually mean that your web site needs its own IP address. In the process of doing this, you'll also need to generate an X.509 certificate, as discussed here. You can either generate your own certificate (self-signed), get a commercial CERTIFICATE AUTHORITY to sign one for you, or ask for a cert from an alternate CA (such as ). Ask your system administrator if your web server is one of the few which supports OpenPGP certificates. If it does, generate and install one. If you're not sure how to do any of these steps, ask for help!

System Administrators
If you maintain a web server which offers HTTPS, consider offering support for OpenPGP certificates. If you administer an apache server, you might want to experiment with mod_gnutls where you would normally use mod_ssl.

Programmers
If you can read or write code, consider digging into one of the software packages above. If you see features that make sense but are not yet ready for the public, test them and give feedback. If you see features that are needed but lacking, write up a proposal and pass it by the primary maintainer of the software, offering to implement it yourself if you think you can.

Who will be the new authorities?
If we do shift to this new architecture, who will offer these new-style certificates? Initially, I imagine that VeriSign and the other very big commercial CAs won't do it, because of the threat to their business model. But smaller CAs might be convinced to offer this service as an add-on to their existing business. And now groups like MayFirst can simply and easily sign on as additional certifying agencies. already offers OpenPGP signatures, so it could probably be used immediately as an initial authority. And most importantly, everyone who is aware of and interested in these things can perform their own certifications, and publish them freely.

How to use secure connections
Web secure connections (HTTPS)
Look at the URL bar, where the address is. If it starts with “https://” (NOTE the ‘s’), then you have a secure connection; if it is just “http://” (NO ‘s’), then you are not using a secure connection. You can change that “http” to “https” by clicking on the URL bar, adding the ‘s’ and then pressing Enter to load the page securely. A third and much less reliable way to tell is by looking for a little padlock icon. It will appear either in the URL location bar or in the bottom corner of the window (the location depends on which browser you use), and it should appear locked; if there is no lock, or the lock picture looks unlocked, you are not using a secure connection. You can hover your mouse over the padlock to get more information, and often clicking (or sometimes right-clicking) on the lock will bring up details about the SSL certificate used to secure the connection.

Many webmail providers do not offer secure access, and others require that you enable it explicitly, either by setting a preference or by typing in the HTTPS address manually. You should always make sure that your connection is secure before logging in, reading your email, or sending a message. You should also pay close attention if your browser suddenly begins to complain about invalid security certificates when attempting to access a secure webmail account. It could mean that someone is tampering with the communication between your computer and the server in order to intercept your messages. All Web addresses normally begin with the letters HTTP, as can be seen in the example below:

When you are visiting a secure website, its address will begin with HTTPS.

Limitations of secure connections
Now that you are using secure connections, everything is completely secure, right? Sadly, no! Secure connections only secure the transport of the data itself; they do not guarantee the confidentiality of particular data. For example, when sending email using secure connections, your mail is encrypted when being sent to and from secure mail servers, but there are still many more “hops” your mail makes over the internet when going from server to server to the final recipient. Those hops are rarely encrypted, so there are many opportunities for someone to access your mail, both while it is “in transit” over the internet and when it is “at rest” on a mail server somewhere, or on the final recipient’s machine. Switching to secure connections is really only about making sure that your username and password are secure when you are logging into our servers.

Security on the web revolves around HTTPS, and that involves determining whether a particular certificate for a server should be considered “valid” by a web browser. The way this works right now is that a list of “trusted” Certificate Authorities is distributed with your browser. This sucks, because it requires you as a user to defer to some kind of central authority to validate your secure connection: why would you want to defer to some self-appointed authorities in order to participate in secure communications?

So what else can you do to better secure your email communications? If you want full end-to-end security for your email you need to adopt strong encryption software such as OpenPGP, and get the people you communicate with to begin using that software as well. There is a Thunderbird plugin called Enigmail that allows easy integration of strong encryption into Thunderbird.

Verify Riseup’s certificate fingerprints
To be certain you are communicating securely with Riseup, read the following instructions.

What are certificates?
On the internet, a public key certificate is needed in order to verify the identity of people or computers. These certificates are also called “SSL Certificates” or “Identity Certificates.” We will just call them “certificates” here. In particular, certificates are needed to establish secure connections. Without certificates, you would be able to ensure that no one else was listening, but you might be talking to the wrong computer altogether! All servers and all services allow or require secure connections. To make sure you are actually creating a secure connection with Riseup, you can follow the steps below to verify its certificates. This verification process is not required in order to use Riseup’s services. However, without verification, you cannot be certain you actually are connecting to that server, and you cannot be certain that your connections are secure.

How to verify that Riseup’s certificates are valid
To verify these fingerprints, you need to look at what your browser believes the fingerprints of the certificates are and compare them to what is listed below. If they are different, there is a problem. Be warned: a complete verification is difficult and requires an understanding of OpenPGP.

When should I verify these fingerprints?
You should verify these fingerprints whenever they change, or whenever you are using a computer that you do not control (such as at an internet cafe, or a library).

Basic verification
First find the fingerprint of Riseup’s certificate in your browser. In most browsers you do this by clicking on the lock icon (located at the bottom of the window or in the URL location bar) or on the red and black star icon (often located in the URL location bar). This should bring up details about the certificate being used, including the fingerprint. If the fingerprint you see there matches what you see below, then you have done some basic verification. If you are interested in doing a complete verification, then you will need to follow a more complicated technical process involving knowledge of OpenPGP.

Complete verification
Warning: this process is pretty technical; it requires familiarity with OpenPGP and the command line.

Import Riseup’s key
First you need to open a terminal/shell; how you do this depends on your system. If you do not know how, please ask someone or search on the internet to find out. The following instructions will demonstrate the commands you need to type in the terminal. The commands will be prepended with a ‘$’ character, which is used to indicate the command/shell prompt. This prompt indicates that the system is waiting for you to type in a command. In your shell, your prompt may look different; it could be any of a number of things, and if it is not a ‘$’ that is not a problem! Just type the command that follows this character into your shell. You need to import Riseup’s key from a keyserver:

$ gpg --keyserver --recv-key 139A768E

If you get an error about gpg not being found, you will need to install the gnupg program before you can continue. There is no particular reason that you should trust this key. You can see who has signed it:

$ gpg --list-sigs 139A768E

Verify these instructions
Now that you have imported Riseup’s public key, you can verify that the fingerprints listed on this page are really from Riseup. Copy this text:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

As of May 16, 2011, the following are Riseup's fingerprints:
SHA-1 fingerprint: df:de:63:9d:3d:8f:83:2f:f2:45:39:71:9e:d5:a1:0a:da:dc:5b:33
MD5 fingerprint: 30:00:a5:c9:70:c0:de:6c:a8:8d:18:69:c4:27:74:c1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

[signature data not reproduced here]
-----END PGP SIGNATURE-----

1. Then run this command: gpg --verify
2. Paste the text you copied
3. Type control-d
4. You should get output that says: gpg: Good signature from "Riseup Networks <>"

You should make sure that it says “Good signature” in the output! If this text has been altered, then this information should not be trusted. Unless you have taken explicit steps to build a trust path to the Riseup Collective key, you will see a warning message similar to:

gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.

However, you should still see the “Good signature”.

Compare the fingerprints
Now that you have verified that the above message contains the fingerprints for our certificate, you can compare this value to the value provided by your browser. You can get that value either by clicking on the lock icon in the URL bar, or by clicking our black and red star on the left side of the URL bar, then clicking “More Information” and then “View Certificate”; you should find the fingerprints there. Compare these with what you see above on this page. If the values match, and you trust the Riseup public PGP key, then you can be confident you are really communicating with Riseup’s servers when using an application that uses RiseupCA.pem.
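Both the basic and the complete verification above end the same way: a fingerprint you observed is compared with one published out of band. The following Python script is an added example, not Riseup's code or the booklet's, that automates that last step: it fetches the certificate a server presents, hashes its DER bytes the way a browser does, and compares the result with a published fingerprint written in the colon-separated form used on this page. The host and port arguments, and the sample bytes used for the offline check, are constructed placeholders.

```python
"""Check a server's certificate fingerprint against a published value.

Added example; it mirrors the manual procedure above: obtain the
certificate the server presents, compute its fingerprint, and compare
it with a fingerprint you obtained out of band (a signed page, a call).
"""
import hashlib
import hmac
import re
import socket
import ssl

# Browsers show fingerprints as colon-separated hex ("df:de:63:..."),
# sometimes upper-case or space-separated. Strip everything that is not
# a hex digit so that all of those forms compare equal.
_NON_HEX = re.compile(r"[^0-9a-fA-F]")

# MD5 and SHA-1 are accepted only because older pages (like the one
# above) still publish them; neither is collision resistant any more,
# so prefer SHA-256 whenever the publisher offers it.
_ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed stand-in for DER bytes, used only for the offline demo;
# a real certificate is several hundred bytes of ASN.1.
SAMPLE_DER = b"abc"
SAMPLE_PUBLISHED_SHA1 = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"


def normalize_fingerprint(text):
    """Return a fingerprint as bare lower-case hex."""
    return _NON_HEX.sub("", text).lower()


def fingerprint_of_der(der, algorithm="sha256"):
    """Hash the DER-encoded certificate exactly as a browser displays it."""
    if algorithm not in _ALGORITHMS:
        raise ValueError("unsupported fingerprint algorithm: %s" % algorithm)
    return hashlib.new(algorithm, der).hexdigest()


def fingerprints_match(observed, published):
    """True only if both are non-empty and identical after normalization."""
    a = normalize_fingerprint(observed)
    b = normalize_fingerprint(published)
    if not a or len(a) != len(b):
        return False
    # Constant-time comparison; fingerprints are not secrets, but it costs nothing.
    return hmac.compare_digest(a, b)


def fetch_server_cert_der(host, port=443, timeout=10.0):
    """Return the leaf certificate presented by host:port, DER-encoded.

    CA verification is disabled on purpose: the point of this check is to
    decide by fingerprint instead of deferring to the browser's CA list.
    Nothing is sent after the handshake, so an unexpected certificate is
    never trusted with any data.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_host(host, published, algorithm="sha256", port=443):
    """Fetch, hash and compare; returns (match, observed_fingerprint)."""
    observed = fingerprint_of_der(fetch_server_cert_der(host, port), algorithm)
    return fingerprints_match(observed, published), observed


def offline_demo():
    """Compare the constructed sample's SHA-1 fingerprint with its published form."""
    return fingerprints_match(fingerprint_of_der(SAMPLE_DER, "sha1"), SAMPLE_PUBLISHED_SHA1)


if __name__ == "__main__":
    import sys
    # Usage: HOST PUBLISHED_FINGERPRINT [sha256|sha1|md5] [PORT]
    # Port 443 is the webmail site; 993 and 995 are the IMAPS and POP3S ports.
    if len(sys.argv) < 3:
        sys.exit("usage: HOST FINGERPRINT [ALGORITHM] [PORT]")
    host, published = sys.argv[1], sys.argv[2]
    algorithm = sys.argv[3] if len(sys.argv) > 3 else "sha256"
    port = int(sys.argv[4]) if len(sys.argv) > 4 else 443
    ok, seen = verify_host(host, published, algorithm, port)
    print("%s fingerprint: %s" % (algorithm, seen))
    print("MATCH" if ok else "MISMATCH: do not log in over this connection")
    sys.exit(0 if ok else 1)
```

A mismatch means the certificate your computer was shown is not the one Riseup published, which is exactly the case the browser-warning paragraph above describes.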


Webmail
Webmail (or Web-based e-mail) is used to describe two things. One use of the word is to describe a Webmail client: an email client implemented as a web application accessed via a web browser. The other use of the word is to describe a Web-based email service: an email service offered through a web site (a webmail provider) such as Gmail, Yahoo! Mail, Hotmail and AOL Mail. Practically every webmail provider offers email access using a webmail client, and many of them also offer email access through a desktop email client using standard email protocols, while many internet service providers provide a webmail client as part of the email service included in their internet service package. As with any web application, webmail's main advantage over a desktop email client is the ability to send and receive email from any web browser, anywhere. Its main disadvantage is the need to be connected to the internet while using it (Gmail offered offline use of its webmail client through the installation of Gears). On February 19, 2010, the development of Google Gears was stopped, as Google is working on bringing all of the Gears capabilities into web standards like HTML5. There are also other software tools that integrate parts of the webmail functionality into the OS (e.g. creating messages directly from third-party applications via MAPI). For general and technical information on a number of webmail providers, please refer to:

Among webmail applications, the most popular are SquirrelMail, Roundcube and Horde. SquirrelMail is an Open Source project that provides both a fast web-based email application and an IMAP proxy server known as "imapproxy". Roundcube's most prominent feature is the pervasive use of Ajax technology to present a more fluid and responsive user interface than that of traditional webmail clients. Ajax technology is under development for a future version of SquirrelMail. If you are going to be using webmail to check your email, please don’t use Internet Explorer (IE). All the IE versions before 9.0 are pretty buggy and insecure.

PHP webmail clients: SquirrelMail vs. RoundCube webmail
To find and install a better webmail client for my Ubuntu + Apache server, I mainly tested two PHP open source webmail clients: SquirrelMail and RoundCube webmail.

SquirrelMail
SquirrelMail is a very basic webmail client. It was written in pure PHP with minimal JavaScript code. Its goal is to provide an email client that can be used in as many web browsers as possible. It does not have any fancy interface, just plain basic functionality. However, it provides a programming API that allows other people to develop plugins to extend its functionality. Indeed, there are a significant number of plugins available on its website. Figure 1 shows its user interface.

There are several advantages to using the web-based SquirrelMail rather than a local e-mail client like Outlook Express, or Outlook:

E-mail viruses are never automatically opened: in fact, no attachments are ever downloaded unless you click on the Download task... plus we scan all e-mail coming in to the server.

Spam is DRASTICALLY reduced by server-side filters and applications like SpamAssassin.

You can process your e-mail when you’re out of town or at work: just go to your Mail Home Page and log in to SquirrelMail with your username and password.

You don't have to wait for messages to download: you have access to your e-mails while they are still on the Dr. Bill Bailey.NET server. Outlook Express and other e-mail clients download your e-mails from the server and put them on your computer.

Spammers won’t be notified that you received their e-mail: many spam e-mails contain images that are linked to a domain (rather than attached to the e-mail). When you view such an e-mail with most e-mail clients, you are contacting the linked server, potentially letting the sender know you opened it. SquirrelMail does not contact the sender unless you ask it to.

Save space on your computer: leave all your e-mail on the Dr. Bill Bailey.NET server and download only the attachments you want. The mail is also backed up on our servers.

Avoid e-mail software problems: no worries about software updates, compatibility, security risks, or bugs. Many e-mail problems stem from downloading: messages contain too-large attachments, there are too many messages for the client to handle, or there are configuration problems. You can always get help on using SquirrelMail from within SquirrelMail... just click on the Help link at the top of your SquirrelMail screen, and then click the "Table of Contents" link for information on the kinds of things you can get help on from within SquirrelMail.

Also, you can actually use a local (PC based) e-mail client AND SquirrelMail, although you shouldn’t use both at the same time (that is, at the same MOMENT in time, a server security feature will temporarily lock your mailbox if you do.) Some people use SquirrelMail to check messages while at work, and then download them later at home with Outlook Express, or another POP3 local client. You could also use SquirrelMail to remove any unwanted or too-large e-mails if Outlook refuses to download them. Also, you can use Mozilla Thunderbird with the IMAP setup, and have the best of both worlds: local client e-mail that leaves the messages on the server, where you can still read, reply, and search them from the SquirrelMail Webmail client via your browser!

RoundCube webmail
RoundCube Webmail is a modern webmail client implemented with PHP and AJAX technology. Thanks to its reading pane, it does not need to refresh the screen as you walk through your mail. Its functionality is easier to use and better organized than SquirrelMail's. Its internationalization is also much better and easier than SquirrelMail's.

Installation
Installation is a significant step and duty. Developers should provide an easy way to install their application. The RoundCube Webmail team does a great job of optimizing the installation process. In contrast, SquirrelMail requires a lot of hassle to install completely. The stable version of SquirrelMail is 1.4.20, released on Mar 7, 2010. The downloaded package is 638KB in size (squirrelmail-1.4.20.tar.gz). The stable version of RoundCube is 0.3.1, released on Oct 31, 2009. The downloaded package is 1.8MB in size (roundcubemail-0.3.1.tar.gz). After the packages are downloaded, you can extract them into a folder with the following Linux commands:

tar -xzf squirrelmail-1.4.20.tar.gz
tar -xzf roundcubemail-0.3.1.tar.gz

Follow the installation instructions at to install RoundCube Webmail. This process involves database setup. I use MySQL server. I just followed the corresponding section to create a new database and a user account for RoundCube Webmail. After I ran the install script in the web browser, I had to do some manual work to make RoundCube Webmail work seamlessly with my mail server. Since my mail server uses a secure connection, I had to manually edit the configuration file (config/ ) to change the mail host to “ssl://localhost”:

$rcmail_config['default_host'] = 'ssl://localhost';

Since the sent, junk, and trash folders are located under “INBOX” on my mail server, I had to change the following folder locations manually:

$rcmail_config['drafts_mbox'] = 'INBOX.Drafts';
$rcmail_config['junk_mbox'] = 'INBOX.Junk';
$rcmail_config['sent_mbox'] = 'INBOX.Sent';
$rcmail_config['trash_mbox'] = 'INBOX.Trash';

Follow the installation manual at to install SquirrelMail. The overall process of installing RoundCube Webmail is easier and smoother than the SquirrelMail installation.

Address book
RoundCube provides a basic, easy-to-use address book. A new address can be added to the address book by clicking a button after the email address in the mail preview panel. In contrast, SquirrelMail does not provide an essential address book function. You have to turn to a plugin to do it. I downloaded and installed “Add Address” at . The functionality is OK but not as good as the one RoundCube provides.

Upgrade
RoundCube Webmail saves user data in the database, which makes the upgrade process easier. SquirrelMail stores user data in data files. The integrity of the data files is hard to maintain, which makes the upgrade process a little harder.

Message filters
SquirrelMail provides a useful function called Message Filters. You can create filters that distribute mail to different folders. RoundCube Webmail does not provide anything like that.

Spam filters
SquirrelMail has a very useful function, SPAM filters, that allows you to select from various DNS-based blacklists to detect junk email in your INBOX and move it to another folder (like Trash or Junk). I did not find detailed information about spam filters in RoundCube Webmail. It might include something, but it is not configurable like SquirrelMail's.

There are multiple quality free and open source web browsers to choose from:

Firefox: Firefox is developed by the non-profit Mozilla Foundation. Chrome: Chrome is an open source browser developed primarily by Google.

For security reasons, we require cookies. Without cookies, it is impossible to make your login session secure. Cookies have a bad reputation because they allow advertisers to track your activity on the web, but for webmail cookies are great.

Securing your email
The Internet is an open network through which information typically travels in a readable format. If a normal email message is intercepted on the way to a recipient, its contents can be read quite easily. And, because the Internet is just one large, worldwide network that relies on intermediary computers to direct traffic, many different people may have the opportunity to intercept a message in this way. Your Internet Service Provider (ISP) is the first recipient of an email message as it begins its journey to the recipient. Similarly, the recipient's ISP is the last stop for your message before it is delivered. Unless you take certain precautions, your messages can be read or tampered with at either of these points, or anywhere in between. There is always some threat that you did not consider, be it a keylogger on your computer, a person listening at the door, a careless email correspondent or something else entirely. Yahoo and Hotmail, for instance, provide a secure connection while you log in, to protect your password, but your messages themselves are sent and received insecurely. In addition, Yahoo, Hotmail and some other free webmail providers insert the IP address of the computer you are using into all of the messages you send. Few webmail providers offer SSL access to your email. Gmail accounts, on the other hand, can be used entirely through a secure connection, as long as you log in to your account from the HTTPS address rather than the plain HTTP one. In fact, you can now set a preference that tells Gmail always to use a secure connection. And, unlike Yahoo or Hotmail, Gmail avoids revealing your IP address to email recipients. However, it is not recommended that you rely entirely on Google for the confidentiality of your sensitive email communication. Google scans and records the content of its users' messages for a wide variety of purposes and has, in the past, conceded to the demands of governments that restrict digital freedom.

If possible, you should create a new RiseUp email account by visiting . RiseUp offers free email to activists around the world and takes great care to protect the information stored on their servers. They have long been a trusted resource for those in need of secure email solutions. And, unlike Google, they have very strict policies regarding their users' privacy and no commercial interests that might one day conflict with those policies. In order to create a new RiseUp account, however, you will need two 'invite codes.' These codes can be given out by anyone who already has a RiseUp account. If you have a bound copy of this booklet, you should have received your 'invite codes' along with it. Otherwise, you will need to find two RiseUp users and ask them each to send you a code.

Both Gmail and RiseUp are more than just webmail providers. They can also be used with an email client, such as Mozilla Thunderbird. Ensuring that your email client makes an encrypted connection to your provider is just as important as accessing your webmail through HTTPS. If you use an email client, at the very least you should be sure to enable SSL or encryption for both your incoming and outgoing mail servers. Regardless of what secure email tools you decide to use, keep in mind that every message has a sender and one or more recipients. You yourself are only part of the picture. Even if you access your email account securely, consider what precautions your contacts may or may not take when sending, reading and replying to messages. Try to learn where your contacts' email providers are located, as well. Naturally, some countries are more aggressive than others when it comes to email surveillance. To ensure private communication, you and your contacts should all use secure email services hosted in relatively safe countries. And, if you want to be certain that messages are not intercepted between your email server and a contact's email server, you might all choose to use accounts from the same provider. RiseUp is one good choice.

Anonymous E-mail
Anonymous E-mail is a truly anonymous e-mail service which uses random remailers of the Mixmaster remailer network. Unfortunately, you cannot receive replies or track the e-mail. It can take up to 12 hours for the recipient to receive the message. In order to ensure your anonymity is not compromised, consider using one of the programs listed above.

Safe-mail is a secure and anonymous e-mail service. You can define your own e-mail address with the domain. As a free user, you get a whopping 3 MB of storage, no downloads, no cookies and no ads. It also includes file storage, secure chat, photo storage, a jotter, a calendar, your own secure message board, spam filters and virus protection. It works with most browsers and is compatible with the following protocols: POP, SMTP, IMAP, S/MIME and PKI. Finally, a few tips: if you set a password, don't forget it! It is impossible to retrieve it from them. Try to use one of the programs listed above with this service to increase your anonymity.

10 Minute Mail is a disposable e-mail service. This service is especially useful for signups and activations where you do not want to disclose your real e-mail address. It acts as a good spam prevention method. A random e-mail address is generated, and the inbox is updated automatically when e-mails arrive. As the name suggests, the mailbox only lasts for ten minutes before it self-destructs. However, if you need to use the mailbox for a little bit longer, you can request another 10 minutes quite easily and repeat as many times as required. It is highly anonymous, as your mail is destroyed after 10 minutes. You cannot send e-mails using this service.

Yopmail is a disposable e-mail service. It is a little more sophisticated than 10 Minute Mail and allows you to define your own e-mail address or generate a random one. Accounts last for 8 days and then expire. Again, it is useful for signups and activations where you do not want to disclose your real e-mail address. You can only send e-mails to other Yopmail users using this service.

HushMail: a Canadian-registered company, it is an easy-to-use, secure web-based email service that provides an additional layer of encryption for your messages. Being a web-based service, Hushmail can be accessed using your Web browser, and is compatible with all major operating platforms. Note that, as with Gmail, RiseUp and other commercial and popular email services, all your encryption keys and messages reside on the Hushmail servers. It is technically possible for Hushmail to have access to your email communications. It's reliable, secure and completely anonymous. You can define your own e-mail address or generate one, and can choose from one of several domains. As a free user, you get a whopping 2 MB of storage! In order to keep using the service, you must log in at least once every 3 weeks. Finally, a few tips:
- If you set a password, don't forget it! It is impossible to retrieve it from them.
- Try to use one of the anonymizer programs (VPN, Tor …) with this service to increase your anonymity.
- Choose a good encryption question and answer to increase anonymity.

Riseup - Secure Email Service
Riseup is a collective organization dedicated to providing private and secure email and hosting services for individuals and organizations committed to political and social justice.

Homepage:

Computer Requirements
- An Internet connection
- Riseup works best with the Firefox web browser

We offer the following points for consideration when choosing an email service:
1. Does it permit the use of encrypted channels (like https, and other SSL-encrypted versions of protocols like IMAPS, POP3S and SMTPS) for transferring all information (including login information and your emails), and are there no encryption-related problems (for example, problems related to encryption certificates)?
2. Are the email servers managed in a secure way? Are they run by professionals who are committed to using best practices for protecting your information? Do you trust them not to provide access to your information to third parties for any reason (commercial, political, religious, etc.)?
3. Do you know the geographical location of the servers, under which territorial jurisdiction they fall, or where the company is registered? Are you aware of how this information relates to the privacy and security of your email activity and information?

In some parts of the world, Google Mail would prove a good alternative to Riseup, offering a better "blending in" effect without compromising much of the security (given its commercial nature). Riseup is a collective dedicated to providing private and secure hosting, listing and mail services for individuals and organizations committed to political and social justice. Since their services are free, your email account is much smaller than at other, advertisement-driven and non-secure providers. A new account can only be registered by those who have received an invite code from existing members, or by participants in our Digital Security Project. Riseup operates exclusively over the Secure Sockets Layer (SSL), providing a secure connection between your computer and their server. This security is maintained when reading your email in a client program, over secure POP, IMAP and SMTP connections (these refer to special protocols used by a mail program to download your email). Riseup is compatible with Mozilla Thunderbird.

How to Create a Riseup Account
Riseup offers three different methods for registering an email account. Each requires a different investment of effort and time.

1. Individuals and/or organizations are invited to join by two existing Riseup account holders. This method requires that each of them sends you an invite code.
2. Request an account directly from the Riseup team. Bear in mind that Riseup runs on donations and the goodwill of its volunteers, so this method requires some patience and time.
3. Participants in our training sessions receive individual invitation codes, distributed with the hard copy edition of the Security in a Box toolkit.

After you have received your invite codes, perform the following steps to register your free Riseup account:

Step 1. Type the Riseup web address into your browser to open the Riseup site as follows:

The Riseup home page
Note: The s in the https:// address indicates that you are now communicating over a TLS/SSL-encrypted connection, and the corresponding message will appear above the login text fields. Check that your browser shows the padlock icon and raises no certificate warning; a warning here means the connection should not be trusted.
Step 2. Click "request account" to open the Request account page as follows:

The RiseUp Request an email account page

Step 3. Click the button to display the Riseup Request an email account - About our email service page.

Important: The following options must be enabled before you can proceed with creating your Riseup account.
Step 4. After you have read the Riseup policies, tick the check boxes to accept the social contract, the privacy policy and the terms of service.
Step 5. Click the button to begin creating your Riseup account by filling out the following online forms: Account information, Password, Mutual aid and Activation.

The Account information form
Step 6. Enter a desired user name for your account. This becomes both your login name and the local part of your email address; for example, the user name 'ssayyed' produces the address ssayyed at the Riseup domain. Important: Do not use commas, full stops or spaces in the user name.

An example of a completed Account information form

Step 7. Once you have chosen a unique user name, click the button and proceed to the Password form.

Note: If the user name is already taken, you will be prompted to choose a different one.

The Password form
In the Password form, you must create both a security question and answer, and a strong password to protect your account; otherwise you will not be permitted to proceed any further in the account creation process. Riseup encourages you to set the question and answer in case you forget your password. However, this well-intentioned measure also presents a security risk: an adversary may only have to guess the answer correctly, or intercept the new password being sent to you. We strongly recommend that you spoil the answer to your question, so that nobody can recover your account by guessing it. Fill both fields with long random text (for example, a random string generated by your password manager that you then discard), not with a word you might be tempted to remember, as shown in the example below:

An example of a question and spoiled response in the Password form

Warning: This also means that it will be virtually impossible to reset your password. You must remember your password! This is the most secure (if not the most convenient) option. The password for your RiseUp account is the most important factor in the security of your account. To learn how to create a strong password, please refer to KeePass.

The completed Password section in the Password form
Step 8. Click the button to proceed to the Mutual aid form.

The Mutual aid form
RiseUp depends entirely on the generosity of strangers, in donations and volunteer time. Although their requests for financial support are legitimate and necessary, Riseup also encourages users to invest their money in local social justice projects. It is entirely up to you whether you or your organization make a contribution here. Note: Your decision will not affect the account registration process in any way; you can still continue to create your free Riseup account.

The mutual aid form
Step 9. Click the button to proceed to the Activation form.

The Activation form
You are required to enter your invite codes in the Activation form.
Step 10. Type the invite codes into their respective text fields.

An example of a completed Activation form
Step 11. Click the button to finish creating your Riseup account as follows:

An example of an account successfully created confirmation
Step 12. Click the button.

Congratulations! You have successfully created your RiseUp email account.

How to Log into Your RiseUp Account
To log into your RiseUp account, perform the following steps:
Step 1. Open the RiseUp home page in SSL mode (an https:// address) as follows:

The RiseUp mail login page
The RiseUp mail page is divided into the login section on the left and the News on the right. Note: You may use either of the two webmail systems presented, although IMP Webmail is more suited to non-English language interfaces.
Step 2. Type your information into the User: and Password: text fields in either the Squirrel Webmail or IMP Webmail section; do not include the domain part of the address in the User: field.

Optional step. Select your language of choice from the Language drop-down list in the IMP Webmail section if necessary.
Step 3. Click the button to display your account as follows:

An example of a RiseUp Squirrel Webmail account
Optional step: If you primarily write and receive email in a non-Latin character set, you may wish to specify this for the webmail account. Select Options from the top menu. The Squirrel Webmail options window appears as follows:

The SquirrelMail Options pane
Step 4. Select Display Preferences to open the Options - Display Preferences pane as follows:

The SquirrelMail Options - Display Preferences pane
Step 5. Locate the Language drop-down menu shown in the figure above, and select the appropriate character set for your email messages. This setting determines the encoding used for the messages you send and receive.

How to Use the Virtual Keyboard
If you are using a computer in a public setting (an Internet café, community centre or library, for instance), you can enter your password using the Virtual Keyboard. It offers another layer of protection against key-logger programs, which record a user's physical key strokes to capture passwords, user names and other sensitive information. A virtual keyboard lets you enter your password with the mouse instead, so a hardware key-logger or a simple software one captures nothing useful. Bear in mind that it does not protect against malware that records the screen or mouse clicks, so an untrusted computer remains a risk however you type the password. To use the RiseUp Virtual Keyboard, perform the following steps:
Step 1. Open the RiseUp home page in SSL mode.
Step 2. Click the login button to open the RiseUp Login page as follows:

The RiseUp Login page
Step 3. Click virtual keyboard to open the Virtual Keyboard as follows:

The Virtual Keyboard
Step 4. Click the keys that make up your password with the mouse (or hover the pointer over a character for 2 seconds).
Step 5. Click the button to access your RiseUp account.

How to Change Your Account Settings

RiseUp lets you modify different settings for your account. You can specify the size of your mailbox, change your account name and address, add aliases and more. You can also create invite codes to help friends and colleagues register their own RiseUp accounts.
Step 1. Open the RiseUp Account Settings page as follows:

The Account Settings page
Step 2. Type your user name and password into the corresponding text fields.
Step 3. Click the button to open the following screen:

The user control page

The My Settings page
The My Settings page displays all the information that you originally entered. There are some important things to consider before you change your user name:

Your SquirrelMail and IMP address books will be lost. If you want to keep the address books for these web-based email interfaces, you must do the following:

1. Export the address book to a file from within SquirrelMail or IMP.
2. Change your user name.
3. Import the file of addresses back into SquirrelMail or IMP.

After you have changed your user name, you should probably add the old user name as an alias for your account, so that you do not miss any email. If you are changing your user name to avoid spam, however, skip this step. Once your user name is changed, use the new one to log in.

Step 1. Click the button to open the following screen:

The Settings page
You can change your user name on this screen, which also changes your email address. The new user name must be unique. Here you may also change other account details such as the alternate email address, password and so on.

Step 2. Type in your new information, then click the button to display this message:

Successfully updated your changes

The Email settings page
The Email settings page lets you view or modify information related to email storage. You can set the 'quota', the amount of space reserved for your email account on a RiseUp server.

Step 1. Click the button to open the following screen:

The Email settings page
Step 2. Enter an appropriate number into the Quota text field. Note: Your account is limited to a maximum of 47 megabytes. This is considered enough for important email communication. However, RiseUp may not be the best choice if you regularly send and receive email with large attachments or embedded graphics.

How do I create an alias?
An alias is a different email address that is delivered to the same mailbox. So, you might have your usual Riseup account, but you are organizing an action and want a separate address for it. You can create an alias! Here's how:

1. Log in to the user control panel.
2. Click on Email.
3. Type the new address in the "Aliases" box.
4. Click "Save".

Note that if someone else already has the alias or user name in use, you will not be able to create the alias; try a different name. The main account remains as before, and people will be able to send email to your alias address as well.

The Aliases section of the Email settings page
Example: the account now has two aliases. Email sent to either of them is delivered to the main account. This can be a useful way to keep your real account address private. Click the button to save your new aliases.

The Invites page
The Invites page lets you generate invite codes to invite your friends and colleagues to join RiseUp. Important: Each new account needs an invite code from two different users. You may generate as many invite codes as you wish.
Step 1. Click the button to open the following screen:

The Invites page
Step 2. Click the button to generate invite codes as follows:

An example of generated invite codes
Note: Each invite code is valid for only a month.
Step 3. Click print invite to print out a copy of the invite codes and give them to the person wishing to create a RiseUp email account.
Step 4. Click the button to log out of the user panel.

How can I delete my account?
Simply follow these steps:
1. Log in to the user control panel.
2. Click the button Destroy username (where username is your user name).

How do I change or delete my alternate email address?
Riseup would prefer not to store an alternate email address for you. However, the alternate email is currently the only way to reset a forgotten password. To change it:
1. Log in to the user control panel.
2. Click My Settings.
3. Remove or change what is in the 'Alternate Email' field.

What is email forwarding?
If you would like all email that arrives at your Riseup address to be sent on automatically to another address, that is an email forward.

How do I forward my email to another address?
1. Log in to the user control panel.
2. Click on "Email".
3. Enter the address to which you would like your Riseup mail forwarded in the field marked "Forward", towards the bottom of the page.
4. Click on "Save Changes".
Note: you may see a strange red exclamation mark at the top of the screen. This is a bug; as long as your forwarding address appears on the screen, your email is being forwarded. Remember that forwarded mail is stored at the destination provider and is only as protected as that provider makes it.

What is an email alias?
An alias is a different email address that is delivered to the same mailbox (see "How do I create an alias?" above).

Using aliases to prevent spam
If you need to give an email address when you sign up on some site, you can create an alias and use that instead of your normal address. That way you will know if the site starts spamming you, and if you ever want it to stop, you can simply destroy that alias without affecting your main email account.

Protect your password:

- Never give your password to anyone, whoever they claim to be.
- Never trust that the "From" address of an email is who it says, because it can be forged easily.
- Web links in email messages are often fraudulent. To be safe, retype the address rather than clicking the link, and watch for look-alike misspellings of the domain.

Features:

- When you send email from Riseup to another secure email provider, the message is encrypted for its entire journey: TLS between your computer and Riseup, and TLS between Riseup's server and the receiving server, provided the receiving provider supports it. This is encryption in transit, not end-to-end encryption; the message is readable on both providers' servers, so use message encryption (see the Message Security chapter) for content that must stay private from the providers themselves.
- When you send email through Riseup, your Internet address (IP address) is not embedded in the email. With corporate email providers, anyone who receives your email can work out your approximate physical location from the Internet address included in the message headers.
- Riseup states that no log information is recorded.

Retention of special folders:
- Trash: deleted after 21 days.
- Spam: deleted after 7 days.
- Sent: deleted after 120 days.
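To see what a message's headers give away, here is an added example (not part of the original guide and not Riseup's code) that walks the Received trail of a message and extracts the IP address of the client that submitted it. Each relay prepends its own Received header, so the first hop is the last header in the message. The two sample messages are constructed; the host names and addresses in them are illustrative.

```python
import re
from email import message_from_string
from typing import List, Optional

# Constructed sample 1: a provider that records the submitting client's IP
# in the first Received header (host names and addresses are illustrative).
MSG_WITH_CLIENT_IP = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.org with ESMTPS id 4Xy; Tue, 1 May 2012 10:00:03 +0000
Received: from [192.0.2.55] (dsl-pool-55.isp.example [192.0.2.55])
\tby mx.example.net with ESMTPSA id 7Qz; Tue, 1 May 2012 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: hello

body
"""

# Constructed sample 2: a provider that leaves the client's address out of the
# first hop, so the recipient only ever sees the provider's own server.
MSG_WITHOUT_CLIENT_IP = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.org with ESMTPS id 4Xz; Tue, 1 May 2012 10:05:03 +0000
Received: from webmail.example.net (localhost)
\tby mx.example.net with ESMTPSA id 7Ra; Tue, 1 May 2012 10:05:01 +0000
From: alice@example.net
To: bob@example.org
Subject: hello

body
"""

_IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw: str) -> List[str]:
    """Return the Received headers in delivery order (first hop first).

    Each relay prepends its own header, so the last Received header in the
    message is the one written by the first server that accepted the message.
    """
    msg = message_from_string(raw)
    hops = msg.get_all("Received") or []
    return [" ".join(str(h).split()) for h in reversed(hops)]


def originating_ip(raw: str) -> Optional[str]:
    """IPv4 address of the client that submitted the message, if recorded.

    Only the 'from ...' clause of the first hop is searched; the 'by ...' part
    names the receiving server, which is not the sender's machine.
    """
    hops = received_hops(raw)
    if not hops:
        return None
    from_clause = re.split(r"\bby\b", hops[0], maxsplit=1)[0]
    match = _IPV4_IN_BRACKETS.search(from_clause)
    return match.group(1) if match else None


if __name__ == "__main__":
    for label, raw in (("records client IP", MSG_WITH_CLIENT_IP),
                       ("omits client IP", MSG_WITHOUT_CLIENT_IP)):
        print(f"{label}: first hop = {received_hops(raw)[0]}")
        print(f"{label}: originating IP = {originating_ip(raw)}")
```

Run it against a message you received to see which of your correspondents' providers leak the submitting address; a naive search for the first IP anywhere in the headers would return the provider's own server (203.0.113.7 in the samples), which is why the code looks only at the first hop's "from" clause.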

If you need more space, download your email with a mail client (see "Downloading email" below) and then enter a new quota amount. To find out where the space goes:

1. You can use SquirrelMail to see the size of each of your folders. Log in to SquirrelMail.
2. Click on the button Folder Sizes on the left (under the list of folders).

This method only counts mail in folders you are subscribed to in SquirrelMail. To confirm you are subscribed to all folders, click 'Folders' at the top and look at the 'Unsubscribe/Subscribe' field. Any folders you are not subscribed to appear in the right column; select them and click 'Subscribe'.

Space in folders is often taken up by a few messages with large attachments. Within a folder, you can sort by size to find the largest messages:

1. In SquirrelMail, open the folder you want to check.
2. Click on the box to the right of "Size". This displays the largest messages first; you can then delete any large messages you no longer want.
3. Click on the arrow to the right of "Size" to change whether the largest are shown first or last.
4. When you are done, you will probably want to click the box to the right of "Date" to order by date again.

Messages in your Trash folder do not count toward your quota usage. Messages stored in your Spam folder, however, are counted against your quota.

Reset your account
To reset your account, you must have an active alternate email address set; you can then use the lost password form. Note that some mail clients do not handle special characters in passwords and will not work with them.

Customize your spam settings
By default, all your incoming mail is scanned for spam. You can improve the filter's sensitivity and accuracy by customizing your spam settings:
1. Log in to the user control panel.
2. Click on Email and then Spam settings.
3. Click Enable custom spam settings.

How Riseup fights spam
Riseup's team of spam fighters has erected three layers of spam defense:

Realtime Block Lists: Realtime Block Lists (RBLs, also called DNS blocklists or DNSBLs) are frequently updated lists of computers known to send spam. Riseup uses these lists to block email from those machines. If you try to send an email to a Riseup address and it is rejected because of an RBL, the rejection notice contains a link to a website with details about the reason for the listing. There are good RBLs and bad RBLs; Riseup only uses the most reputable ones.

SpamAssassin: Riseup uses SpamAssassin to help fight spam. SpamAssassin applies a large set of rules to each incoming message and adds up their scores to decide whether it is spam.

Customizable spam filtering: Riseup mail allows you to customize the spam settings for your account. If the statistical (Bayesian) filter is also turned on, it learns and adapts over time based on the messages you mark as spam and not spam.
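An RBL is queried through DNS: the sending machine's address is written backwards, the list's zone name is appended, and an answer in 127.0.0.0/8 means "listed". The example below (added here; it is neither Riseup's code nor part of the original guide) builds those query names for IPv4 and IPv6, and applies the RFC 5782 sanity check that separates a good list from a bad one: 127.0.0.2 must be listed and 127.0.0.1 must not be, otherwise the zone is dead or wildcarded and would reject everyone's mail. DNS is replaced by a constructed lookup table; the zone names bl.example.org and dead.example.org and all answers are hypothetical.

```python
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]   # name -> A record, or None if NXDOMAIN

# Constructed stand-in for DNS: zone names and answers are hypothetical.
# bl.example.org behaves like a healthy list; dead.example.org answers "listed"
# for every query, the classic failure mode of an abandoned blocklist.
FAKE_DNS: Dict[str, str] = {
    "2.0.0.127.bl.example.org": "127.0.0.2",    # RFC 5782 test entry: must be listed
    "7.113.0.203.bl.example.org": "127.0.0.2",  # constructed: a known spam source
    "1.0.0.127.dead.example.org": "127.0.0.2",  # RFC 5782 says this must NOT be listed
    "2.0.0.127.dead.example.org": "127.0.0.2",
    "7.113.0.203.dead.example.org": "127.0.0.2",
    "55.2.0.192.dead.example.org": "127.0.0.2",
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNS name to look up: the address reversed, then the zone.

    IPv4: 203.0.113.7 -> 7.113.0.203.<zone>
    IPv6: each of the 32 hex nibbles reversed and dot-separated (RFC 5782).
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(str(addr).split(".")))
    else:
        nibbles = addr.exploded.replace(":", "")
        reversed_part = ".".join(reversed(nibbles))
    return f"{reversed_part}.{zone}"


def zone_is_sane(zone: str, resolve: Resolver = fake_resolve) -> bool:
    """RFC 5782 sanity check: 127.0.0.2 must be listed and 127.0.0.1 must not.

    A zone that fails this is dead or wildcarded and would reject all mail.
    """
    listed_ok = resolve(dnsbl_query_name("127.0.0.2", zone)) is not None
    unlisted_ok = resolve(dnsbl_query_name("127.0.0.1", zone)) is None
    return listed_ok and unlisted_ok


def dnsbl_listings(ip: str, zones: List[str],
                   resolve: Resolver = fake_resolve) -> List[Tuple[str, str]]:
    """Return (zone, answer) for each sane zone that lists the address.

    The answer is a 127.0.0.x code whose meaning is defined by the zone;
    any answer outside 127.0.0.0/8 is treated as a misconfigured zone.
    """
    loopback = ipaddress.ip_network("127.0.0.0/8")
    hits = []
    for zone in zones:
        if not zone_is_sane(zone, resolve):
            continue   # the "bad RBL" case: skip it rather than block everyone
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None and ipaddress.ip_address(answer) in loopback:
            hits.append((zone, answer))
    return hits


if __name__ == "__main__":
    zones = ["bl.example.org", "dead.example.org"]
    for ip in ("203.0.113.7", "192.0.2.55"):
        print(ip, "->", dnsbl_listings(ip, zones) or "not listed")
```

To use it for real, replace fake_resolve with a function that performs an A lookup (for example with a DNS library of your choice) and pass the zone names of the lists you trust; the sanity check is worth keeping, because a list that has gone offline and wildcarded its zone is indistinguishable from "everyone is a spammer" without it.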

Riseup has deployed a number of tools to combat spam, and sometimes a legitimate user's email is incorrectly identified as spam. First, identify the problem. If your mail is being bounced by Riseup, the servers give a reason for the bounce. Look at the bounce message and compare it to the sample messages below. If you find a match, try the steps listed before contacting Riseup.

My mail is "Blocked by SpamAssassin"
Host ( said: 550 5.7.1 Blocked by SpamAssassin (in reply to end of DATA command)
SpamAssassin uses a number of rules to decide whether incoming mail is spam; here the message scored above the threshold after its content had been received (the "end of DATA" point). Check whether the person sending you mail, or their ISP, can resolve the issue before you contact Riseup to report it.

My mail server has "bad MX records"
Connected to but sender was rejected. Remote host said: 554 5.7.1 Service unavailable; Sender address (EXAMPLE@EXAMPLE.NET) blocked using; Domain has demonstrably bogus MX records
MX records in DNS name the servers that accept mail for a domain. If the sender's domain has no working MX (or A) record, replies and bounces cannot be delivered to it. Some ISPs do not configure their DNS records correctly, and this leads to many problems; it is also a common trait of spammers' throw-away domains, so Riseup does not accept mail from domains with bogus MX records. If the person sending you mail receives this error, have them contact their ISP (or their IT department if it is a business) and ask them to fix the domain's MX records.
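The "compare it to the samples" step can be automated. The following added example (not from the guide or from Riseup) parses the SMTP reply out of a bounce, whatever mail-client text surrounds it, separates the three-digit reply code from the RFC 3463 enhanced status code (the "5.7.1"), and says who has to act: you, the sender, or nobody because a 4xx reply will be retried. The sample bounce lines are constructed to match the shapes shown above; the host name in the first one is made up.

```python
import re
from typing import NamedTuple, Optional


class SmtpReply(NamedTuple):
    code: int                 # 3-digit reply code, e.g. 550
    enhanced: Optional[str]   # RFC 3463 enhanced status code, e.g. "5.7.1"
    text: str                 # the rest of the reply line


# A reply code, an optional enhanced status code, then free text.
_REPLY = re.compile(r"\b([2-5]\d{2})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s+)?([^\r\n]*)")


def parse_reply(bounce_text: str) -> Optional[SmtpReply]:
    """Pull the first SMTP reply out of a bounce, whatever wrapper text surrounds it."""
    m = _REPLY.search(bounce_text)
    if not m:
        return None
    return SmtpReply(int(m.group(1)), m.group(2), m.group(3).strip())


def diagnose(bounce_text: str) -> str:
    """Map the reply to who has to act: you, the sender, or nobody (retry)."""
    reply = parse_reply(bounce_text)
    if reply is None:
        return "no SMTP reply code found; read the bounce text manually"
    text = reply.text.lower()
    if "relay access denied" in text:
        return ("your mail client: outgoing server not set to authenticate, "
                "or wrong server or user name")
    if "spamassassin" in text:
        return "content filter rejected the message; the sender or their ISP must fix the cause"
    if "bogus mx" in text:
        return "sender's domain has broken MX records; their ISP or IT department must fix DNS"
    if 400 <= reply.code < 500:
        return "temporary failure; the sending server will retry on its own"
    if reply.enhanced and reply.enhanced.startswith("5.7."):
        return "permanent policy rejection (5.7.x); ask the receiving site why"
    return "permanent failure; check the address and the reply text"


# Constructed bounce fragments modelled on the samples in this guide.
SAMPLES = [
    "Host mx.example.org said: 550 5.7.1 Blocked by SpamAssassin (in reply to end of DATA command)",
    "Remote host said: 554 5.7.1 Service unavailable; Sender address (EXAMPLE@EXAMPLE.NET) "
    "blocked using; Domain has demonstrably bogus MX records",
    "Server Response: '554 Relay access denied', Port: 25, Secure (SSL): Yes, Server Error: 554",
    "Remote host said: 451 4.7.1 Greylisted, please try again later",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        reply = parse_reply(sample)
        print(reply.code, reply.enhanced, "->", diagnose(sample))
```

The keyword tests come from the specific messages this guide documents; the fallbacks on the reply code and on the 5.7.x class apply to any bounce, which is why the parser keeps both codes rather than only the text.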

Why should I use Riseup's outgoing mail server?
There are many good reasons to use Riseup's SMTP servers:

- Riseup's SMTP service is offered over an encrypted connection. Many other SMTP services are insecure, sending your login and messages in clear text.
- Riseup does not include your home IP address in the headers of your outgoing mail. Only a couple of other providers are known to do this.
- Some ISPs will not let you send mail with a From address outside their domain (for example, AOL's SMTP server will fail if you use any address other than an AOL address).
- Some ISPs severely limit how many emails you can send.
- Riseup's SMTP service is portable: it does not depend on which network you are connected to, so it keeps working when you move your computer around.

Set your outgoing mail server:

How many messages can I send?
If you plan on sending thousands of messages using SMTP, you may need to ask Riseup first before it will work.

Why can I only send mail to Riseup users?
The problem is almost certainly that your mail client is not configured to authenticate to the outgoing mail server. Without authentication the server delivers to its own users only and refuses to relay to other domains (see "What does Relay Access Denied mean?" below).

Troubleshooting Web Mail Login
The most common question is: "why can't I log in?" Almost always, login problems are due to one of the following:

- Your web browser is blocking cookies.
- You have typed your login or password incorrectly.
- Your web browser is old and does not correctly support JavaScript or encrypted connections.
- The mail server is down (although this rarely happens).

Try other web browsers
If you still cannot log in, you should next figure out whether the problem is with your account or with your computer. Try other computers and other web browsers. For this test to be helpful, the other computers and browsers should be as different as possible: if you can, try to log in from a different network, using a different browser, on a different operating system. We suggest downloading and installing Firefox. If this works, the problem is with your browser.

Check the server status
It is possible that the server is down. You can view the status of the mail server, and read any service notices, on Riseup's status page.

Email Scams
Viruses
Everything you wanted to know about viruses but were afraid to ask
Email-borne viruses affecting Microsoft Windows are running rampant on the Internet. Here are the basic things you need to know about email viruses.

What you absolutely must know:

- Viruses always fake the return address. Viruses will appear to come from people you know, from yourself, from system administrators, or from other people you might trust. Several very common viruses pretend to come from "staff" (of whatever the mail domain happens to be). These threaten to close your account unless you take immediate action by opening the attachment (and thereby infecting your computer). Don't be fooled!
- Viruses always fake the return address. Yes, that was just said, but it bears repeating. If you receive a notice that a message you sent contained a virus, you can almost always ignore it: since viruses fake the return address, all it means is that someone else is infected and is sending out viruses that appear to be from you.
- So how did the virus get your address? It infected a computer that has sent you mail or that you have sent mail to, or it harvested your address from a web page somewhere.
- Do not open attachments from anyone, including people you know, unless you know specifically that they were going to send you an attachment. Riseup will NEVER send you any mail with an attachment.

Viruses and email lists

- If a virus is sent to your private list, it does not mean there is a breach of security. It just means that someone who is infected has both the list address and the address of a list subscriber on their computer.
- Riseup filters mail and lists for viruses, but some will get through.
- Often, a virus will attempt to subscribe you to a mailing list. How does this happen? Say you and a friend are on the same mailing list and your friend's computer is infected. The virus on your friend's computer now has your address and the subscription address of the list. Eventually, it will probably send a message to the subscription address that appears to come from you, and the list software will then send you a message asking you to confirm that you want to be subscribed.

Blocking virus email

- If you are receiving a lot of viruses and have a Riseup email account, you can block most of them by enabling a spam filter. Go to your user control panel, then click 'Spam filter'.
- Some mail clients, like Thunderbird (free software), have very good spam filtering built in and do a good job of blocking viruses.
- Riseup mail accounts and mailing lists should block all attachments that are executable. This does not always work, and some viruses arrive as executables inside a zip file.

Removing viruses from infected computers

If you opened a suspicious attachment on a Microsoft Windows computer, your computer is probably infected. Riseup suggests the Free Software anti-virus program ClamWin. As an alternative, Grisoft provides a no-cost version of its commercial anti-virus program. Mail accounts cannot get infected with a virus; it is your home computer that gets infected. If you are infected, you need to clean your computer of the virus, but your email account is fine. Do, however, change your password from a clean machine afterwards, since malware on the infected computer may have captured it.

What is it?
Phishing is when someone sends an email claiming to be an entity they are not, and uses this deception to get information. They may be after social security numbers, bank information, passwords or other sensitive information. Such emails often take the following form:

From:
To:
Subject: Account Alert

We need to verify your account details. Please reply to this message and enter your information in the following spaces. If you do not reply, you may lose access to your account.
username: _______
password: _______

If you see an email like this, do NOT reply to it.

How does it affect Riseup accounts?
Riseup accounts are a frequent target. Riseup emails will never ask for your password! If you get an email claiming to be from Riseup that asks for your password, it is not from Riseup. If you get an email that asks you to click on a link and give your account information, make sure that the address bar at the top of the browser shows the Riseup domain as the host, not merely somewhere inside the address: the host is the part between https:// and the next slash, and anything after that slash, or before an @ sign, is not the site you are talking to.
Examples:
Good: (Only enter your password on a page with an address that looks like one of these)

Bad: (DON'T enter your password on a page with an address like this)
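The host check above is easy to get wrong by eye, so here is an added example (not from the guide or from Riseup) that applies it the way a browser does: only the host between the scheme and the first slash counts, and the common tricks (the trusted name as a prefix of a different domain, the trusted name in the path, a user@ part before the real host, look-alike or non-ASCII characters, plain http) are each rejected with a reason. The trusted host names example.org and mail.example.org are hypothetical stand-ins; substitute the provider's real login hosts.

```python
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Hypothetical login hosts for the example; substitute the provider's real ones.
TRUSTED_LOGIN_HOSTS = {"example.org", "mail.example.org"}


def check_login_url(url: str, trusted: Iterable[str] = TRUSTED_LOGIN_HOSTS) -> Tuple[bool, str]:
    """Decide whether a URL is a page where the account password may be typed.

    Only the host (the part between the scheme and the first slash) counts;
    path, query, userinfo and port are where look-alike tricks live.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https: the login page would be sent in clear text"
    host = parts.hostname          # lower-cased; userinfo and port stripped
    if not host:
        return False, "no host in URL"
    if not host.isascii():
        return False, f"non-ASCII host {host!r}: possible look-alike characters"
    if "@" in parts.netloc:
        return False, f"user@host trick: the real host is {host!r}"
    if host in trusted:
        return True, f"host {host!r} is a trusted login host"
    for good in trusted:
        if host.endswith("." + good):
            # A subdomain of the trusted domain is still the provider's;
            # whether to allow it is a policy choice, so report it clearly.
            return False, f"host {host!r} is a subdomain of {good!r}, not a listed login host"
        if good in host or good in parts.path:
            return False, f"{good!r} appears inside the address but the host is {host!r}"
    return False, f"host {host!r} is not a trusted login host"


# Constructed test cases: the first two are safe, the rest are classic phishing shapes.
EXAMPLES = [
    "https://mail.example.org/login",
    "https://mail.example.org:443/",
    "http://mail.example.org/login",                  # no TLS
    "https://mail.example.org.evil.test/login",       # trusted name as a prefix
    "https://evil.test/mail.example.org/login",       # trusted name in the path
    "https://mail.example.org@evil.test/login",       # userinfo trick
    "https://mail.exampIe.org/login",                 # capital I for lowercase l
    "https://m\u0430il.example.org/login",            # Cyrillic a
]

if __name__ == "__main__":
    for url in EXAMPLES:
        ok, why = check_login_url(url)
        print("OK  " if ok else "BAD ", url, "->", why)
```

The check is deliberately strict: a legitimate URL with a user@ part, or a subdomain that is not in the list, is also refused, because for a password entry page a false alarm costs a retyped address while a miss costs the account.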

Filters and Spam Settings
A Word on Spam
Many people ask, "why me, god! Why do I get so much spam?" Well, you are not alone. Most email traffic these days is spam: a recent study showed that over 95% of the email traffic on the Internet is spam. Spammers have all kinds of tricky methods of getting your email address, including scanning web pages, creating viruses that harvest addresses from your friends' computers, and sending spam to random addresses in the hope that some will match. Most spam now comes from "zombie networks", where spammers use viruses to hijack ordinary home or office computers for the purpose of sending massive amounts of spam. There are a couple of things you can do to cut down on spam:

- Create a Spam folder: If you have a folder called Spam, any incoming mail suspected of being spam is delivered directly to that folder. Check the Spam folder periodically to make sure the filter did not misclassify a good message. The folder must be named Spam, not spam.
- Create a temporary disposable alias: A temporary alias is an alias you use for a limited time and then destroy. This is useful if you need to give your email address to a corporation or post it on a website. Once spam starts arriving at that alias, delete the alias. You can create aliases for your account by logging in to the user control panel.
- Use a mail client: Most mail clients these days have some form of spam filtering built in. We suggest Thunderbird.
- Change your email address: If you really want to cut down on spam, you can simply rename your account. The disadvantage is that you then need to notify everyone of the change, but it can be very effective.

How do I block an email address?
If you are receiving harassing email or spam and want a particular address automatically deleted, follow these steps:
1. Log in to the user control panel with your Riseup user name and password.
2. Click on Email (on the left side of the screen).
3. Click on the Mail Filters tab.
4. Click on Add filter.
5. Name the filter whatever you like, e.g. "Move to trash".
6. Under the "messages matching" section, select From and Contains, and then type the email address.
7. In the "Will be placed in folder" field type "Trash" (case sensitive: "trash" or "TRASH" will not work).
8. Click Save.

You're done! Any email from that address will automatically be moved to your Trash folder. Note: To add more addresses to be moved to the Trash, click Add condition and repeat steps 6 to 8; you do not need to create a new filter.

How do I automatically allow email to pass through my spam filter?
If a particular sender always gets sorted into your Spam folder and you want to prevent that in future, follow these steps:
1. Log in to the user control panel with your Riseup user name and password.
2. Click on Email (on the left side of the screen).
3. Click on the Spam Settings tab.
4. If you have not already done so, click the button that says Enable Custom Spam Settings.
5. Scroll down to Allow List. Add the email address that you want to let through your spam filter and click Save Changes.

Can I set up an automatic out-of-office reply?
No, Riseup does not support out-of-office replies. The most important reason is that an auto-responder replies to spam, which marks your address as one that responds and therefore makes it more valuable to spammers, so you get more spam. Auto-replies are also annoying: if you are on a mailing list, they can go out to the whole list. Riseup already has problems with being blocked as spam by major providers, and auto-replies from Riseup accounts could only make that worse.
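To make the behaviour of the two procedures above concrete, here is an added example (not Riseup's code and not part of the original guide) of a small server-side routing engine: a "Move to trash" filter with two From conditions added with "Add condition", an allow list that bypasses the spam score, and the case-sensitive folder name that makes "trash" fail. The folder set, the header used for the spam score, and the processing order (user filters, then allow list, then spam score) are assumptions for the example; the messages are constructed.

```python
from typing import Dict, List, NamedTuple

# Folder names on the server are case sensitive: "Trash" exists, "trash" does not.
# The folder set and the processing order below are assumptions for this example.
FOLDERS = {"INBOX", "Spam", "Trash"}


class Condition(NamedTuple):
    header: str   # e.g. "From"
    op: str       # "contains" or "is"
    value: str


class MailFilter(NamedTuple):
    name: str
    conditions: List[Condition]   # any matching condition triggers the filter
    folder: str


def make_filter(name: str, conditions: List[Condition], folder: str) -> MailFilter:
    """Refuse a misspelled folder at creation time instead of silently losing mail."""
    if folder not in FOLDERS:
        raise ValueError(f"unknown folder {folder!r} (folder names are case sensitive)")
    return MailFilter(name, conditions, folder)


def matches(cond: Condition, message: Dict[str, str]) -> bool:
    """Header matching is case-insensitive, like the web panel's filters."""
    actual = message.get(cond.header, "").lower()
    wanted = cond.value.lower()
    if cond.op == "contains":
        return wanted in actual
    if cond.op == "is":
        return actual == wanted
    raise ValueError(f"unknown operator {cond.op!r}")


def route(message: Dict[str, str], filters: List[MailFilter],
          allow_list: List[str], spam_threshold: float = 5.0) -> str:
    """Return the folder a message lands in.

    Assumed order: the user's own filters first, then the allow list, then the
    spam score the scanner added as an X-Spam-Score header.
    """
    for f in filters:
        if any(matches(c, message) for c in f.conditions):
            return f.folder
    sender = message.get("From", "").lower()
    if any(allowed.lower() in sender for allowed in allow_list):
        return "INBOX"   # allow-listed senders bypass the spam check entirely
    if float(message.get("X-Spam-Score", "0")) >= spam_threshold:
        return "Spam"
    return "INBOX"


# Constructed configuration: one "Move to trash" filter with two conditions,
# as built with "Add condition" in the panel, plus one allow-listed sender.
FILTERS = [
    make_filter("Move to trash",
                [Condition("From", "contains", "harasser@example.net"),
                 Condition("From", "contains", "promo@spammy.example")],
                "Trash"),
]
ALLOW_LIST = ["newsletter@trusted.example"]

# Constructed sample messages.
MESSAGES = [
    {"From": "Some Harasser <Harasser@example.net>", "Subject": "hi", "X-Spam-Score": "0.1"},
    {"From": "newsletter@trusted.example", "Subject": "SALE!!!", "X-Spam-Score": "9.8"},
    {"From": "unknown@elsewhere.example", "Subject": "SALE!!!", "X-Spam-Score": "7.2"},
    {"From": "friend@example.org", "Subject": "lunch", "X-Spam-Score": "-1.0"},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(f"{m['From']:45} -> {route(m, FILTERS, ALLOW_LIST)}")
```

Note that "From contains" is a substring test on the header as the sender wrote it, so the filter also catches the display-name form "Some Harasser <Harasser@example.net>"; and because From is trivially forged, a sender blocked this way can come back under another address, which is why the guide's other suggestions (aliases, renaming the account) exist.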

Pick a secure password
Because passwords are almost always the weakest link in any security system that uses them, the first step to better security is better password practice. Things to avoid:

- Don't pick a dictionary word.
- Don't use the same password for more than one account.
- Don't forget to change your password.
- Never tell anyone your password.

SMTP
In order to send mail, your SMTP settings must be correct.

What is SMTP?
SMTP stands for Simple Mail Transfer Protocol. It is how mail servers talk to each other to deliver mail. If you want to send any mail on the Internet, you need an SMTP server. If you use webmail, all this is handled automatically for you; you do not need to worry about which SMTP server to use. If you use a mail client, you must enter a specific SMTP server as your 'outgoing mail server'.

How do I configure SMTP?
Riseup's outgoing mail service requires authentication and a secure connection (SSL or TLS) for security and anti-spam reasons. To use Riseup as your outgoing mail server (SMTP), use these settings:

- Outgoing mail server: your Riseup secure server.
- Login or user name: your login name. For example, if your email address were joe_hill at Riseup, your login is joe_hill. This is required. If your mail client does not support authenticated SMTP, you cannot use Riseup as your SMTP server.
- Use secure connection: always. This is required. If your mail client does not support secure SMTP, you cannot use Riseup as your SMTP server. You might have the option of choosing either TLS or SSL for the secure connection. In mail-client menus, "TLS" usually means STARTTLS (the connection starts in plain text and is upgraded to encryption before the login is sent), while "SSL" means the connection is encrypted from the first byte. Both protect your login and your message; the difference that matters here is the port.
- Port: For TLS (STARTTLS), the port should be 25. For SSL, the port should be 465. Port 25 is probably blocked by your Internet provider, so you should probably choose SSL on port 465. Many clients and providers now also offer the dedicated submission port 587 with STARTTLS; check your provider's current documentation for which ports it supports.

For details on setting up SMTP for different mail clients, see the email clients chapter.

What does Relay Access Denied mean?
The error message "Relay Access Denied" is caused by one of the following problems:
1. You did not specify Riseup as the outgoing mail server.
2. You specified the wrong user name.
3. Your client is not configured to use authentication for outgoing mail. This is required.
4. Your client is not configured to use a secure connection (either TLS or SSL). This is required.
5. You enabled 'secure password authentication'. This is not actually any more secure, and is incompatible with Riseup.
6. The Riseup user database is offline. This happens on rare occasions, but it is usually back up quickly.

The full text of the error message might look like this:
The message could not be sent because one of the recipients was rejected by the server. The rejected e-mail address was ''. Subject 'test', Account: '', Server: '', Protocol: SMTP, Server Response: '554 Relay access denied', Port: 25, Secure (SSL): Yes, Server Error: 554, Error Number: 0x800CCC79

Why is my ISP blocking my outgoing mail?
Increasingly, ISPs block access to port 25, the standard port for server-to-server mail delivery. They do this because of the rise of zombie spam, where a personal computer is taken over by a virus and used as a spam engine. The solution is to use SSL instead of TLS: SSL uses port 465, which is usually not blocked.

When I try to send I get an SMTP error saying the server cannot be contacted. Am I doomed?
No; see the answer to the previous question. You cannot contact the SMTP server because your ISP is blocking your outgoing mail.
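"Relay access denied" and "I can only send to Riseup users" are the same policy seen from two sides: a submission server delivers to its own domain for anyone, but relays to other domains only for a client that has authenticated, and it refuses to accept the password until the connection is encrypted. The added example below (a constructed model, not Riseup's server code and not part of the original guide) plays both sides of that exchange for four client configurations. The provider domain example.net, the host names, the user joe_hill and the reply texts are illustrative; a real client would stop after the 530 reply instead of carrying on.

```python
import base64
from typing import Dict, List, Optional, Tuple

LOCAL_DOMAIN = "example.net"   # hypothetical provider domain


class SubmissionServer:
    """Constructed model of a submission server's relay policy (not Riseup's code).

    Rules: a recipient at LOCAL_DOMAIN is always accepted; any other
    recipient is accepted only after AUTH; AUTH is refused until STARTTLS.
    """

    def __init__(self, users: Dict[str, str]) -> None:
        self.users = users
        self.tls = False
        self.user: Optional[str] = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            return "250-mail.example.net\r\n250-STARTTLS\r\n250 AUTH PLAIN"
        if verb == "STARTTLS":
            self.tls = True                  # a real server negotiates TLS here
            return "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:                 # never take a password over clear text
                return "530 5.7.0 Must issue a STARTTLS command first"
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 5.5.4 Unrecognized authentication type"
            _, user, password = base64.b64decode(blob).decode().split("\0")
            if self.users.get(user) == password:
                self.user = user
                return "235 2.7.0 Authentication successful"
            return "535 5.7.8 Authentication credentials invalid"
        if verb == "MAIL":
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip().strip("<>")
            if rcpt.lower().endswith("@" + LOCAL_DOMAIN) or self.user:
                return "250 2.1.5 Ok"
            return "554 5.7.1 Relay access denied"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"


def submit(server: SubmissionServer, rcpt: str, user: Optional[str] = None,
           password: str = "", use_starttls: bool = True) -> Tuple[int, List[Tuple[str, str]]]:
    """Client side of the exchange; returns the RCPT reply code and the transcript."""
    commands = ["EHLO client.example"]
    if use_starttls:
        commands.append("STARTTLS")
    if user is not None:
        blob = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
        commands.append(f"AUTH PLAIN {blob}")
    commands += [f"MAIL FROM:<joe_hill@{LOCAL_DOMAIN}>", f"RCPT TO:<{rcpt}>", "QUIT"]
    transcript: List[Tuple[str, str]] = []
    rcpt_code = 0
    for cmd in commands:
        reply = server.handle(cmd)
        transcript.append((cmd, reply))
        if cmd.startswith("RCPT"):
            rcpt_code = int(reply[:3])
    return rcpt_code, transcript


if __name__ == "__main__":
    users = {"joe_hill": "correct horse battery staple"}
    scenarios = [
        ("no authentication, remote recipient", dict(rcpt="bob@elsewhere.example")),
        ("no authentication, local recipient", dict(rcpt="alice@example.net")),
        ("authenticated, remote recipient",
         dict(rcpt="bob@elsewhere.example", user="joe_hill", password=users["joe_hill"])),
        ("authentication attempted without STARTTLS",
         dict(rcpt="bob@elsewhere.example", user="joe_hill",
              password=users["joe_hill"], use_starttls=False)),
    ]
    for title, kwargs in scenarios:
        code, transcript = submit(SubmissionServer(users), **kwargs)
        print(f"== {title}: RCPT reply {code}")
        for sent, reply in transcript:
            print(f"C: {sent}\nS: {reply}")
```

The transcript for the last scenario is the one to compare with your own client: the 530 on AUTH is the server refusing a clear-text password, and the 554 that follows is the consequence, not a separate fault. The AUTH PLAIN blob is only base64, which is exactly why the server insists on TLS first.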

Downloading email
How do I download my email?
Both webmail and IMAP mail clients leave your messages on the server until you specifically delete them. To free up quota but keep your messages, you need to copy your messages from a server-based folder to a local folder. Don’t worry if your quota is not updated right away: when you delete messages, your quota usage information is not updated until you receive more email. The process varies depending on the interface of your mail client.

If you are using Thunderbird, follow these steps:

1. In the left pane, you will see a heading for Local Folders. Anything stored under this section is stored on your computer and not on the server.
2. To create a new local folder, choose the menu item File > New > Folder…. Choose to create your folder as a sub-folder of Local Folders.
3. Go back to your Inbox. From there, highlight some or all of the messages in your Inbox. You can use the search function and then select all, or just manually choose a selection.
4. Choose the menu item Messages > Move > Local Folders > Folder Name, where Folder Name is the name of the new folder you just created. Alternately, you can use the mouse to drag the selected messages to the new folder.

If you do not use Thunderbird, check your email client’s documentation for details.

Where are my folders?
Why can’t you see some of your email folders?

Are you using POP? When using POP, you will not be able to see the server-based folders which you see if you use IMAP or web mail. POP only has local folders, which are stored on your local machine.

Are you using IMAP? If you are using IMAP and you cannot see your server-based folders, then you may need to “subscribe” to these folders in your mail client in order to see them. In Thunderbird you do this by right-clicking on the Inbox and selecting ‘Subscribe’. In SquirrelMail, click ‘Folders’ at the top, and look at the ‘Unsubscribe/Subscribe’ field. If there are any folders that you are not subscribed to, they will show up in the right column, and you can select them and hit ‘Subscribe’ to subscribe to them. Otherwise, consult your mail client’s documentation for how to do this.

Tips on responding to suspected email surveillance

If you suspect that someone is already monitoring your email, you may want to create a new account and keep the old one as a decoy. Remember, though, that any account with which you have exchanged email in the past may now be under surveillance as well. As a result, you should observe some additional precautions:

1. Both you and your recent email contacts should create new accounts and connect to them only from locations, such as Internet cafes, that you have never used before. We recommend this strategy in order to prevent connections from your usual computer, which may be monitored, from giving away the location of your new account. As an alternative, if you must log in to your new account from your normal location, you can use one of the tools to remain anonymous and bypass censorship on the Internet to hide these connections.
2. Exchange information about these new email addresses only through secure channels, such as face-to-face meetings, secure instant messages or encrypted VoIP conversations. See secure chat for Skype.
3. Keep the traffic on your old account mostly unchanged, at least for a while. It should appear to the eavesdropper as if you are still using that account for sensitive communication. Presumably, you will want to avoid revealing critical information, but you should try not to make it obvious that you are doing so. As you can imagine, this may be somewhat challenging.
4. Make it difficult to link your actual identity to your new account. Do not send email between the new account and your old accounts (or the accounts of any contacts whom you think may also be monitored).
5. Be aware of what you write when using your new account. It is best to avoid using real names and addresses or phrases like 'human rights' or 'torture.' Develop an informal code system with your email contacts and change it periodically.

Remember, email security is not just about having strong technical defenses. It is about paying attention to how you and your email contacts communicate with each other, and about remaining disciplined in your non-technical security habits.

Email clients
These days, most people are more familiar with web-based mail, where you check your mail using a web browser such as Firefox or Chrome. An email client is a computer program used to manage a user's email. Popular email clients include Microsoft Outlook, Pegasus Mail, Mozilla's Thunderbird, and Apple Inc.'s Mail. Each mail client offers its own special features. Here is a good article to compare them.

Platform: Recommended Free Software Mail Clients / Other Commercial Clients
Linux: Thunderbird, Evolution, Kmail, Balsa, Mutt, Pine
Mac: Thunderbird / Apple Mail
Windows: Thunderbird, Evolution / Microsoft Outlook, Eudora
Android: K9

Why would I use a mail client?
There are many advantages to using a mail client rather than using web mail:

1. When using a mail client, you do not have to always be connected to the internet. Instead you can connect, download all your E-mail, disconnect, and read the emails when you want. This is very convenient if your connectivity is not reliable, is slow, or you have limited access. Also, you can compose E-mail anytime, save it, and send it later when you are connected to the internet.
2. Web mail is rather limited. Mail clients have many more features.
3. Mail clients are generally much faster than web mail.
4. Most mail clients allow you to manage multiple accounts all from one place. This can be very useful if you have different email accounts for different parts of your life.

There are also some disadvantages:

1. To use a mail client, you must install software on your computer and configure it specially for your account (or accounts). Some clients have a portable version.
2. Because mail clients store messages on your machine, other people can read your mail if they have access to your computer.

Can I use both web mail and a mail client?
Yes, you can switch back and forth easily. Often, people will use a mail client when at home or at work, and use the web-based email when traveling. If you do use both options, you should be familiar with the difference between IMAP and POP.

Choose IMAP or POP
Mail clients can access your mailbox using either POP or IMAP.

Storage
  POP: Your computer. When using POP, you typically download all your mail to your computer and remove it from the server.
  IMAP: Riseup server. IMAP leaves all messages on the server. Another way to think of this is that an IMAP mail client provides a view of the existing data stored on the server.
Mobility
  POP: Low. POP only works well when you predominantly check your mail from the same computer.
  IMAP: High. IMAP allows you to use many clients and keep them in sync.
Speed
  POP: Faster, since everything is just downloaded once to your computer.
  IMAP: Slower, since the mail client will query the server repeatedly.
Quota
  POP: You never need to worry about quota if your client is configured to delete messages on the server after downloading.
  IMAP: You will have limited quota.

Basic client configuration
Although some mail clients are able to automatically configure themselves, most require some basic information in order to connect to your email account. Suppose your email address is

Incoming mail server:
Outgoing mail server:
Login or user name: collective
Use secure connection: yes (This is required. The secure connection may be of type SSL, TLS or StartTLS).

Note: Don’t enable secure passwords or secure authentication. These are somewhat of a misnomer. These methods of specifying passwords require that the email server keep a cleartext copy of your password. I would consider this a security risk, so I don’t enable “secure passwords”. Because the connection to is encrypted anyway, these are not needed.

General instructions for configuring any mail client for use with your Riseup account. The basics also apply to other accounts with different servers and settings.

Generic POP
Suppose your address was

Incoming mail server:
Login or User Name: mylogin
Password: whatever your password is.
Use secure connection: yes (not optional!).

Generic IMAP
Suppose your address was

Incoming mail server:
Login or User Name: mylogin
Password: whatever your password is.
Use secure connection: yes (not optional!).

Generic Outgoing Mail (SMTP)
The outgoing mail service requires authentication and a secure connection (SSL or TLS) for security and anti-spam reasons. To use it as your outgoing mail server (SMTP), use these settings:

Outgoing mail server:
Login or User Name: your login. This is required. If your mail client does not support authenticated SMTP, you cannot use as your SMTP.
Use secure connection: Always. If you have the option of choosing TLS or STARTTLS, then do so. Otherwise, use SSL. This is required. If your mail client does not support secure SMTP, you cannot use as your SMTP.
Port: For TLS, the port should be 587. For SSL, the port should be 465. Typically, you can use the default.

Things to watch out for

1. If you have problems with secure connections, check certificates.
2. Do not enable secure passwords or secure authentication. If enabled, you will not be able to check your mail. This option does not make anything more secure since you are already using a secure connection.
3. To see your server based folders, you may need to set a folder prefix. The value should either be blank, “INBOX” or “INBOX.”, depending on your particular mail client. Leaving it blank usually works best.
4. Outbox folder: if you create a folder called ‘Outbox’, any message which you save in it will get mailed out. So be careful!

Mail client secure connections (IMAPS and POP3S)
Mail clients pick up their email and send email through insecure protocols, unless you configure them to do otherwise. This means that anyone looking at your network data can see all of your mail that is transferred, as well as (and this is the especially bad part) the username and password used to log into your email account. As you have heard us say over and over again, it’s bad to share your username and password with anyone – Riseup will never ask you for it! By using secure POP/IMAP & SMTP you are creating an encrypted connection between your computer and Riseup’s computers for your mail (and passwords) to travel on. This makes it harder for eavesdroppers to read your mail or “sniff” your password off the network.

Why should I use secure connections for my email?
The secure versions of these protocols provide a way for you to log into Riseup’s mail server without revealing your username and password to everyone listening on the internet. This is very important to Riseup because we care about your security and privacy!

1. Inter-mail server secure connections (STARTTLS)

Mail client secure connections
To get your mail client to use secure connections, you have to make some configuration changes. Don’t worry! We’ll talk about it.

General procedure
First of all, what is a mail client? A mail client is a specialized program designed specifically for checking and composing email. This might be Thunderbird, Apple Mail, Outlook, Eudora, etc. Whichever one you use is your mail client. In general terms, you need to navigate the configuration settings for your mail program and make sure that it is set to use SSL, TLS or STARTTLS on all connections (POP or IMAP & SMTP), and also make sure that you are using the correct port. If you understand how to do this, see the FAQ below for a listing of ports to use. The specific procedure to do this is going to be very different for each mail client, and sometimes is even quite different for different versions of the same software.

If you aren’t using Mozilla Thunderbird, we would like you to consider switching to it. It is a reasonably secure, easy to use, free software project that is easier for us to support. There is no harm in giving it a try! Our instructions for setting up Thunderbird are really good.

Thunderbird procedure
To make the required changes in Thunderbird, follow these steps: First, find out what version of Thunderbird you have by clicking the “Help” menu —> “About Thunderbird”.

Specific Procedure for Thunderbird 3.x series with Riseup server
To make the changes needed to enable secure connections in Thunderbird version 3.x, please follow these steps:

1. Choose “Account Settings” from the “Edit” menu.
2. Select “Server Settings” for your Riseup account after the account settings dialog box pops up.
3. In the center of the box you’ll see a heading that reads “Security Settings”. Under that heading is a drop down labeled “Connection Security”. That drop down should be set to read SSL/TLS.
4. In the upper-left corner of the dialog box there is a setting that reads “Port”. This should automatically be set, but check it to be sure. The port number should be 993 if you are using IMAP and 995 if you are using POP. There is a “Server Type” line at the top of the “Server Settings” dialog box that tells you if you are using IMAP or POP.
5. Next click “Outgoing server (SMTP)” in the left-hand pane.
6. Click once on Riseup’s SMTP server in the right-hand pane.
7. Click “Edit” on the far right of the dialog box.
8. Set “Connection Security” to SSL/TLS.
9. Make sure the “Port” setting is set to 465.
10. Click “OK”, then click “OK” again.

At no point in time should you change the “Authentication Method” setting – it should always say “Normal Password”. Your work here is done!!! Yay!

Specific Procedure for Thunderbird 2.x series (consider upgrading to 3.x!) with Riseup

1. Choose “Account Settings” from the “Tools” menu.
2. Select “Server Settings” for your Riseup account after the account settings dialog box pops up.
3. In the center of the box you’ll see a heading that reads “Security Settings”. Choose “SSL”. DO NOT check the box that says “Use Secure Authentication”.
4. In the upper-left corner of the dialog box there is a setting that reads “Port”. This should automatically be set, but check it to be sure. The port number should be 993 if using IMAP and 995 if using POP. There is a “Server Type” line at the top of the “Server Settings” dialog box that tells you if you are using IMAP or POP.
5. Next click “Outgoing server (SMTP)” in the left-hand pane.
6. Click once on Riseup’s SMTP server in the right-hand pane.
7. Click “Edit” on the far right of the dialog box.
8. Set “Use Secure Connection” to “SSL”.
9. Make sure the “Port” setting is set to 465.
10. Click “OK”, then click “OK” again.

Your work here is done!!! Yay!

Q: What is POP/IMAP & SMTP?
A: POP and IMAP are common protocols that are used by software to retrieve mail from a remote mail server. Usually you will use one or the other of them, but not both at the same time. SMTP is another common mail transfer protocol, but this one is used to send mail from your computer to the mail server.

Q: If I’m configuring my mail software myself, what port numbers should I use?
A: For POP connections using SSL or TLS, use port number 995. For POP connections using STARTTLS use port number 110. For IMAP connections using SSL or TLS use port number 993. For IMAP connections using STARTTLS use port number 143. For SMTP connections using SSL or TLS use port number 465. For SMTP connections using STARTTLS use port number 25.
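The port table above is easy to get wrong in a client's settings dialog: selecting SSL on a STARTTLS port (or the reverse) simply fails to connect, and ticking "secure authentication" breaks login for the reasons given earlier. The script below is an added example, not part of this book or of Riseup's documentation. It encodes the table as data and lists the problems with a proposed configuration; it also accepts 587 for SMTP with STARTTLS, since the Thunderbird and Eudora sections of this book use that submission port.

```python
"""Added example (not from the book): check mail client connection settings
against the port table given in the FAQ above."""

# Port table from the FAQ: protocol -> security mode -> accepted ports.
# "ssl" means SSL/TLS from the first byte (IMAPS, POP3S, SMTPS);
# "starttls" means a plaintext connection upgraded with STARTTLS.
# SMTP with STARTTLS lists 587 as well as 25 because the Thunderbird and
# Eudora sections of the book use the submission port 587.
EXPECTED_PORTS = {
    "pop":  {"ssl": {995}, "starttls": {110}},
    "imap": {"ssl": {993}, "starttls": {143}},
    "smtp": {"ssl": {465}, "starttls": {25, 587}},
}


def check_settings(protocol, security, port, secure_auth=False):
    """Return a list of problems with the proposed settings.

    protocol:    "pop", "imap" or "smtp"
    security:    "ssl", "starttls" or "none"
    port:        the port number configured in the client
    secure_auth: whether the client's "secure authentication" /
                 "secure password" box is ticked
    An empty list means the settings match the table and are safe to use.
    """
    problems = []
    proto = protocol.lower()
    sec = security.lower()
    if proto not in EXPECTED_PORTS:
        return [f"unknown protocol {protocol!r}"]
    if sec == "none":
        # Nothing else matters: the password and every message cross the
        # network in the clear.
        return ["no transport security: username, password and mail are sent in the clear"]
    if sec not in EXPECTED_PORTS[proto]:
        return [f"unknown security mode {security!r} (use 'ssl' or 'starttls')"]
    accepted = EXPECTED_PORTS[proto][sec]
    if port not in accepted:
        expected = ", ".join(str(p) for p in sorted(accepted))
        other = "starttls" if sec == "ssl" else "ssl"
        hint = ""
        if port in EXPECTED_PORTS[proto][other]:
            # The classic mismatch: right port, wrong security mode.
            hint = f" (port {port} is the {other} port for {proto.upper()})"
        problems.append(f"{proto.upper()} with {sec} uses port {expected}, not {port}{hint}")
    if secure_auth:
        problems.append("'secure authentication' is not needed over an encrypted connection "
                        "and the book says the server does not support it")
    return problems


def describe(protocol, security, port, secure_auth=False):
    """Human-readable verdict for one configuration."""
    problems = check_settings(protocol, security, port, secure_auth)
    if not problems:
        return f"{protocol.upper()} {security} on port {port}: OK"
    return f"{protocol.upper()} {security} on port {port}: " + "; ".join(problems)


if __name__ == "__main__":
    # Constructed configurations, including the mistakes the book warns about.
    for cfg in [("imap", "ssl", 993), ("imap", "ssl", 143), ("smtp", "starttls", 587),
                ("pop", "none", 110), ("imap", "starttls", 143, True)]:
        print(describe(*cfg))
```

The check deliberately stops at the first fatal finding (no transport security) rather than listing port details for a configuration that must not be used anyway.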

Thunderbird IMAP with Riseup account
NOTE: you need to enable secure connections before you can use Riseup mail. The first time you run Thunderbird, it will run through a wizard and ask you some settings questions; by default it will set you up with an unencrypted connection and then immediately try to check your email in an insecure way! After you finish the wizard, do not type in your password when the server asks you for it; instead click Cancel. Before you can continue, you will need to set up the encrypted connection settings; to do that, make sure you follow through and configure your IMAP account. See also the Thunderbird section for more information about how to install it and use it with PGP.

Adding a New IMAP Account
Start the Account Wizard
The first time you run Thunderbird, the account wizard will walk you through setting up an account. When the wizard runs, it will set you up with an unencrypted configuration to Riseup! This is bad, and you absolutely need to change this configuration before you continue. Riseup will not work with unencrypted connections! Once you have followed the instructions below, be sure to set up the encrypted connection by configuring your IMAP account settings. If the wizard does not open, you can do this:

1. Choose the menu item Edit > Account Settings… (if you have an older version of Thunderbird, account settings might be under the Tools menu).
2. Click the Add Account… button.

Step One: Mail Account
Once the new account wizard is open, you will see this:

1. Select Email account.
2. Click the Next button.

Step Two: Identity

1. For Your Name, put whatever you want.
2. For Email Address, put your full email address, e.g. ‘’.
3. Click the Next button.

Step Three: Server Information

1. Select ‘IMAP’ for type of incoming server.
2. For incoming server, put ‘’.
3. For outgoing server, things get a little complicated. If there is already an outgoing server configured, then the settings for this account will use that configuration. If you haven’t yet configured an outgoing server, enter ‘’ for now. It will not work, but will get us to the next question. For configuring the outgoing server, see below.
4. Click the Next button.

Step Four: User Names

1. For User Name, put your mail login. For example, if your email address was, your user name would be ‘mylogin’.
2. Click the Next button.

Step Five: Account Name

1. For Account Name, put whatever you want. This will be the label attached to this account in the list of accounts which appears on the left side of the Thunderbird window.
2. Click the Next button.

Step Six: Finish

1. Hit Finish. This new account will not be fully functional until you make some additional configurations. See the next step, below.

Configuring your IMAP Account
Open Account Settings

If the window Account Settings is not open, choose the menu item Tools > Account Settings… (If you have an older version of Thunderbird, account settings might be under the Tools menu).

Server Settings

Server Type: IMAP Mail Server
Server Name: (recommended, but you can use another safe server)
User Name: joe_hill (typical name)

Security Settings

1. Click on “Server Settings”.
2. Make sure you are using TLS and port 143 – riseup will not work with unencrypted connections! If port 143 doesn’t work, use 993 with SSL.
3. Use secure connection: TLS (or if port 143 doesn’t work, then use SSL).
4. Use secure authentication: no! It will not work with this option checked.

If you have trouble, try using SSL and port 993.

Server Settings

1. When I delete a message: Remove it immediately. This option will make deleting mail much faster than the other options. But don’t worry, even though you tell Thunderbird to delete the message immediately, it will still end up in your server-side Trash folder.
2. Empty Trash on Exit: If you don’t want your deleted messages lingering around, then check this option. Otherwise, messages in the Trash are deleted after three weeks.

Copies and Folders
Here, you have the option of using the Sent and Drafts folders which are stored on the server or the ones which are stored locally. It is up to you which one you decide to use. Choosing a local Sent folder usually makes it faster to send mail, but then you don’t have access to your sent mail when using the web mail interface.

Composition & Addressing
This section contains a few options for how you compose new mail.

Compose message in HTML format: we suggest NO because not everyone can read HTML messages (especially those who are using screen readers due to difficulties seeing), but it is up to you.

Offline & Diskspace
Now you configure Thunderbird to keep a local copy of certain server-side folders. By doing this, you make it much faster to access and search the content of those messages. Thunderbird will then sync your data with the server when you make changes.

Make the messages in my Inbox available when I am working online: check this item.

Outgoing server (SMTP)
At the bottom of the list of accounts, you will see a section to add and configure SMTP servers.

Server Name:
Port: 587
Check the box that says “Use name and password”.
User Name: joe_hill (don’t put here)
Newer versions of Thunderbird (version 3.0 and up) will have “Use secure authentication” here; do not check this box.
Older Thunderbird will have “Use secure connection” here; if you have this version, then choose TLS.
Newer Thunderbird will instead have a “Connection security” drop down menu; choose STARTTLS.

NOTE: If these settings are not exactly like this, you will not be able to send mail! If for some reason it doesn’t work, you can try port 465 with SSL instead of port 587 with TLS.

Verifying Riseup’s Certificates
The first time you connect to Riseup, you should verify our certificate. To do this, click on “Examine Certificate.” Double-check that the fingerprint of the certificate is the same as the one we say it should be.
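The fingerprint check above is something a mail client does in a dialog, but the same comparison can be scripted. The following Python program is an added example, not Riseup's or this book's code: it opens an IMAP connection with chain and hostname verification turned on (over IMAPS on port 993, or plain IMAP upgraded with STARTTLS on port 143, the two port pairings used in this section), reads the server certificate, and refuses to proceed unless its fingerprint equals the one the provider published. The hostname and the expected fingerprint are placeholders; the provider's real values go there.

```python
"""Added example (not Riseup's or the book's code): open an IMAP connection
with certificate verification and additionally compare the server
certificate's fingerprint with the one the provider publishes.

Assumptions: IMAP_HOST and EXPECTED_FINGERPRINT are placeholders; replace
them with the real server and the fingerprint printed on the provider's
certificate page. Only the pure fingerprint helpers run offline.
"""
import hashlib
import hmac
import imaplib
import ssl

IMAP_HOST = "mail.example.org"     # placeholder, not a real server
IMAPS_PORT = 993                   # IMAP over SSL/TLS (book's port table)
IMAP_STARTTLS_PORT = 143           # plaintext IMAP upgraded with STARTTLS
# Placeholder: copy the fingerprint your provider publishes here.
EXPECTED_FINGERPRINT = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"


def fingerprint(der_cert, algo="sha256"):
    """Colon-separated hex digest of a DER-encoded certificate, in the form
    Thunderbird's certificate viewer shows it."""
    digest = hashlib.new(algo, der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert, expected):
    """True if the certificate's digest equals the published fingerprint.

    The algorithm is inferred from the fingerprint length (40 hex digits
    for SHA-1, 64 for SHA-256); colons, spaces and case are ignored.
    """
    norm = expected.replace(":", "").replace(" ", "").lower()
    algo = {40: "sha1", 64: "sha256"}.get(len(norm))
    if algo is None:
        raise ValueError("fingerprint must be SHA-1 (40 hex digits) or SHA-256 (64)")
    actual = hashlib.new(algo, der_cert).hexdigest()
    return hmac.compare_digest(actual, norm)


def connect_imap(host, expected_fp, use_starttls=False):
    """Connect over IMAPS (port 993) or plain IMAP + STARTTLS (port 143),
    verify the chain and hostname, then check the pinned fingerprint.

    Raises ssl.SSLError if the fingerprint does not match, so a
    certificate that is valid but not the provider's is rejected too.
    """
    ctx = ssl.create_default_context()   # chain + hostname verification on
    if use_starttls:
        conn = imaplib.IMAP4(host, IMAP_STARTTLS_PORT)
        conn.starttls(ssl_context=ctx)   # upgrade before any credentials are sent
    else:
        conn = imaplib.IMAP4_SSL(host, IMAPS_PORT, ssl_context=ctx)
    der = conn.sock.getpeercert(binary_form=True)
    if not fingerprint_matches(der, expected_fp):
        conn.shutdown()
        raise ssl.SSLError("server certificate fingerprint does not match the published one: "
                           + fingerprint(der))
    return conn


if __name__ == "__main__":
    conn = connect_imap(IMAP_HOST, EXPECTED_FINGERPRINT)
    print("connected; certificate fingerprint",
          fingerprint(conn.sock.getpeercert(binary_form=True)))
    conn.logout()
```

The fingerprint comparison happens before any LOGIN is sent, which is the point of the exercise: a certificate that passes chain validation but belongs to someone other than the provider still never sees the password.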

Offline IMAP
Offline IMAP is a command line program written in Python which can be used to sync your remote IMAP account to local Maildirs on your computer. This is an advanced topic: you should not attempt to use offline IMAP unless you understand all the words in the previous sentence.

Install
On Debian or Ubuntu, you would do this:

% sudo apt-get install offlineimap

On Mac OS X, visit:

Configure
~/.offlineimaprc

[general]
accounts = riseup

[Account riseup]
localrepository = localriseup
remoterepository = remoteriseup
# re-sync every 10 minutes when running continuously
autorefresh = 10

[Repository localriseup]
type = Maildir
localfolders = ~/mail

[Repository remoteriseup]
type = IMAP
ssl = yes
remotehost =
remoteuser = <your login>
remotepass = <your password>
# only sync the folders listed here
folderfilter = lambda foldername: foldername in ['INBOX', 'INBOX.Sent', 'INBOX.Drafts', 'INBOX.Mistakes']

Run
In a shell window, run ‘offlineimap’. Alternately, you can choose to run it from cron.

Mail clients that support maildir
On Linux, there is mutt for the console and Evolution for gnome.
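The `ssl = yes` line above makes OfflineIMAP use TLS, but on its own it does not tell OfflineIMAP which CA bundle to check the server certificate against; the remote repository also needs `sslcacertfile` for the certificate to be verified, which is the same check the Thunderbird certificate section asks you to do by hand. The fragment below is an added example, not from the book; `sslcacertfile` is a real OfflineIMAP option, the CA bundle path is Debian's and is an assumption for other systems, and the host is a placeholder.

```ini
# Added example (not from the book): remote repository with certificate
# verification turned on. sslcacertfile is a real OfflineIMAP option; the
# bundle path below is Debian's and is an assumption for other systems.
[Repository remoteriseup]
type = IMAP
ssl = yes
sslcacertfile = /etc/ssl/certs/ca-certificates.crt
remotehost = <your IMAP server>
remoteuser = <your login>
remotepass = <your password>
folderfilter = lambda foldername: foldername in ['INBOX', 'INBOX.Sent', 'INBOX.Drafts', 'INBOX.Mistakes']
```

With the bundle configured, a connection to a server presenting a certificate that does not chain to a trusted CA fails instead of silently syncing your mailbox and password through it.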

Outlook
NOTICE: We consider Outlook to be a broken mail client. Riseup mail does not officially support Outlook. Some people can get Outlook working, some can’t. We highly encourage people to switch to Thunderbird.

These instructions are for Windows only: the Mac version of Outlook is called Entourage. If you have any recent version of Microsoft Office installed on your computer, you have Microsoft Outlook, which is the full-featured (bloated) version of Outlook Express. Here’s how to set up Microsoft Outlook to use your Riseup account.

If you are setting up Outlook for the first time, you will be prompted to enter your full name, email address, etc. If you’re asked to enter a server, enter When it asks what kind of server it is, select POP3. When it says “you’re finished!”, you’re not done yet…

1. Go to Tools, then to Accounts.
2. Go to the Mail tab and click on the Riseup server listed there. (You can rename the server’s display name at any time; for example, Riseup Email Account.)
3. Go to the Servers tab. Make sure both your incoming (POP3) and your outgoing (SMTP) servers are, unless you have a different outgoing server your ISP provides. (I’ll get to that in a minute.)
4. Enter your username and password in the appropriate fields, check the box under Outgoing server that says “My server requires authentication,” click Settings, and make sure “Use the same settings as incoming server” is selected.
5. Click over to the Advanced tab and look under Server Port Numbers (the top). Under “Outgoing Mail (SMTP),” there will be a box marked “This server requires a secure connection (SSL).” Check that box, but leave that option for the Incoming Server (POP3) blank.
6. Now, make sure that the outgoing mail server port number is set to 467.
7. Click OK and apply all the settings you made.
8. If you are not using as your outgoing server, all you need to do is enter the server you will be using in the Outgoing Mail (SMTP) field of the Servers tab. Most ISPs will not require the setting “My server requires authentication” or “This server requires a secure connection.”

Eudora
NOTE: Riseup recommends that you do NOT USE EUDORA. People report lots of problems when using Eudora with

Eudora is pretty easy to set up, even for a non-geek like myself. You can use it to compose emails offline and store them until you log on. You can get a free copy (with non-intrusive advertising) from

As per general setup instructions: fill in the values as below by going to the ‘tools’ menu at the top of the window.

Tools > Options > Getting Started

Real Name: pseudonym of your choice
Return Address:
Mail Server (incoming):
Login Name: yourusername
SMTP Server (Outgoing):
Check ‘allow authentication’.

Tools > Options > Checking Mail

Mail Server:
Login Name: yourusername
Check ‘don’t check without network connection’ if you use a POP connection.
Secure Sockets when Receiving: check ‘If Available, STARTTLS’.

Tools > Options > Incoming Mail

Check the IMAP box.
Check ‘minimal headers only’ if you don’t want the entire email to be loaded onto your computer (until you read it), or ‘full message except attachments over’ if you want the body of the email downloaded.

Authentication style: check passwords

Tools > Options > Sending mail

Return Address:
Domain to add to unqualified addresses: (optional)
SMTP server:
If you have the option to set a port, set it to 587.
If you have the option to pick a secure connection, please pick STARTTLS, or maybe it will be TLS.
If either of the two above options exist for you, please let us know so we can update this document!

Pine
Pine is a text based mail client from the University of Washington. It is available for Unix, Linux, DOS, and Windows from

These instructions are for when you are running Pine from your home computer. You can also run pine directly on the mail server, but in that case it is already configured for you. How to configure the alpine mail client to send and receive Riseup mail:

Run the client by typing alpine in a shell. You can also run it with screen, if you have screen installed and wish to leave it running. It will ask if you want to create a mail directory. It doesn’t matter what you answer, since you won’t be using it unless you also have mail on your linux box.

The client will dump you at the main menu after the question. Now, the fun begins:

1. Type s to go to the setup menu.
2. Type c to go into the config.

Once in the Config it will give you some familiar options if you’ve configured a mail client before. Hit enter to configure a value and enter to save it.

For personal name, enter your name or whatever you want to display as the sender.
For user domain, enter
For the smtp server, enter, replacing RISEUPLOGIN with whatever you use to login to riseup mail.
Skip nntp unless you want to add a news server (out of the scope of this how-to).
For inbox path, enter (again replacing RISEUPLOGIN); when you hit enter it will ask what folder to use. Just hit enter again for the default.

That will be all for basic functionality and to begin sending and receiving mail. Hit e to exit the setup and y to save.

To configure aliases with alpine
Return to the main menu and hit s for setup again. Then:

1. Hit r for rules. It will ask you what type of rule to set up.
2. Hit r for roles.
3. Hit a to add a role.

Again, enter to configure a value and enter to save it.

First change the nickname to something you will remember. I use the part before the @ symbol in the address as the name of the rule. Skip down the list quite a ways until you arrive at the section titled ‘actions begin here’. Change ‘set from’ to NAME<>. Then set ‘reply-to’ to
You guessed correctly, NAME and ALIAS would be your name and alias respectively. Skip down to the section entitled ‘uses begin here’; this is where you set when you want to use the alias. I set all of them to “without confirmation”, so that it will just use the top one by default and the others when I want it to.

To use an alias besides the default
There are three methods:

1. Hit # at the menu instead of the default c for compose. This will ask you which role you want to use to send the message.
2. Another is to set all or some of them to “with confirmation” and alpine will ask you if you want to use the top role. You could then use that role or choose another.
3. The last method is to hit s at the main menu to display the setup and then c for config. Under composer preferences the second option is alternate compose menu. If you switch that on it will give you role options when composing a message.

.pinerc configuration entries
For secure IMAP:

folder-collections="" {}INBOX.[]

(that is all on one line)

K-9 Mail for Android
While Android's Gmail client is pretty sweet, its regular IMAP client leaves a little bit to be desired. For its flexibility and configurability, we recommend K-9 Mail to manage all your non-Gmail accounts on Android.

Setting up an email account
When starting K-9 Mail for the first time you are greeted with a welcome screen. Click "Next" to start the account creation wizard. Alternatively, if you've already set up K-9 Mail and you want to add an additional mailbox account, go to the Home Screen, tap the menu button and select "Add account".

First you are asked for your email address and password. The buttons "Manual setup" and "Next" are only activated after a correctly formatted email address and a password have been typed in.

If you choose "Next" and the domain part of your email address is known to K-9 Mail, the connection settings for the incoming and outgoing server are automatically set up for you. This is the case for some large email providers, e.g. Gmail, Yahoo!, and AOL.

Configuring the incoming server
If the domain is unknown to K-9 Mail or the "Manual setup" button is used, you have to manually enter your server settings. But first you are asked for the account type. Available options are POP3, IMAP, and WebDAV (supported by Exchange versions up to 2007).

All of these are names of protocols to access your mailbox. If your email provider supports it, we strongly recommend you use IMAP. It is superior to the others and well supported by K-9 Mail. The following chapters describe the steps necessary to set up an account using the given protocol.

IMAP
The following two images show all the IMAP related settings. Later we describe them in detail. Note that on a smartphone, your popped-up soft keyboard may be covering some of these entry fields; don't forget to scroll.

Username: This is the username that's needed to authenticate to the IMAP server. The field is initialized with the user part of your email address. Some servers are ok with this; some, generally those which support multiple domains, require that you fill in your entire email address here.

Password: Here you enter the password to access your emails. The password you entered at the first step of the account creation process is pre-entered here, so you shouldn't need to change it. This password is the one which an administrator set for you or gave to you, which you use to retrieve mail from the mailbox.

IMAP server: This is the hostname or IP address of your IMAP server. Note that this address must resolve to your mail server no matter what network you're connected to -- if you provide a name or IP that's only resolvable inside your private network, that's the only place you'll be able to pick up email. Some firewalls can also cause trouble here. If K-9 can't otherwise guess, it will fill in mail.$DOMAINNAME here.

Security type: This specifies the cryptographic protocol that should be used when connecting to your IMAP server. Available options are:

None: This doesn't use any transport security at all.
SSL (if available): SSL/TLS is used but the certificate isn't checked.
SSL (always): SSL/TLS is used and the certificate presented must be valid.
TLS (if available): The STARTTLS method is used if available; the certificate isn't checked. If STARTTLS is not available, no encryption is used at all and email will be moved in the clear.
TLS (always): The STARTTLS method is used and the certificate is checked for validity.

Note: Avoid using the options "None", "SSL (if available)", and "TLS (if available)" if you can.

Authentication type: This specifies which authentication method to use after you have a valid, hopefully encrypted, connection. Available options are:

PLAIN: This is the default method. You shouldn't need to change this.
CRAM_MD5: Use this if your server doesn't support transport security but supports the CRAM_MD5 authentication method.

Port: This is the port number the IMAP server is listening on. Most of the time you don't want to change this. It will generally be port 143 for non-encrypted connections, 993 for encrypted ones (IMAPS) or occasionally you might need to use 585 (IMAP4-SSL). If your port number is something else, the mail server administrator should have told you.

IMAP path prefix: The content of this field is prepended to IMAP folder names before use. The main usage is to manually select which IMAP namespace to use. As the entry field notes, this can be automatically guessed, so usually you don't need to change this. (IMAP exposes your mailbox, any internal folders, and usually such things as pre-saved searches and your contacts list all as parts of a folder/directory tree, as you see them from a remote client like K-9.)

Use compression on network: If your server supports compression (DEFLATE) it is used on the selected networks to minimize the amount of data transferred. Selecting this, even if your server doesn't support compression, doesn't cause problems. So there should be no need to change these.

After clicking "Next" K-9 Mail tries to connect to the server to verify the settings. This means you need to have a working network connection to continue the setup.

Skip down now to Configuring the outgoing server.

POP3
POP3 mailbox setup is almost identical to IMAP, except that there is no Path Prefix or Compression available, and the port numbers are 110 for non-secure or 995 for secure connections. There's one additional question:

Show only subscribed folders: This shows only subscribed folders. [ It's not clear to me where the subscription takes place, there; POP3 generally only provides access to your inbox from the server, as that's all it has; all foldering and message storage is local in POP, whereas in IMAP the messages all live on the server. --Baylink ]

WebDAV (Exchange)
This is also similar to setting up an IMAP mailbox, except that the port will be 80 (non-secure) or 443 (secure), and three additional configuration options are prompted for: Mailbox Alias, OWA Path, and Authentication Path. Your server admin will need to provide these, if you need to use them.

Configuring the outgoing server
To be able to send mail K-9 Mail needs to know the settings for your provider's SMTP server. In this step of the account creation process you have to provide those details. Below is an explanation of the different settings. In certain circumstances, you may need to use a different outgoing server than you'd expect; we'll discuss those later. Because of the nature of email service, you often (if not always, these days) send outgoing mail to one server, but pick up incoming mail from a separate one; this is why many of the items below say "this is often, but not always, the same as the setting for incoming mail". Additionally, you can sometimes use one outgoing mail server (often a private or corporate one) for all outgoing mail, bypassing the standard outbound mail servers which you'd otherwise use for a given mailbox. We won't get too deeply into these cases; if you can do this, you probably already know how.

SMTP server: This is the hostname or IP address of your SMTP server. As above, this name or IP must be accessible from any network from which you may want to send mail, whether your cellular carrier's WAN or a private LAN via wifi. See below for more details if you have trouble.

Security type: This specifies the cryptographic protocol that should be used when connecting to your SMTP server. Available options are:

None: This doesn't use any transport security at all.
SSL (if available): SSL/TLS is used but the certificate isn't checked.
SSL (always): SSL/TLS is used and it's checked if the certificate is valid.
TLS (if available): The STARTTLS method is used if available; the certificate isn't checked. If STARTTLS is not available, no encryption is used at all.
TLS (always): The STARTTLS method is used and the certificate is checked for validity.
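What each of these five options actually guarantees, for both the IMAP and the SMTP side, as an added example (not K-9 Mail's code): the policy function encodes the descriptions above, and connect_imap_strict shows the "SSL (always)" behaviour with Python's standard library. The Server model and the CAPABILITY line are constructed.

```python
"""Added example (not K-9 Mail's code): what each "Security type" guarantees,
encoded from the descriptions above, plus a standard-library IMAP connector
that behaves like "SSL (always)". The Server model is constructed."""
import imaplib
import ssl
from dataclasses import dataclass

# How a connection attempt can end, from the client's point of view.
PLAINTEXT = "plaintext"                                      # password and mail readable on the wire
ENCRYPTED_UNVERIFIED = "encrypted, certificate not checked"  # any host can pose as the server
ENCRYPTED_VERIFIED = "encrypted, certificate verified"
ABORT = "client refuses to connect"


@dataclass
class Server:
    """Constructed model of what the server, or whatever sits in the path, offers."""
    starttls_offered: bool   # does the CAPABILITY reply on the plain port list STARTTLS?
    cert_valid: bool         # does the certificate chain and hostname check out?


def parse_capabilities(line: bytes) -> set:
    """Capability tokens from an untagged IMAP "* CAPABILITY ..." response line."""
    text = line.decode("ascii", "replace").strip()
    words = text.split()
    if len(words) < 2 or words[0] != "*" or words[1].upper() != "CAPABILITY":
        raise ValueError("not a CAPABILITY line: %r" % text)
    return {w.upper() for w in words[2:]}


def outcome(security_type: str, server: Server) -> str:
    """Apply the semantics the manual gives for each option (same for IMAP and SMTP)."""
    if security_type == "None":
        return PLAINTEXT
    if security_type == "SSL (if available)":
        return ENCRYPTED_UNVERIFIED            # TLS on the dedicated port, certificate ignored
    if security_type == "SSL (always)":
        return ENCRYPTED_VERIFIED if server.cert_valid else ABORT
    if security_type == "TLS (if available)":
        # Opportunistic STARTTLS: quietly drops to cleartext when the capability
        # is absent, whether the server lacks it or something in the path hid it.
        return ENCRYPTED_UNVERIFIED if server.starttls_offered else PLAINTEXT
    if security_type == "TLS (always)":
        return ENCRYPTED_VERIFIED if (server.starttls_offered and server.cert_valid) else ABORT
    raise ValueError("unknown security type: %r" % security_type)


def can_be_downgraded(security_type: str) -> bool:
    """True if some server behaviour leads to cleartext or an unverified peer."""
    results = {outcome(security_type, Server(s, c)) for s in (True, False) for c in (True, False)}
    return bool(results & {PLAINTEXT, ENCRYPTED_UNVERIFIED})


def connect_imap_strict(host: str, port: int = 993) -> imaplib.IMAP4_SSL:
    """The "SSL (always)" behaviour: implicit TLS with chain and hostname
    verification; raises ssl.SSLCertVerificationError on a bad certificate."""
    ctx = ssl.create_default_context()                 # CA-verified, hostname-checked
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
```

The three options the Note above tells you to avoid are exactly those for which can_be_downgraded returns True.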

Port: The port number your provider's SMTP server is listening on. This may be 25, 465 or 587, depending on the configuration and transport security settings of your server and K-9.

Require sign-in: Tells K-9 Mail whether or not it will be expected to authenticate to the server. In almost all cases this needs to remain checked.

Authentication type: This specifies which authentication method to use. Available options are:

PLAIN: This is the default method. You shouldn't need to change this.
CRAM_MD5: Use this if your server doesn't support transport security but supports the CRAM_MD5 authentication method.

Username: The username that's needed to authenticate to the SMTP server. This is usually equal to either the left-hand side of, or the entire, email address; your mail server operator should have told you what to use as an Outgoing username -- and it will commonly be identical to the incoming username, though not always.

Password: The password that's needed to authenticate to the SMTP server. This is often, though not always, identical to the password for the incoming server.

To complete the outgoing server configuration click "Next". And again, K-9 Mail tries to connect to the server to verify the settings you just entered.

Account options
After successfully setting up the incoming and outgoing servers, you can now configure some basic settings on how often K-9 Mail checks for new messages, if you want to be notified of new mail, etc. These settings are specific to each account/mailbox you configure; you can set them differently for different mailboxes.

Folder poll frequency: Here you specify at what interval K-9 Mail should check the incoming server to see if there are new messages. Available options are: Never, Every minute, Every 5 minutes, Every 10 minutes, Every 15 minutes, Every 30 minutes, Every hour, Every 2 hours, Every 3 hours, Every 6 hours, Every 12 hours, Every 24 hours.

Enable push mail for this account: This option is only available for IMAP accounts. When it is enabled a long-lived connection to the IMAP server is established so K-9 Mail can be notified by the server when a new message has arrived. When this is set, you do not need to select a poll frequency, because you do not poll. This generally decreases power consumption in addition to decreasing delivery notification delay, and is a good enough thing that it can be worth selecting a mailbox on the ground that the provider supports IMAP IDLE.

Number of messages to display: This value determines how many messages are kept locally cached and displayed. Available options are: 25 messages, 50 messages, 100 messages, 250 messages, 500 messages, 1000 messages, all messages. Higher values have some performance implications.

Notify me when mail arrives: If this is checked you are notified when a new message has been downloaded in this mailbox. Notification type (LED, vibration) and ringtone can be configured later.

Notify me while mail is being checked: If this option is enabled K-9 Mail will inform the user when an account is being synchronized by displaying a message in the Android title bar.

Last step
To complete the account creation you have to fill out the following two fields:

Give this account a name (optional): This is the name of the account that will be displayed in the account list. If you leave this field empty the email address associated with this account will be used.

Type your name: This will be used as your name for messages sent using this account.

Once you've done this, click Save, and the account will be completely set up. It will start to attempt to retrieve mail immediately, and this can sometimes be troublesome. If you don't want it to do this, the only thing you can presently do to avoid it is to disable your data connections (Wifi, 3G, 4G) before clicking that last button. You can now set up additional accounts, if necessary, by choosing Menu->Add Account from the Home Screen -- the screen which displays the Unified Inbox and All Messages pseudofolders as well as each of your mailboxes.

Setup a Gmail account in K-9
Account Type (POP, IMAP, Exchange): IMAP

Incoming Server:
Username:
Password: yourPassword
IMAP server:
Security Type: SSL (always)
Authentication Type: PLAIN
Port: 993

Outgoing Server:
SMTP server:
Security Type: TLS (always)
Port: 587
Check the “Require Sign-in.” box
Authentication type: PLAIN
Username:
Password: yourPassword

Reading Messages
K-9 will display a notifier on the window-shade for each mailbox which has new messages. When you tap on this notifier, you will be taken to either the Folder List or the Unread Message List for that mailbox/account, depending on the setting of Account Settings->Notifications->Notification Opens Unread for that account. If you have not turned that setting on, you can tap Inbox to be taken into it.

At this point, you're looking at a Message List -- a list of all (or only the unread) messages in a given folder; in this case, the Inbox folder for that email account. This list will display message titles (in bold if not yet read), a time or date (depending on the age of the message), and either the sender's email address or "real name". It may also display a short preview of the body text of the message, a Star icon for flagging messages and/or a multi-select checkbox, if you've enabled those options in Global Settings->Display.

At this point, you can tap on a message in the list to open it for reading, or long-press to get the message's Context Menu, which contains these options, on a scrolling pop-up menu with the message's title at its top:

Open - Select - Delete - Forward - Reply All - Reply - Send Again - Mark as Unread - Archive - Spam - Move - Copy - Share - More from this sender

K-9's folder class system
"Folder display mode" determines which folders are to be displayed. There are four choices:

All: All folders are displayed.
Only 1st Class folders: Only folders that were explicitly set to be 1st Class for their "display class" or "sync class" are shown or automatically synchronized.
1st and 2nd Class folders: Only folders that were explicitly set to be either 1st Class or 2nd Class for their "display class" or "sync class" are shown or automatically synchronized.
All except 2nd Class folders: All folders are shown, except those that are selected to be in 2nd Class for their display class.

Example: Just a few folders
I want to see just my Inbox, Janet and Carl folders, and want all of those to be automatically synchronized. (Imagine I have 100 other folders that I do not want to see.)

Setting    Display mode/class        Sync mode/class
Account    Only 1st Class folders    Only 1st Class folders*
Inbox      1st Class                 Same as display class
Janet      1st Class                 Same as display class
Carl       1st Class                 Same as display class
John       None                      Same as display class

* You could use All, instead, for the Account "Folder sync mode", because only displayed folders are automatically synchronized. However, if you switched to displaying all folders, K-9 would then automatically sync all folders, which might be time consuming and battery draining.
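The display and sync rules above, including the footnote, applied to the "just a few folders" account, as an added example (not K-9 Mail's own code); the folder names beyond the table and the 100 extra folders are constructed.

```python
"""Added example (not K-9 Mail's own code): the folder display/sync class rules
from the text applied to the "just a few folders" account. The 100 extra
folders are constructed."""
from dataclasses import dataclass

# Folder classes and the modes an account can be set to, named as in K-9.
FIRST_CLASS = "1st Class"
SECOND_CLASS = "2nd Class"
NO_CLASS = "None"
SAME_AS_DISPLAY = "Same as display class"

MODES = ("All", "Only 1st Class folders",
         "1st and 2nd Class folders", "All except 2nd Class folders")


@dataclass
class Folder:
    name: str
    display_class: str
    sync_class: str = SAME_AS_DISPLAY   # the per-folder default in the table


def effective_sync_class(folder: Folder) -> str:
    """"Same as display class" inherits whatever the display class is."""
    if folder.sync_class == SAME_AS_DISPLAY:
        return folder.display_class
    return folder.sync_class


def mode_selects(mode: str, folder_class: str) -> bool:
    """Does a folder of the given class fall under a display/sync mode?"""
    if mode == "All":
        return True
    if mode == "Only 1st Class folders":
        return folder_class == FIRST_CLASS
    if mode == "1st and 2nd Class folders":
        return folder_class in (FIRST_CLASS, SECOND_CLASS)
    if mode == "All except 2nd Class folders":
        return folder_class != SECOND_CLASS
    raise ValueError("unknown folder mode: %r" % mode)


def displayed_folders(display_mode: str, folders) -> list:
    """Names of the folders the folder list shows."""
    return [f.name for f in folders if mode_selects(display_mode, f.display_class)]


def synced_folders(display_mode: str, sync_mode: str, folders) -> list:
    """Only displayed folders are ever auto-synced (the footnote to the table),
    and of those only the ones the sync mode selects by their sync class."""
    shown = set(displayed_folders(display_mode, folders))
    return [f.name for f in folders
            if f.name in shown and mode_selects(sync_mode, effective_sync_class(f))]


def example_account() -> list:
    """Inbox, Janet and Carl as 1st Class, John unclassified, plus 100
    constructed folders the user never wants to see."""
    folders = [Folder("Inbox", FIRST_CLASS), Folder("Janet", FIRST_CLASS),
               Folder("Carl", FIRST_CLASS), Folder("John", NO_CLASS)]
    folders += [Folder("List-%03d" % i, NO_CLASS) for i in range(100)]
    return folders


if __name__ == "__main__":
    acct = example_account()
    print(displayed_folders("Only 1st Class folders", acct))   # Inbox, Janet, Carl
    print(len(synced_folders("All", "All", acct)))             # 104: every folder syncs
```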

Message Security
Message security is the practice of encrypting messages on your device so that they can be read only by the intended recipient. Although network security and device security are important, this kind of message encryption is necessary in many situations:

Confidentiality: Message encryption is the only way to ensure that only the intended recipients are reading your messages.
Authenticity: Message encryption is the only way to ensure the identity of the people you are communicating with.

Practicing message encryption, however, can be a challenge:

You must own a device: The idea with message encryption is that you don’t trust another party to encrypt your communication for you. Therefore, all the encryption takes place on your machine, which means you need to own your own device.
Steep learning curve: In order to use encryption software correctly, you will need to spend a significant amount of time learning important encryption concepts like public keys, private keys, keyrings, etc.
Limited correspondents: With message encryption, you can only communicate securely with other people using the same software.

Obviously, these guarantees of security don’t apply if your device has been compromised.

Concepts in Message Encryption
What these help pages call “message encryption” is technically called “public-key cryptography”. Here is how it works:

Private Key: Everyone has their own private key. As the name implies, this key must be kept private. You use this private key in order to read the encrypted messages sent to you.
Public key: Everyone also has a public key. This key is often distributed far and wide. When someone wants to send you a secure message, they use your public key to encrypt it. Only the person with the corresponding private key will be able to decrypt it.

Tips for Learning Message Encryption
Although it provides the highest level of security, public-key encryption is still an adventure to use. To make your journey less scary, we suggest you keep these things in mind:

Be in it for the long haul: using public-key encryption takes a commitment to learning a lot of new skills and jargon. The widespread adoption of public-key encryption is a long way off, so it may seem like a lot of work for not much benefit. However, we need early adopters who can help build a critical mass of public-key encryption users.
Develop encryption buddies: although most of your traffic might not be encrypted, if you find someone else who uses public-key encryption try to make a practice of only communicating securely with that person.
Look for advocates: people who use public-key encryption usually love to evangelize about it and help others to use it too. Find someone like this who can answer your questions and help you along.

Limitations of Message Encryption
Although you can hide the contents of email with public-key encryption, it does not hide who you are sending mail to and receiving mail from. This means that even with public key encryption there is a lot of personal information which is not secure. Why? Imagine that someone knew nothing of the content of your mail correspondence, but they knew who you sent mail to and received mail from and they knew how often and what the subject line was. This information can provide a picture of your associations, habits, contacts, interests and activities.
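What an observer on the path still reads when the body is PGP-encrypted, as an added example (not from the book): the headers stay in the clear, and a handful of such messages already yields the who-talks-to-whom-how-often picture described above. The four messages are constructed and their "PGP MESSAGE" blocks are placeholders, not real ciphertext.

```python
"""Added example (not from the book): what stays visible when the body of an
email is PGP-encrypted. The messages below are constructed, and the
"-----BEGIN PGP MESSAGE-----" blocks are placeholders, not real ciphertext."""
import email
import email.utils
from collections import Counter
from email import policy

# Header fields that every mail server on the path reads in the clear.
EXPOSED_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

SAMPLE_MESSAGES = [
    """\
From: alice@example.invalid
To: bob@example.invalid
Subject: meeting on Friday
Date: Mon, 07 May 2012 09:12:00 +0000
Message-ID: <1@example.invalid>
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
""",
    """\
From: bob@example.invalid
To: alice@example.invalid
Subject: Re: meeting on Friday
Date: Mon, 07 May 2012 11:03:00 +0000
Message-ID: <2@example.invalid>
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
""",
    """\
From: carol@example.invalid
To: alice@example.invalid, bob@example.invalid
Subject: draft leaflet
Date: Tue, 08 May 2012 18:40:00 +0000
Message-ID: <3@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
--b1--
""",
    """\
From: alice@example.invalid
To: bob@example.invalid
Subject: flyers for Saturday
Date: Wed, 09 May 2012 07:55:00 +0000
Message-ID: <4@example.invalid>
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
placeholder
-----END PGP MESSAGE-----
""",
]


def parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def body_is_encrypted(msg) -> bool:
    """True for PGP/MIME (RFC 3156) or an inline ASCII-armored body."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if ctype == "text/plain":
        return msg.get_content().lstrip().startswith("-----BEGIN PGP MESSAGE-----")
    return False


def exposed_metadata(raw: str) -> dict:
    """Everything an observer reads without any key: the headers, plus the
    fact that the body is encrypted (which itself stands out in traffic)."""
    msg = parse(raw)
    meta = {h: str(msg[h]) for h in EXPOSED_HEADERS if msg[h] is not None}
    meta["body_encrypted"] = body_is_encrypted(msg)
    return meta


def contact_graph(raws) -> Counter:
    """Directed (sender, recipient) edges weighted by message count."""
    edges = Counter()
    for raw in raws:
        msg = parse(raw)
        sender = email.utils.parseaddr(str(msg["From"]))[1].lower()
        rcpt_headers = [str(msg[h]) for h in ("To", "Cc") if msg[h] is not None]
        for _, addr in email.utils.getaddresses(rcpt_headers):
            edges[(sender, addr.lower())] += 1
    return edges


def correspondents(graph: Counter, person: str) -> Counter:
    """Who a person exchanges mail with, and how often, in either direction."""
    out = Counter()
    for (src, dst), n in graph.items():
        if src == person:
            out[dst] += n
        elif dst == person:
            out[src] += n
    return out
```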

Social Network Map
The US maintains a social network map of everyone
The National Security Agency (NSA), a division of the United States government, maintains a giant database, one of the largest ever, composed of the social network connections of everyone with communication that passes through the United States. This social network map is derived from transactional information. For example, the record that person A made a phone call to person B at a particular time. The database does not include the content of the communication. Because of this, the NSA considers the database to be legal (although even within the NSA there are those who feel that it is not).

Why is this a problem
At first, a giant social network map does not seem to be very bad. After all, much of the data in the map is not information most people would consider sensitive. So what if the government knows that I call my grandmother on the weekends? The problem is that a social network map of everyone gives the government a blueprint for how to disrupt our social movements. Social network analysis can be used to pinpoint exactly the most efficient way to disrupt an organization. In effect, through our complacency, we have put into the hands of the government the ultimate tool for social control. Because so much of the world’s communication passes through the United States, this affects practically everyone who communicates electronically, not just people who live within the borders of the US.

History of mass transactional surveillance
The kind of surveillance needed to build the giant social network map is called “transactional surveillance.” The US government has been engaging in widespread transactional surveillance since the early 1990s.

Prior to 9/11
The NSA has long tracked patterns of calls and email between the US and South America in an effort to identify drug trafficking. According to administration officials, “the Bush and Clinton administrations signed off on the operation, which uses broad administrative subpoenas, but does not require court approval to demand the records.” Seven months before the attacks of September 11th, the NSA proposed to Qwest Communications that they build the capacity for the NSA to analyze patterns of calls, emails, and other transmissions crossing Qwest’s network. The goal was not to target individuals or to capture the content of any of the communication, but rather to discover “groups’ communication with each other in strange patterns” according to former Defense Department and White House officials. Although Qwest declined the request, lawyers suing AT&T claim to have whistleblower evidence that the telecom giant agreed to a similar NSA program during this same period.

After 9/11
After the attacks of September 11, these programs grew in scope and sophistication. In 2006, USA Today first broke the story of a massive call database developed after the attacks of September 11 that included the transactional records of every call made through the major telecommunications carriers in the US (except for Qwest). At the time, this data gathering was reported to include telephone calls and was described as the “largest database ever assembled in the world”. Reporting 19 days later, Seymour Hersh first revealed the existence of a secret direct connection from the telecommunication backbone of the internet to the NSA. To the extent that this program limited itself to transactional data and not eavesdropping, no court oversight was needed and no laws were broken, according to officials in the administration. Hersh writes:

A security consultant working with a major telecommunications carrier told me that his client set up a top-secret high-speed circuit between its main computer complex and Quantico, Virginia, the site of a government-intelligence computer center. This link provided direct access to the carrier’s network core—the critical area of its system, where all its data are stored. “What the companies are doing is worse than turning over records,” the consultant said. “They’re providing total access to all the data." “This is not about getting a cardboard box of monthly phone bills in alphabetical order,” a former senior intelligence official said… “The N.S.A. is getting real-time actionable intelligence,” the former official said. (Emphasis added)

In 2008, the Wall Street Journal published an in-depth story on the NSA’s program of mass transactional surveillance and social network analysis:

According to current and former intelligence officials, the spy agency now monitors huge volumes of records of domestic emails and Internet searches as well as bank transfers, credit-card transactions, travel and telephone records. Current and former intelligence officials say telecom companies’ concern comes chiefly because they are giving the government unlimited access to a copy of the flow of communications, through a network of switches at U.S. Telecommunications hubs that duplicate all the data running through it.

The NSA uses its own high-powered version of social-network analysis to search for possible new patterns and links to terrorism. (Emphasis added)

Leslie Cauley. NSA has massive database of Americans’ phone calls. USA Today, May 10 2006.
Seymour Hersh. Listening In. New Yorker, May 29 2006.
Eric Lichtblau, James Risen, and Scott Shane. Wider Spying Fuels Aid Plan for Telecom Industry. The New York Times, December 16 2007.
Siobhan Gorman. NSA’s Domestic Spying Grows As Agency Sweeps Up Data: Terror Fight Blurs Line Over Domain; Tracking Email. Wall Street Journal.

The only way to keep your list of associations private is to use a service provider which will establish a secure connection with other service providers. See radical servers for a list of such providers.

Radical Servers
Anti-capitalist, anti-hierarchy, autonomous revolutionary collectives provide free or mutual aid services to radical and grassroots activists.


Europe
Some random descriptions from the Aktivix description generator:

Aktivix is a donation-funded herd of sweaty techies who desire to enable computer-users to disrupt capitalism in a fluffily non-hierarchical manner.
Aktivix is a donation-funded co-operative of fluffy hacktivists who wish to empower collectives to challenge authority in an entirely sustainable manner.
Aktivix is a consensus-based network of tired activists who wish to facilitate community groups to communicate in an open and non-hierarchical manner.

Aktivix provides:

Email
Mailing lists
English
Wiki

offers services to non-commercial, non-racist, non-Nazi, non-fascist groups: no parties, no organizations with their own structure (who have much money..), no sexists. We have radical organizations like Anarchist Black Cross or the Italian Social Forum.

Email accounts
Email lists
Jabber instant messaging
Website hosting
Anonymous remailer
Web anonymizer
Keyserver
Usenet news server
Italian language

is an autonomous revolutionary tech collective.

Email accounts
French language

Here are the fingerprints of the SSL certificate of :

SHA-1: 13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33
MD5: A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B

Here are the fingerprints of the SSL certificate of :

SHA-1: 92:7C:54:BF:16:D4:F3:DF:90:32:58:96:0B:61:C0:E6:9F:D0:25:A2
MD5: 4D:41:54:68:73:7A:F8:68:19:AC:D0:CF:9D:A5:34:99

the certificate of

is an autonomous collective with main point of report, social fights and how these are expressed in cyberspace. The collective is also responsible for managing services. So far, the following services are provided:

website hosting
online storage
e-mail accounts
mailing lists
blogs
discussion forums

Greek language, English supported

is an autonomous collective providing mail, lists and webspace for their friends. They support progressive and emancipatory groups and individuals to change the world. The services are provided to the friends of immerda and their friends, which makes it an invite-only project. So far, the following services are provided:

e-mail accounts / webmail
mailing lists (mailman, schleuder)
web hosting (static, php, ruby) in a secure environment
wikis and discussion forum
blogs
git repositories

German language, English and French and a little Spanish supported

Isole Nella Rete Project is a place that offers visibility, relations and a chance to rejoice to those who have been fragmented and dispersed by the deep changes that have occurred in our society – those who are not aligned with the ‘unique thought’, not yet resigned to marginality – those who still can wish to build a REAL movement able to change the current ‘state of things’.

websites
mailing lists
email for Italian social centers and political collectives
movement search engine
Italian language

represents politics by undogmatic leftists on the internet, including electronic services such as mail-providing and web-hosting.

Website hosting
Email accounts
German language

provides virtual space for social movements and political action on the internet. Madrid.

Spanish language
Website hosting

(closed to new subscribers) offers internet access and an email account to everyone who asks for it. Since its beginning in 2002, when the first French laws on monitoring communications were passed, No-log has had a minimum (yet legal) log policy, and tries to inform its users about surveillance and privacy.

French language, English supported
Dial-up accounts (56K modems, local connection)
Email accounts (pops, imaps, smtp/tls, webmail)

intends to immerse itself in that multiverse which exists and organises itself within the web, in order to contribute to this space which embraces cooperation and communication as well as conflicts and struggles.

Spanish language
Email lists
Email accounts

provides digi-political infrastructure and

Webspace
Mail
DNS
SILC
Collaboration

provides tech services to the squat movement.

Email accounts
Website hosting
ASCII low-tech internet workspace
Support in: English, Italiano, Deutsch, Nederlands, Español, Polski, Norsk
For the squatting movement

North America

collective area is aimed at promoting independent ways to generate, distribute and maintain infrastructure to develop technical and social projects. We propose a standalone server because we decided to relate as equals, we decided to avoid using technology as simple client-consumers, we decided to take control of our lives and take responsibility for what we do and say also on the network rather than settle for what is given to us ready-made, we decided to build autonomy to inform, communicate and support each other through the network.

Spanish
Hosting
Email
Mexico City

has been providing free web hosting for the anarchist left since 1997. Flag also provides email and mail lists for the anarchist community. Flag hosts over 50 anarchist sites.

Hosting
Email
Lists

The mission at is to research, create and disseminate information, tools, and tactics that empower people to use technology in a way that is liberating. We support and strengthen our local communities through education and action. We strive to learn from each other and focus our skills toward creative goals, to explore and research positive hacktivism, and to defend a free internet and free society!

zines
security trainings
jabber
mailing lists
email

is a tech collective out of the SF Bay Area.

Email lists
Email accounts (but no registration process)
Website hosting
Support in English and Spanish

is an anarchist tech collective centered in New York, Moscow, and L.A.

Email lists
Email accounts
Website hosting
English and Russian language

is a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications. It is a small-a anarchist tech collective centered in Seattle.

Email accounts (by request)
Email lists
Website hosting
Server colocation
Virtual server hosting

is an anarchist tech collective in Vancouver B.C.

Email lists
Email accounts
Website hosting
Vancouver area activist calendar
Activist directories
News feeds

is an anarchist tech collective in Toronto, Canada.

Email lists
Email accounts
Website hosting

South America
is a temporary autonomous zone; at the same time it is a tool for creating, disseminating, distributing, and maintaining social structures based on freedom and mutual support. entodaspartes is a temporary autonomous zone, and at the same time a tool to create, spread, distribute and maintain structures based on social and mutual aid and freedom.

was born in mid-2005 with the objective of promoting research on the information society, cyberspace and technology. With this objective the study group is inserted in the technical-scientific-informational sphere and uses its knowledge to host pages, wikis, and library cataloging projects for independent and autonomous groups of cyber-activists.

Saravá The Saravá is a multidisciplinary collective that aims to optimize the use of technology by social groups, always focusing on the human aspect of man-machine relationship. Our studies include sharing the same physical structure of small groups that have different purposes, uniting and saving technological resources.

West Asia
Taharar! (liberate yourself! in Arabic) is an autonomous project that aims to empower individuals, collectives, and groups working on issues of social justice in West Asia and North Africa by providing them with alternative communication and technical services, information, resources, and support. Taharar!’s vision is to combat the digital censorship prevalent in West Asia and North Africa by providing an accessible pool of resources in local languages (including Arabic, Farsi, Hebrew, Kurdish, etc.) that allow people to create democratic alternatives by controlling their own secure means of communications through the use and proliferation of free, open source software and technologies.

404 team is an autonomous & anarchist tech collective from Siberia, hosting Siberian Indymedia and other activist sites from around the xUSSR. 404 team is a team of autonomous people sticking with the principles of anarchism. Our goal is helping in the creation of a free society, a world without hierarchy and oppression, a world without poverty and restrictions on expression, a world where people will be more important than profits. We do this through our support of like-minded allies in the struggle against capitalism and other forms of oppression.

World Wide
is an international activity calendar and directory of protests. Anarchist tech collective, mostly nomadic.

Online calendars
Support in English and Spanish

is a decentralized global network of media activists.

News feeds

is the idea of providing technical services to emancipatory projects and groups of political change. It is also the groups of people behind this idea. There are many overlapping collectives that help to maintain the projects, but Tachanka operates within many shared principles, forming a supportive network to enable shared aims. The collectives are international, seeking to enhance global solidarity. The foremost guiding principles of the Tachanka project are the Hallmarks of People’s Global Action and the Debian Social Contract.

virtual servers
dns caching
mailing lists
mediawiki
social bookmarking
mysql databases
English / French possible

Advanced email security
Using public key encryption in email
It is possible to achieve a greater level of email privacy, even with a non-secure email account. In order to do this, you will need to learn about public key encryption. This technique allows you to encode individual messages, making them unreadable to anyone but the intended recipients. The ingenious aspect of public key encryption is that you don't have to exchange any secret information with your contacts about how you are going to encode messages in the future. This technique can be used with any email service, even one that lacks a secure communication channel, because individual messages are encrypted before they leave your computer.

Remember that, by using encryption, you could attract attention to yourself. The type of encryption used when you access a secure website, including a webmail account, is often viewed with less suspicion than the type of public key encryption being discussed here. In some circumstances, if an email containing this sort of encrypted data is intercepted or posted to a public forum, it could incriminate the person who sent it, regardless of the message's content. You might sometimes have to choose between the privacy of your message and the need to remain inconspicuous.

Encrypted Email
What is encrypted email?
Encrypted email is a way of keeping the content of your email safe from eavesdropping as it bounces around the internet. The most common type of encryption is OpenPGP (OpenPGP is the specification, PGP is "Pretty Good Privacy" and is proprietary, GPG is GNU Privacy Guard and is free software). There are many resources on the internet that can offer you a detailed explanation of how encryption works. For our purposes, there are three components that are useful to understand: public key, private key and passphrase.

Your public key is, as you can tell from the name, publicly available. Sometimes, people use keyservers to share public keys to make sending emails using encryption easier. Whenever you wish to send encrypted email, you must have the recipient's public key. Similarly, whenever someone else wants to send you encrypted email, they must have your public key.

A private key is connected to exactly one public key. Without a private key, the content of an encrypted message is extremely difficult to extract. In the age of supercomputers, nothing is impossible, but decrypting a message without the private key is extraordinarily difficult. Your private key is extremely important and should be kept in a safe place at all times.

Your passphrase should be at least 21 characters in length, should contain UPPER and lower case characters, as well as symbols (&$"{@). Your passphrase unlocks your private key and permits it to be used, in conjunction with your public key, to send and receive encrypted email.

How do I use encrypted email?
There are three basic functions you can perform using GPG: signing, encrypting and verifying.

Signing: When you sign something, you use your private key and your passphrase to generate a signature block that is appended to the item you are signing. This signature block is generated from two things: (1) a numerical value (a hash) computed from the contents of the message and (2) your private key.

Verifying: When someone receives something that has been signed, they can verify it using the signer's public key (the one paired with the private key that produced the signature). The public key could be downloaded from a keyserver, or perhaps emailed by the sender. Verifying establishes two things: (1) the message was signed by someone who has access to the associated private key and (2) the contents of the message were not modified in transit.

Encrypting: To encrypt a message, you need the public key of the recipient. You do not need a passphrase or even a GPG key of your own to encrypt something. However, most programs will also encrypt anything to your own public key when sending. Otherwise, once you encrypt a message, you would no longer be able to read it. Once it is encrypted, the contents of the email are no longer viewable in transit. However, the subject, sender, and recipient are still visible.

Can I send and receive encrypted email using webmail?
Some webmail programs allow you to send and receive encrypted email. The software is called IMP. However, one problem with this software is that your private key is stored on the servers. This makes it vulnerable to legal process in the United States (such as a search warrant or subpoena) and is therefore not recommended. It is much better for users who want encrypted email to use an email client (such as Thunderbird) to send and receive email, keeping the private key stored safely on the local machine.

What are some limitations of encrypted communications?
Encrypted communications do not protect you from relational surveillance, which is the monitoring of associations between people. For example, if is sending encrypted emails regularly to, someone who was intercepting the communications between the two may not know what the two are discussing, but the basic fact that the two people are regularly communicating is useful in and of itself. Additionally, the subject line of the message is not encrypted. Signing and verifying do not ensure that the email was in fact sent by the email address associated with the key. Spoofing return email addresses is very easy. Thus, someone with the email address could: (1) create a key for, (2) upload the key to a public keyserver and (3) send an email from that appears to come from that is signed. If you merely download the public key and verify the message, it will show a “good signature from” even though the message did not come from Alice at all! This is why the web of trust is so important (see below).

How can I verify a key owner’s identity?
So you are set up with encrypted email and happily sending and receiving messages. But how do you know that you are actually communicating with the person you think you are? That's where key fingerprints come into play. Each public key has a unique fingerprint. The fingerprint is generated through a hash function, which is like a one-way portal: for any specific input, there is one and only one corresponding output. Just like your fingerprints are unique, there is only one fingerprint for any specific public key. Why is this useful? Because in order to be certain of the integrity of the process, you need to make sure that when you are receiving a signed email from you are actually receiving email from your friend Alice. There are two (or possibly three) ways you can accomplish this:

1. You and Alice meet in person and Alice gives you an electronic copy of her public key.
2. You and Alice meet in person and Alice gives you a copy of her key fingerprint and you verify that the fingerprint matches that of the public key.
3. (Less secure) If you know Alice very well and recognize her voice, Alice could read the fingerprint to you over the phone. The fingerprint is not secret information: anyone can generate the fingerprint using the public key.

How can I sign a key and why would I want to?
Taking things to the next step, let's say you've exchanged keys with Alice in a secure manner. Now you're done and can safely email Alice, knowing that you are actually exchanging emails with her (because she is signing her emails), and knowing that the contents of your communication are safe from snooping (because you are encrypting your emails using Alice's public key). But let's say Alice meets Rita at an action, and Alice and Rita exchange keys in a secure manner. You know and trust Alice, but you haven't met Rita. How can you establish that Rita's key is genuine without having to meet her in person? Enter the web of trust and key signing.

Once Alice has verified Rita's key in a secure manner, Alice can sign Rita's public key. There are two schools of thought on key signing: one group believes that you should only sign someone's key (even someone who you've known for a long time) if you have verified that the real name associated with the email address matches that on a government-issued photo identification (such as a passport). Others will sign keys without verifying the key owner's real name, which establishes that the owner of the email address is the owner of the key, but not that the real name associated with the email address owns the key.

If you trust Alice to carefully verify individuals' keys, then you can set in your keyring a level of trust for Alice's key. Then, if you haven't met someone in person to verify their key, but Alice has, you can establish a trust level for that key based on the fact that Alice has signed it. You can host a key signing party to encourage your friends and colleagues to exchange keys and sign them. This provides an avenue to verify the identity of people whom you have not met, where others whom you trust have met the individual.
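The signing, fingerprint-check and key-signing steps described above, as an added example that is not from the book: a POSIX shell script driving the gpg command line (the tool behind Enigmail) for two constructed identities, Alice and Bob, in throwaway keyrings. The addresses, message text and temporary paths are made up; it needs gpg 2.1 or newer.

```shell
#!/bin/sh
# Added example, not from the book: a GnuPG round trip between two
# constructed identities (Alice and Bob) in throwaway keyrings. It walks
# through generating keys, comparing fingerprints before trusting a key,
# signing+encrypting as Alice, decrypting+verifying as Bob, and then shows
# how gpg's trust verdict changes once Bob certifies Alice's key.
# Requires gpg 2.1 or newer; all addresses and paths are made up.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"
mkdir -m 700 "$ALICE" "$BOB"

# Stop the per-keyring agents and remove the throwaway material on exit.
cleanup() {
  gpgconf --homedir "$ALICE" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$BOB" --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# gpg bound to one keyring, fully unattended. The empty passphrase is only
# acceptable here because the keys are thrown away a moment later.
g() { home=$1; shift; gpg --homedir "$home" --batch --quiet --yes \
        --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of a user id, as the keyring named in $1 sees it.
fpr() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1=="fpr"{print $10; exit}'; }

# 1. Key generation: each side makes a key pair with the default algorithm.
g "$ALICE" --quick-generate-key 'Alice <alice@example.invalid>' default default never 2>/dev/null
g "$BOB"   --quick-generate-key 'Bob <bob@example.invalid>'     default default never 2>/dev/null
ALICE_FPR=$(fpr "$ALICE" alice@example.invalid)   # what Alice reads out in person

# 2. Key exchange: each exports a public key and imports the other's.
g "$ALICE" --export --armor alice@example.invalid > "$WORK/alice.asc"
g "$BOB"   --export --armor bob@example.invalid   > "$WORK/bob.asc"
g "$BOB"   --import "$WORK/alice.asc" 2>/dev/null
g "$ALICE" --import "$WORK/bob.asc"   2>/dev/null

# 3. Fingerprint check: Bob compares the fingerprint his keyring computes
#    for the imported key with the one Alice gave him face to face.
[ "$(fpr "$BOB" alice@example.invalid)" = "$ALICE_FPR" ] \
  || { echo "fingerprint mismatch, do not use this key" >&2; exit 1; }

# 4. Alice signs and encrypts a message to Bob. --trust-model always stands
#    in for Alice having done her own fingerprint check on Bob's key.
printf 'meet at the usual place\n' > "$WORK/msg.txt"
g "$ALICE" --trust-model always --local-user alice@example.invalid \
   --recipient bob@example.invalid --sign --encrypt \
   --output "$WORK/msg.gpg" "$WORK/msg.txt"

# Bob decrypts and verifies; returns the TRUST_* verdict gpg attaches to
# the signature (GOODSIG is reported in both cases, so look past it).
verify_as_bob() {
  g "$BOB" --status-fd 1 --output "$WORK/out.txt" --decrypt "$WORK/msg.gpg" 2>/dev/null \
    | awk '$2 ~ /^TRUST_/ {print $2; exit}'
}
decrypted_text() { cat "$WORK/out.txt"; }

# 5. Before certification: good signature, but as far as gpg knows the
#    key's owner is unverified (TRUST_UNDEFINED). After Bob locally signs
#    the key he checked in step 3, the same message verifies as TRUST_FULLY.
BEFORE=$(verify_as_bob)
g "$BOB" --quick-lsign-key "$ALICE_FPR" 2>/dev/null
AFTER=$(verify_as_bob)
echo "before certification: $BEFORE, after: $AFTER"
```

The "Good signature" line alone says only that some holder of the matching private key signed the message; the TRUST_* verdict is what changes once the key has been checked against a fingerprint and certified, which is the point of the web of trust.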

Do you have any other tips about encrypted email?

DO save your private key on an encrypted hard disk partition: this protects your key in case your computer is lost, stolen, or seized.

DO NOT share your private key with anyone or save the private key on a public computer.

USE A STRONG PASSPHRASE: Your passphrase is your last defense against the unauthorized use of your key. Don't ruin the whole affair by using a weak passphrase. Passphrases should be longer than 21 characters and should not contain words from a dictionary or other easily guessable combinations. A random passphrase that you keep written down in a safe location is better than a long passphrase that includes dictionary words.

USE GENERIC SUBJECT LINES: Subject lines of emails are not encrypted. Thus, you should always use very generic subject lines in your encrypted communications.

HOST A SIGNING PARTY: Encourage your friends to get a GPG key and sign each other's keys.

SEND ENCRYPTED EMAILS EVEN WHEN THE CONTENTS ARE NOT IMPORTANT: This is vital!! If the only encrypted email traffic involves secret communications, it creates a much smaller amount of traffic to be analyzed. If everyone used encrypted email for all communications, even for deciding about what kind of pizza to have, this would increase the amount of encrypted email traffic.

Email Encryption with PGP
The universal standard for public-key encryption is Pretty Good Privacy (PGP): and GNU Privacy Guard (GPG): . GPG is Free Software: , while PGP is a proprietary product (although there are many freeware versions available such as ). Both work interchangeably and are available as convenient add-ons to mail clients for Linux, Mac, and Windows. For information on configuring your mail client to use public key encryption, see the mail client pages below. In particular, read Apple Mail and Thunderbird. Otherwise, you should refer to the documentation which comes with your particular mail client.

Apple Mail

Apple Mail, also known as or simply Mail, is the full featured mail client which comes with OS X. It is pretty and easy to use, but we don't recommend it because it is not Free or Open Source Software (software libre). Unfortunately Apple Mail seems to have gotten worse over time; we have been noticing more and more problems with Apple Mail and IMAP support. This problem seems to only happen sometimes, and doesn't affect everyone. For this reason, we recommend you consider using Thunderbird instead of Apple Mail. If you do want to use Apple Mail, then you can follow the instructions here. Before you configure Apple Mail, you need to decide whether you will be using IMAP or POP. If you are unsure, you probably want IMAP.

Apple Mail IMAP

1 Adding a New IMAP Account
  1.1 First Time User
  1.2 Existing User
2 Managing Account Settings
  2.1 Setup Encryption For Receiving Mail
  2.2 Setup Encryption For Sending Mail
  2.3 Complete the Setup!
3 Setting up Folders

Adding a New IMAP Account
First Time User
The first time you start Mail, a dialog will appear requesting your account information:
1. Enter your name.
2. Enter your full email address, i.e.
3. Both incoming and SMTP servers should be "".
4. Select "IMAP" account type.
5. Your username is the part of your email address before the @ sign, in this case, "joe_hill".
6. VERY IMPORTANT! Do not enter your current password! Why? Because it will be transmitted over the internet unencrypted, and someone could get it from you! We need to set up some things before it will be encrypted. Enter an incorrect password here. You will occasionally get a dialog box requesting your password when Mail attempts to check your mail. Ignore it until you finish setting up the secure connections. Just hit Cancel when these messages appear.
7. Select "OK".

An error message will appear, but just click continue:

Existing User
This section is for adding an account profile if you have already been running Apple Mail.
1. Select menu item Mail > Preferences…
2. Select the Accounts tab.
3. Click on the + button in the lower-left corner of the screen.
4. For account type, select IMAP.
5. Enter a description (it can be anything; we suggest your email address).
6. Enter your full email address, i.e.
7. Your incoming mail server is
8. Your user name is the portion of your riseup address before the "@".

Managing Account Settings
We assume you have the preferences window open. To do so:
1. Select menu item Mail > Preferences…

Setup Encryption for Receiving Mail
1. Click on Accounts and select, for example, your riseup email account.
2. Now select the Advanced tab.

1. Click "Automatically synchronize changed mailboxes".
2. Click "Use SSL".
Note: If you have trouble receiving mail, try using port 993 instead of 143.

Setup Encryption for Sending Mail
1. Click on "Account Information".
2. Make sure that your SMTP server is set to
Note for existing mail users: You will need to select "Add Server" from the SMTP pulldown menu.
3. If it is, select "Server Settings".
4. For Server Port, put 587.
5. Select Use Secure Socket Layer (SSL).
6. Set Authentication to Password.
7. Now, enter your correct user name and your correct password.
8. Select OK.

Note: If you have trouble sending mail, try using port 465 instead of 587. For more information on configuring the outgoing server, follow this guide.

Complete the Setup!

Now, simply enter your correct password in the password box. Your password will be encrypted when sent to the selected server to send and receive email. When using secure connections, you will likely receive an error message that the server certificate is not trusted. Visit the certificates page for detailed instructions on how to configure your computer to work well with certificates.

Setting up Folders
The default setup will save your sent mail, drafts, and trash on your local machine instead of on the server. If you want to save them on the server, follow these steps:
1. Expand the directory under your account on the left side of the screen to expose all of the folders.
2. Select the relevant folder (e.g. "Trash", "Sent", "Drafts").
3. Select the "Mailbox" menu and select "Use this mailbox for" and then select the obvious choice.
4. Repeat for the other mailboxes.

Thunderbird
What is Thunderbird?

Thunderbird is the mail client recommended by It is Free Software and is available for Linux, Windows, and Mac OS X. You can download Thunderbird from the Thunderbird website: As Free Software, Thunderbird is part of the digital commons, a kind of common treasury for all. Outlook, on the other hand, is Microsoft's tool for world domination. Enigmail and GnuPG will give you access to authentication, digital signing and encryption to ensure the privacy and security of your email communication. Thunderbird has many features, including: IMAP and POP support, multiple accounts, quick search, spell as you type, advanced spam controls, RSS, virtual folder views, message filtering, address book, and support for OpenPGP encryption.

Computer Requirements

All Windows Versions

Managing multiple email accounts is a complex task from the digital security viewpoint; therefore, we strongly recommend that you use Mozilla Thunderbird for this purpose. The security advantages available in Thunderbird, a cross-platform free and open source program, are even more important when compared to its commercial equivalents like Microsoft Outlook. However, if you would prefer to use a program other than Mozilla Thunderbird, we recommend the following free and open source alternatives:
- Claws Mail: available for GNU Linux and Microsoft Windows;
- Sylpheed: available for GNU Linux, Mac OS and Microsoft Windows;
- Alpine: available for GNU Linux, Mac OS and Microsoft Windows.

The essential benefit of using Portable Thunderbird is that you may store local copies of your emails on a removable drive or USB memory stick. In addition to this, both the Portable Thunderbird program itself and all local copies of your emails can be concealed within a TrueCrypt encrypted volume. As such, you improve the security of your emails and conceal the email accounts and addresses you use. However, keep in mind that your external device or USB memory stick, and portable tools, are only as safe as the computer you are using, and may risk being exposed to adware, malware, spyware and viruses.

Download and Extract Portable Thunderbird
Click to be directed to the appropriate download site.

Click to activate the Source Forge download site. Click to save the installation file to your computer, and then navigate to it. Double click it; the Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:

The Mozilla Thunderbird, Portable Edition | Installer window

Click to activate the following screen:

The Choose Install Location window

Click to activate the Browse for Folders window as follows:

The Browse for Folder window

Navigate to your destination external drive or USB memory stick, as shown in Figure 3 above, to confirm the location of the Mozilla Thunderbird, Portable Edition file, and then click to return to the Choose Install Location window. Click to activate the Installing window and begin extracting the Mozilla Thunderbird, Portable Edition file, and then click to complete the extraction process.

Navigate to the removable drive or USB memory stick on which the Mozilla Thunderbird, Portable Edition file was saved. Double click to open your removable device or USB memory stick, and it should resemble the following:

The newly installed Mozilla Thunderbird Portable Edition displaying the Thunderbird Portable folder

How to Install Thunderbird on windows
Installing Thunderbird is a quick and straightforward process. To begin installing Thunderbird, perform the following steps: Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:

The Extracting status progress bar
After the Thunderbird files have completed extracting themselves, the Welcome to the Mozilla Thunderbird Setup Wizard window appears. Click to activate the Mozilla Thunderbird - Setup Type window. Click to accept the default settings and activate the following screen:

The Mozilla Thunderbird - Summary screen
Click to start the installation process. The Mozilla Thunderbird - Installing progress status window appears. After the installation process is complete, the following screen appears:

The Completing the Mozilla Thunderbird Setup Wizard screen Click to complete the installation process.

Tip: Thunderbird will automatically launch itself if the Launch Mozilla Thunderbird now check box is enabled, as shown in figure above. To open the program in the future, either double click the Thunderbird desktop icon, or select > Programs > Mozilla Thunderbird > Mozilla Thunderbird.

Installing Thunderbird on Mac OS X
To install Thunderbird on your Mac, follow these steps: Use your web browser to visit the Thunderbird download page at This page detects your computer's operating system and language, and it recommends the best version of Thunderbird for you to use.

Download the Thunderbird disk image. When the download is complete, the disk image may automatically open and mount a new volume called Thunderbird. If the volume did not mount automatically, open the Download folder and double-click the disk image to mount it. A Finder window appears:

Drag the Thunderbird icon into your Applications folder. You've installed Thunderbird! Optionally, drag the Thunderbird icon from the Applications folder into the Dock. Choosing the Thunderbird icon from the Dock lets you quickly open Thunderbird from there.

Note: When you run Thunderbird for the first time, newer versions of Mac OS X (10.5 or later) will warn you that the application was downloaded from the Internet. If you downloaded Thunderbird from the Mozilla site, click the Open button.

Installing Thunderbird on Ubuntu
There are two different procedures for installing Thunderbird on Ubuntu: one for version 10.04 or later, and one for earlier versions of Ubuntu. We describe both below. Thunderbird will not run without the following libraries or packages installed on your computer:
- GTK+ 2.10 or higher
- GLib 2.12 or higher
- Pango 1.14 or higher
- X.Org 1.0 or higher

Mozilla recommends that a Linux system also has the following libraries or packages installed:
- NetworkManager 0.7 or higher
- DBus 1.0 or higher
- HAL 0.5.8 or higher
- GNOME 2.16 or higher

Installing Thunderbird on Ubuntu 10.04 or newer
If you're using Ubuntu 10.04 or newer, the easiest way to install Thunderbird is through the Ubuntu Software Center. Click Ubuntu Software Center under the Applications menu.

Type "Thunderbird" in the search box and press Enter on your keyboard. The Ubuntu Software Center finds Thunderbird in its list of available software. Click the Install button. If Thunderbird needs any additional libraries, the Ubuntu Software Center alerts you and installs them along with Thunderbird.

You can find the shortcut to start Thunderbird in the Internet option under the Applications menu:

How to Disable the Global Search and Indexer option in Thunderbird
Warning: The Global Search and Indexer feature in Thunderbird must be turned off to optimize its performance. Depending on the quantity and size of your emails, it may reduce the speed of your system by continuously and unnecessarily writing index information to your hard drive. As your hard drive becomes increasingly full, it will slow down many unrelated system operations. To turn off the Global Search and Indexer option, perform the following steps:
Step 1. Select Tools > Options in the Thunderbird console to activate the Options window.

Step 2. Click to activate its associated tab as follows:

The Options window displaying the Advanced tab
Step 3. Click the Enable Global Search and Indexer check box in the Advanced Configuration section to disable this option as shown below:

The Advanced Configuration section
Now that you have successfully disabled this option, you are ready to register an email account in Thunderbird.

How to Register an Email Account in Thunderbird in Windows
The Import Wizard - Import Settings and Mail Folders window only appears the first time you install Thunderbird.
Step 1. Uncheck the Don't import anything option so that it resembles the following screen:

The Import Wizard - Import Settings and Mail Folders
Step 2. Click to activate the following screen:

The Mail Account Setup window
Step 3. Type in your name, email address and password in the corresponding text fields; click the check box to disable the Remember my password option so that your screen resembles figure 7 above.

Step 4. Click to activate the following screen:

The Mail Account Setup window with the IMAP - Access folders and messages from multiple computers option enabled

IMAP and POP: Descriptions and Usage
Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) are two different methods used to store and receive emails.

Internet Message Access Protocol (IMAP): When using IMAP all your folders (including Inbox, Drafts, Templates, Sent, Trash and all other folders) reside on the email server. Therefore, you may access these folders from a different computer. All messages will reside on the server and initially, only the email message headers (containing information like the date and time, message subject, name of sender, etc.) are downloaded for display on your computer. Full messages are downloaded when you open them. Thunderbird may also be configured to store copies of messages from all or some of the folders on your computer, so that you may work with them offline (that is, without using an Internet connection). In IMAP, when you delete emails or folders, you do so on both your local computer and on the server.

Post Office Protocol (POP): When using POP only the Inbox (a folder into which new incoming messages are delivered) resides on the server; all other folders are located on your local computer only. You may choose between leaving messages in the Inbox folder on the server after you have downloaded them to your computer, or you may delete them from the server. If you access your email account from a different computer, you will only be able to view messages in the Inbox folder (new messages, and old messages which you have not deleted).

Step 5. Click to create your account, and activate the Thunderbird console with the email account displayed in the All Folders sidebar at left as follows:

The Mozilla Thunderbird main user interface displaying the newly created gmail account

Note: To add another email account, select File > New > Mail Account... to activate The Mail Account Setup window in this section, and repeat step 3 to step 5. After you have successfully registered your email accounts in Thunderbird, the next time you open the main user interface, you will be prompted to enter your password for each account as follows:

The Mail Server Password Required window
Note: Although password recording or 'remembering' features are generally not recommended from an internet privacy and security standpoint, Thunderbird does support a Master Password feature. This feature enables you to use one password to protect any passwords related to your different accounts, entered during the setup process. For more information about this feature, please refer to section How to Configure the Security tabs in Thunderbird - The Password tab.

How to Register Blogs, News Feeds and Newsgroup Accounts
To create and register an account for blogs, news feeds and newsgroups, perform the following steps:
Step 1. Select File > New > Other Accounts to activate the Account Wizard > New Account Setup window.
Step 2. Check either the Blogs & Newsfeeds or Newsgroup account option, and then click to activate the following screen:

The Account Wizard - Account Name window
Step 3. Click to activate the following screen:

The Account Wizard - Congratulations window
Step 5. Click to complete the account setup process, and return to the Thunderbird console.

Configure the Security Settings in Thunderbird

About the Security Options in Thunderbird

In the context of Mozilla Thunderbird, security generally refers to protecting your computer from harmful or malicious email messages. Some may be just spam; others may contain spyware and viruses. There are several settings which must be configured, disabled or enabled within Mozilla Thunderbird to strengthen its ability to defend your system from attacks originating from emails. It is also absolutely crucial that you have anti-malware and firewall software installed.

How to Disable the Preview Pane in Thunderbird
The Thunderbird console is divided into three areas: the left sidebar displays the folders for your email accounts, the right side shows a list of messages, and the bottom pane displays a preview of a selected email message. The preview is automatically visible as soon as a message has been selected. Note: If an email contains any malicious code, then this message pane could activate it; therefore it is a good idea to disable it.

The Thunderbird main user interface

To disable the preview pane, perform the following step:
Step 1. Select the View > Layout submenu, and select the Message Pane option to disable it as follows:

The View menu displaying the Layout submenu and Message Pane option selected
The Message Pane will disappear, and you must double-click an email message to read its contents. If an email message looks suspicious (perhaps it has an unexpected or irrelevant subject title, or comes from an unknown sender), you can now choose to delete it without having to preview its content.

How to Disable the HTML Feature in Thunderbird
Thunderbird lets you use Hypertext Markup Language (HTML) to compose and read messages. This lets you receive and send messages that include colors, fonts, images and other formatting features. However, HTML is the same language used for Web pages; viewing messages with HTML formatting may expose you to malicious emails which pose some of the same kinds of threats posed by web pages. To disable the HTML formatting feature, perform the following step:

Step 1. Select View > Message Body As > Plain Text as follows:

The View menu displaying the Message Body submenu with the Plain Text option selected

How to Configure the Security Options
Thunderbird has two built-in junk mail filters that can help you determine which of your incoming messages are spam. By default, these filters are disabled, so you must enable them for use. Even after they have been enabled, you will continue to receive junk mail, but Thunderbird will automatically sort it into the Junk folder. Email scams, also referred to as phishing emails, usually attempt to make you click on a link that is embedded in the email. Frequently, these links direct your browser to a web site that will attempt to infect your computer with a virus. In other cases, the link will take you to a web site that appears to be legitimate, to deceive you into entering a valid user name and password, which can then be used or sold by the entity or people behind it for commercial or malicious purposes. Thunderbird can help to identify and warn you about emails like this. Additional tools that can help prevent infection from malicious websites are described in the Other Useful Mozilla AddOns section of the Firefox chapter.

The first set of assorted junk mail and security controls are accessed through the Options Security window, through which the majority of these privacy and security options are configured. To access them, perform the following steps:
Step 1. Select Tools > Options to activate the Options window.

Step 2. Click to activate the following screen:

The Security window displaying its associated tabs

The Junk tab
Step 1. Check the relevant options in the Junk tab as shown in the figure above, to enable Thunderbird to delete email that you have determined to be junk mail. Additional junk mail settings are described later.

The Email Scams tab
Step 1. Check the Tell me if the message I'm reading is a suspected email scam option to enable Thunderbird to analyze messages for email scams as follows:

The Email Scams tab

The Anti-Virus tab
Step 1. Click the Anti-Virus tab to activate the following screen:

The Anti-Virus tab
This option lets your anti-virus software scan and isolate individual messages as they arrive. Without this setting enabled, it is possible that your entire Inbox folder could be 'quarantined' if you receive an infected message. Note: This assumes that you have a functioning anti-virus program installed. Please see Avast for more information on how to install and configure anti-virus software.

The Passwords tab
Step 1. Click the Passwords tab to activate the following screen:

The Passwords tab
Important: We strongly recommend keeping your passwords private and secure using software designed precisely for this purpose; please refer to KeePass for more information.

Note: The options in the Password tab will only work if you checked the Remember password option in the first Mail Account Setup screen when you registered your email accounts with Thunderbird.
Step 2. Click to activate the following screen:

The Saved Passwords window

The Saved Passwords window lets you remove or view all the corresponding passwords for each of your accounts. However, to maximize your privacy and security, you can set a Master Password to make all of your account passwords inaccessible to anyone else familiar with the Thunderbird password options.
Step 3. Check the Use a master password option as shown in the figure above to enable the Change Master Password... button.
Step 4. Click to activate the following screen:

Change Master Password window

Step 5. Type in an appropriately difficult password that only you will remember, and then click to confirm it as your Master Password. The next time you click , the following screen appears, prompting you to enter the master password:

The Password Required screen

The Web Content tab
A cookie is a small piece of text which a web site stores in your web browser and uses to authenticate or identify you. The Web Content tab lets you specify which blog, news feed or newsgroup cookies are reliable and safe.
Step 1. Click the Web Content tab to activate the following screen:

The Web Content tab Step 2. Select the I close Thunderbird item in the Keep until: option to delete those cookies whenever you close Thunderbird for additional security.

How to Enable the Account Settings Junk Mail Filter The second type of Thunderbird junk mail filter is available through the Account Settings - Junk Settings window. By default, these filters are disabled, so they must be enabled if you wish to use them. Whenever junk emails arrive, Thunderbird will automatically sort them into the Junk folders associated with the different accounts. Step 1. Select Tools > Account Settings to activate the Account Settings window. Step 2. Select the Junk Settings option associated with a specific Gmail or RiseUp account in the sidebar. Step 3. Enable the Junk Settings options so that your own Account Settings - Junk Settings screen resembles the following:

The Account Settings - Junk Settings window Step 4. Click to complete the configuration of the Account Settings window.

Note: The Junk Settings options must be configured separately for each account. As such, junk mail for a Gmail or a RiseUp account will be placed in its corresponding Deleted folder. Alternatively, you may designate a Local Folder to receive junk mail from all your accounts.

The Account Settings - Junk Settings window, displaying the settings for a central junk folder Step 1. Select the Junk Settings option directly beneath Local Folders in the sidebar. Step 2. Select the Local Folders item from the "Junk" folder on: drop-down list as displayed in figure above. Step 3. Click to complete the configuration of the Account Settings window.

Preparing a Gmail account for use with Thunderbird
Log in to your Gmail account in your browser. Select Settings from options in the top right, and then go to the tab Forwarding and POP/IMAP. Click Enable IMAP and then Save Changes.

Configuring Thunderbird to use SSL/TLS When you start up Thunderbird for the first time, you will enter a step-by-step configuration procedure for setting up your first account. (You can invoke the account setup interface at any time by selecting File | New | Mail Account.) On the first screen, you will be asked for your name, your email address and your password. The value you enter for your name does not have to be your real name; it will be shown to the recipients of your messages. Enter the information and click Continue.

On the next screen, Thunderbird will attempt to determine the server names based on your email address. This may take some time, and will only work if Thunderbird knows the settings for the mail servers for your email provider. In either case you will be presented with a window where you can modify the settings. In the example below, Thunderbird has detected the settings automatically. You can see the protocol at the right side of the server names. This should be either SSL/TLS or STARTTLS. Otherwise your connection is insecure and you should attempt manual setup.

When you are finished, click Create account. If Thunderbird could not determine your server settings, click on Manual setup to configure the server names yourself.

Manual setup Use the Account Settings interface to manually configure accounts in Thunderbird. The Account Settings dialog will automatically open if you select Manual setup in the configuration wizard. In this case we are only interested in the incoming and outgoing mail server names, and the protocol we use to connect with them. As you can see in the examples below, we enter the Gmail server names and we force them to use SSL, a secure method to connect to the servers.

Under 'Server Settings', we will find only the incoming (IMAP) server and its settings for that specific account.

After Server Name, enter the name of the IMAP server, in this case the Gmail IMAP server shown in the figure. As you can see, we have selected SSL/TLS under the Connection security setting. This enforces encryption. Do not be scared by the authentication method Normal password: the password is protected by the encrypted connection to the server, so it is never sent in the clear. Finally, configure the outgoing server for the account. Click on Outgoing Server (SMTP) in the left panel.

Again, we have selected SSL/TLS under Connection security. The port will default to 465 and this should generally not have to be changed.
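As an added example that is not part of this guide, the following Python script captures the rule behind the "Normal password" advice above: the password may only be sent once the session is protected by SSL/TLS or by a completed STARTTLS upgrade, and a client configured for STARTTLS must abort rather than fall back when the server does not advertise it. The greeting lines are constructed samples, and probe_imap() is a hypothetical helper (not part of Thunderbird) that performs the live check with Python's imaplib.

```python
"""Decide whether Thunderbird's 'Normal password' authentication is acceptable for a
given connection-security setting. Added example; not part of the original guide."""
import imaplib
import ssl
import sys

# Port conventions used by the guide's screenshots: IMAP and SMTP wrapped in TLS from
# the first byte (993, 465) versus plaintext ports that must be upgraded with STARTTLS.
TLS_PORTS = {"imap": 993, "smtp": 465}
STARTTLS_PORTS = {"imap": 143, "smtp": 587}

# Constructed sample greetings, as an IMAP server sends them before any login.
GREETING_UPGRADEABLE = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
GREETING_NO_STARTTLS = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready"


def parse_imap_capabilities(line: str) -> set:
    """Capability tokens from '* CAPABILITY ...' or a '* OK [CAPABILITY ...]' greeting."""
    text = line.strip()
    if "[CAPABILITY" in text:
        text = text.split("[CAPABILITY", 1)[1].split("]", 1)[0]
    elif text.upper().startswith("* CAPABILITY"):
        text = text[len("* CAPABILITY"):]
    else:
        return set()
    return {token.upper() for token in text.split()}


def login_plan(security: str, capabilities: set) -> str:
    """What must happen before a plain password goes over the wire.

    security is the Thunderbird setting: 'SSL/TLS', 'STARTTLS' or 'None'.
    Returns 'login' (the socket is already wrapped in TLS), 'starttls' (upgrade
    first, then log in) or 'abort' (the password would travel in clear text)."""
    if security == "SSL/TLS":
        return "login"
    if security == "STARTTLS" and "STARTTLS" in capabilities:
        return "starttls"
    # Either no protection was configured, or the server cannot upgrade; never
    # fall back to sending the password unencrypted.
    return "abort"


def probe_imap(host: str, security: str) -> dict:
    """Live check of an IMAP server (needs network access; not run by the tests).
    Certificate verification stays on so a man-in-the-middle server is rejected."""
    context = ssl.create_default_context()
    if security == "SSL/TLS":
        conn = imaplib.IMAP4_SSL(host, TLS_PORTS["imap"], ssl_context=context)
    else:
        conn = imaplib.IMAP4(host, STARTTLS_PORTS["imap"])
    capabilities = {c.upper() for c in conn.capabilities}
    plan = login_plan(security, capabilities)
    if plan == "starttls":
        conn.starttls(context)  # imaplib re-reads the capabilities after the upgrade
        capabilities = {c.upper() for c in conn.capabilities}
    conn.logout()
    return {"plan": plan, "capabilities": sorted(capabilities)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # usage: script.py imap.example.org [SSL/TLS|STARTTLS]
        print(probe_imap(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "SSL/TLS"))
    for greeting in (GREETING_UPGRADEABLE, GREETING_NO_STARTTLS):
        caps = parse_imap_capabilities(greeting)
        print(greeting, "->", {s: login_plan(s, caps) for s in ("SSL/TLS", "STARTTLS", "None")})
```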

Setup Thunderbird on Ubuntu for Riseup mail
Start the Account Wizard The first time you run Thunderbird, the account wizard will walk you through setting up an account. If the wizard does not open, you can do this:
1. Choose the menu item Edit > Account Settings…

2. Click the Add Account… button.

Step 1 You will see a prompt. Enter your name, email address and password.

Click Continue. Step 2 Thunderbird will pull the settings from riseup's servers.

Now you need to decide if you want to use IMAP or POP. It will by default pick IMAP, so if you want IMAP you can simply click continue. To switch to POP, click edit. Then click the dropdown menu that says IMAP and change it to POP. Now click Re-Test Configuration. It should show you using POP. If so, click Continue.

Step 3 If this does not work, you may have entered your username or password wrong. Click Start Over and try again. Otherwise… You’re done! It should automatically check your mail now and every few minutes after. Have fun using Thunderbird!

Download and Extract Portable GPG for Thunderbird
Step 1. Click to be directed to the download site. Step 2. Click to activate the GPG_for_Thunderbird_Portable_1.4.11.paf.exe download window, and then click to save the installation file; then navigate to it. Step 3. Double click the installation file; the Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:

The Installer Language window Step 4. Double click to activate the GPG for Thunderbird | Portable Apps Installer window, and then click to activate the following screen:

The Choose Install Location window

Step 5. Click to activate the Browse for Folder window as follows:

The Browse for Folder window Step 6. Click to return to the Choose Install Location window (Figure 7), and then click to begin extracting Portable GnuPG; then click after the extraction process has been completed.

Step 7. Navigate to the destination removable drive or USB memory stick, and then select E:\ThunderbirdPortable\App to verify that the GPG for Thunderbird Portable program has been successfully extracted.

The destination removable drive window displaying the newly extracted GPG for Thunderbird Portable program

How to Download and Install Enigmail Enigmail is a Mozilla Thunderbird add-on that lets you protect the privacy of your email communication. Enigmail is simply an interface that lets you use the GnuPG encryption program from within Thunderbird. The Enigmail interface is represented as OpenPGP in the Thunderbird console toolbar. Step 1. Click to be directed to the download site.

Step 2. Click beneath the Download title in the top left corner of the page to activate the enigmail-1.1.2-tb-win.xpi download window, and then click to save it to your computer. Step 3. Open the Thunderbird Portable folder, and then double click to open Thunderbird Portable.


Step 4. Select Tools > Add-ons in the Thunderbird Portable main console as follows:

The Thunderbird Portable main console with the Add-ons item selected

This will activate the following screen:

The Thunderbird Portable Add-ons window Step 5. Click to complete the Enigmail installation, and restart Thunderbird Portable.

Encrypting email with Thunderbird
Here we show you how to use OpenPGP with Enigmail to encrypt and decrypt mail and to verify the authenticity of the mail you receive. Want to enhance your email security by learning how to use OpenPGP with Thunderbird? This short primer gets you started in no time encrypting and decrypting emails and verifying that the emails you receive come from the people you expect them to be from.

Install Enigmail and Run the OpenPGP Setup Wizard
1. If you haven't done so already, generate an OpenPGP key pair.
2. Download Enigmail from . Linux users: it's best to download and install the extension to get the latest one, rather than using one provided by your package manager, which is likely outdated. Thunderbird will automatically install updates to Enigmail in the future. You are free to download the best choice compatible with your operating system and your browser version.
3. Navigate to Tools → Add-ons.
4. Press the Install… button.
5. Navigate to the Enigmail .xpi file and select Open. Enigmail will then install.
6. Restart Thunderbird if necessary.
7. Navigate to the new top-menu entry OpenPGP → Setup Wizard.
8. Select Yes and hit Next.
9. Choose whether you want to set up OpenPGP for all identities or just for selected identities, if you've created more than one identity in Thunderbird. If you have multiple identities, choosing to set up OpenPGP for all identities will use one key for all of them.
10. Choose whether you want to sign all of your outgoing emails. Signing does not encrypt emails; it places your digital signature on all of your outgoing emails to allow others to verify that you sent the email. It is recommended not to sign all of your outgoing emails, as it strongly links everything you send out via unencrypted email directly to you. It's best just to encrypt your emails to everyone you know who supports encryption.
11. Choose whether you want to encrypt all of your outgoing emails by default. This is not recommended, as it is cumbersome if your recipient doesn't support encryption. You can set up encryption rules later on, which will enable you to always send encrypted emails under conditions you determine.
12. Choose to make some changes recommended by OpenPGP. These are all technical configuration changes in Thunderbird that streamline the OpenPGP process and avoid configurations that cause breakages. These are all safe changes, though they do change functionality in some cases, most notably by disabling composing HTML messages.
13. Either create a key if you haven't done so already, or select an existing key to use. If you have multiple keys and/or multiple identities, you may have to make some manual changes later to associate the right key with the right identity.
14. Review the proposed changes and hit Next.
15. If there are no errors, OpenPGP is ready to use. Hit Finish.

Using Enigmail with GnuPG in Thunderbird

An Overview of GnuPG, Enigmail and Private-Public Key Encryption
Enigmail is a Mozilla Thunderbird add-on that lets you protect the privacy of your email communication. Enigmail is simply an interface that lets you use the GnuPG encryption program from within Thunderbird. The Enigmail interface is represented as OpenPGP in the Thunderbird console toolbar. Enigmail is based on public-key cryptography. In this method, each individual must generate her/his own personal key pair. The first key is known as the private key. It is protected by a password or passphrase, guarded and never shared with anyone. The second key is known as the public key. This key can be shared with any of your correspondents. Once you have a correspondent's public key you can begin sending encrypted emails to this person. Only she will be able to decrypt and read your emails, because she is the only person who has access to the matching private key. Similarly, if you send a copy of your own public key to your email contacts and keep the matching private key secret, only you will be able to read encrypted messages from those contacts. Enigmail also lets you attach digital signatures to your messages. The recipient of your message who has a genuine copy of your public key will be able to verify that the email comes from you, and that its content was not tampered with on the way. Similarly, if you have a correspondent's public key, you can verify the digital signatures on her messages.

How to Install Enigmail and GnuPG
How to Install GnuPG Installing GnuPG is quite straightforward, and resembles other software installations you may have performed. To begin installing GnuPG, perform the following steps: Step 1. Double click to begin the installation process. The Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:

GNU Privacy Guard Setup Wizard Step 2. Click to activate the GNU Privacy Guard Setup - License Agreement window; after you have completed reading it, click to activate the GNU Privacy Guard Setup - Choose Components window.

Step 3. Click to accept the default settings and activate the GNU Privacy Guard Setup - Install Options - GnuPG Language Selection window.

Step 4. Click to accept en-English as the default language, and activate the Choose Install Location window.

Step 5. Click to accept the default installation path and activate the Choose Start Menu Folder screen.

Step 6. Click to begin unpacking and installing the various GnuPG packages. After this process has completed, the Installation Complete screen will appear. Step 7. Click and then to complete installing the GnuPG program.

How to Install the Enigmail Add-on After you have successfully installed the GnuPG software, you are ready to install the Enigmail add-on. To begin installing Enigmail, perform the following steps: Step 1. Open Thunderbird, then select Tools > Add-ons to activate the Add-ons window; the Add-ons window will appear with the default Get Add-ons pane enabled.

Step 2. Click to activate the following screen:

The Add-ons window with the Extensions pane displayed Step 3. Click to activate the following screen:

The Select an extension to install screen

Step 4. Navigate to the folder where you saved Enigmail and click to activate the following screen:

The Software Installation window Important: Before you perform this step, make sure all your online work has been saved! Step 7. Click to return to the figure above, and then click to complete the Enigmail add-on installation.

To verify your installation of the Enigmail add-on was successful, return to the Thunderbird main user interface, and check if OpenPGP appears in the Thunderbird toolbar.

The Thunderbird toolbar with OpenPGP highlighted

How to confirm that Enigmail and GnuPG are working Before you can begin using Enigmail and GnuPG to authenticate and encrypt your emails, you must first ensure that they are both communicating with each other. Step 1. Select OpenPGP > Preferences to display the OpenPGP Preferences screen as follows:

The OpenPGP Preferences screen If GnuPG has been successfully installed, the path to gpg.exe will be visible in the Files and Directories section; otherwise, you may receive a pop-up alert resembling the following:

The OpenPGP Alert pop-up message Tip: If you have received this message, it may indicate that you have installed the file in the wrong location. Check the Override with option to enable the Browse... button, and then click it to activate the Locate GnuPG program window and manually navigate to the location of the gpg.exe file on your computer. Step 2. Click to return to the Thunderbird console.

How to Generate Key Pairs and Configure Enigmail to Work with Your Email Accounts Once you have confirmed that Enigmail and GnuPG are working properly, you can configure one or more of your email accounts to use Enigmail to generate one or more private/public key pairs.

How to Use the OpenPGP Wizard to Generate a Key Pair Enigmail provides two ways of generating a private-public key pair: the first uses the OpenPGP Setup Wizard and the second uses the Key Management screen. To generate a key pair for the first time using the OpenPGP Setup Wizard, perform the following steps: Step 1. Select OpenPGP > Setup Wizard to open the OpenPGP Setup Wizard screen as follows:

The Welcome to the OpenPGP Setup Wizard screen Step 2. Click to activate the following screen:

The Select Identities screen Step 3. Click to activate the following screen:

The Signing - Digitally Sign Your Outgoing Emails screen Step 4. Click to activate the following screen:

The Encryption - Encrypt Your Outgoing Emails screen Step 5. Click to activate the following screen:

The Preferences - Change Your Email Settings to Make OpenPGP Work More Reliably screen

Step 6. Click to activate the following screen:

The Preferences screen Note: In the section How to Disable the HTML Feature in Thunderbird we briefly discussed how messages formatted in HTML can leave you open to attack from different kinds of viruses. The View message body as plain text and Do not compose HTML messages options address that issue. Step 7. Click to return to the OpenPGP Setup Wizard, and then click to activate the Create Key - Create A Key To Sign and Encrypt Email window.

Note: The first time you attempt to create a key for an email account, none of your email accounts will appear in the drop-down list - yet. Step 8. Type a passphrase of at least 8 alphanumeric characters in length into both the Password

The Create Key - Create A Key To Sign and Encrypt Email window

Step 9. Click to confirm these settings and then click to return to the Create a Key screen; the name of your first email account will appear, resembling the following:

The Newly Created Account / User ID
Step 4. Click to activate the Summary screen, which basically reflects the settings used while generating the key pairs.

Note: Any key pair generated using the OpenPGP Setup Wizard is automatically based on a 2048-bit structure and has a lifespan of 5 years. Neither of these characteristics can be changed after the key pair has been generated using this method.

How to Generate Additional Key Pairs and Revocation Certificates for another Email Account It is standard practice to have a separate key pair for each email account. Follow the steps below if you want to generate additional key pairs for your other email accounts. Generating a key pair also involves generating a revocation certificate associated with that key pair. Send this certificate to your contacts to disable usage of your public key in case your private key is compromised or you have lost access to it.

Step 1. Select OpenPGP > Key Management to activate the following screen:

The OpenPGP Key Management Generate menu with New Key Pair item selected

Note: Check the Display All Keys by Default option to view the key pair generated using the OpenPGP Setup Wizard for your first email account, as presented in the figure above. Step 2. Select Generate > New Key Pair from the Key Management menu, as displayed in the figure above, to activate the following screen:

The Generate OpenPGP Key screen Step 3. Select an email account from the Account / User ID drop-down list, check the Use generated key for the selected identity option, and create a passphrase to protect your private key. Note: As its name implies, a passphrase is simply a longer password. Enigmail is simply prompting you to enter a password that is longer and more secure than a conventional one. Important: Always generate key pairs with a passphrase, and never enable the "no passphrase" option.

The Generate OpenPGP Key displaying the Key Expiry tab

Note: The length of time for which a key pair remains valid depends entirely on your privacy and security needs; the more frequently you change your key pairs, the more difficult it becomes for a key pair to be compromised. However, every time you change your key pair you will need to send the new public key to your correspondents and verify it with each of them. Step 5. Type in the appropriate number, and then select the desired unit of time (days, months or years) for which the key pair will remain valid. Step 6. Click to activate the following screen:

The OpenPGP Confirm dialog box Step 7. Click to activate the following screen:

The OpenPGP Prompt confirmation dialog box Step 8. Click to activate the Create & Save Revocation Certificate navigation window.

Note: If you know a hostile or malicious party has gained unauthorized access to your public key or you lost access to this key, you may send the revocation certificate to your contact to let them know that they should not use your matching public key. Keep in mind that you might need to do this if your computer is lost, stolen or confiscated. You are strongly advised to back up and protect your revocation certificate.

The OpenPGP Alert confirmation screen Step 9. Click to activate the following screen; then type in your passphrase associated with this account as follows:

The Please Type In Your OpenPGP passphrase to proceed with key pair generation

Step 10. Click to complete generating both a key pair and revocation certificate, and return to the following screen:

The OpenPGP Key Management window with the key pair displayed

Note: Check the Display All Keys by Default option to display all the key pairs and their associated accounts, if you are completely alone in a safe environment. After you have successfully generated both your key pair and its associated revocation certificate, you are now ready to exchange public keys with a trusted correspondent.

How to Configure Enigmail for Use with Your Email Account
To enable Enigmail for use with a specific email account, perform the following steps: Step 1. Select Tools > Account Settings. Step 2. Select the OpenPGP Security menu item in the sidebar as follows:

The Account Settings - OpenPGP Security screen

Step 3. Check the Enable OpenPGP support option and select the Use email address of this identity to identify OpenPGP key option as shown already. Step 4. Click to return to the Thunderbird console.

How to Exchange Public Keys Before you can begin sending encrypted email messages to one another, you and your correspondents must exchange public keys. You must also confirm the validity of any key you accept by confirming that it really belongs to its purported sender. How to Send a Public Key using Enigmail To send a public key using Enigmail/OpenPGP, both your correspondent and you will perform the following steps: Step 1. Open Thunderbird and then click to write a new message.

Step 2. Select the menu option OpenPGP > Attach My Public Key. Note: In this method the Attachments: pane is not displayed immediately; it will appear as soon as you send the message. If you would like to send a different public key, select the menu option OpenPGP > Attach Public Key... and select the key you would like to send.

The Write message pane displaying the attached public key in the Attachments pane. Step 3. Click to send your email with your attached public key. The following screen may be displayed:

The OpenPGP Prompt screen for setting up the default encryption and signing mode Step 4. Check the Encrypt/sign message as a whole option, and then click to enter your passphrase. Step 5. Enter your passphrase, and then click to activate the following screen:

The OpenPGP Prompt - Do you want to encrypt the message before saving screen Step 6. Click to encrypt, sign and send your message.

How to Import a Public key using Enigmail Both your correspondent and you will perform the same steps when importing each other's public keys. Step 1. Select and open the email containing your correspondent's public key. If your correspondent's public key is embedded in the email, the Decrypt button will be enabled, and the following heading appears in your message pane:

Click Decrypt button to import public key block in message Step 2. Click to begin automatically scanning the content of the received message for any encrypted data. After the Enigmail/OpenPGP tool detects a message containing a public key, it will prompt you to import the key as follows:

The OpenPGP Confirm Import public key(s) embedded in message? Step 3. Click to import your correspondent's public key.

If you have successfully imported the public key, a message resembling the following will appear:

The OpenPGP Alert screen displaying your correspondent's public key To confirm that you have received your correspondent's public key, perform the following step: Step 1. Select OpenPGP > Key Management to display the OpenPGP Key Management screen as follows:

The OpenPGP - Key Management displaying a recently imported public key

How to Validate and Sign a Key Pair Finally, you must verify that the imported key truly belongs to the person who purportedly sent it, then confirm its 'validity.' This is an important step that both you and your email contacts should follow for each public key that you receive. How to Validate a Key Pair Step 1. Contact your correspondent through some means of communication other than email. You can use a telephone, text messages, Voice over Internet Protocol (VoIP) or any other method, but you must be absolutely certain that you are really talking to the right person. As a result, telephone conversations and face-to-face meetings work best, if they are convenient and if they can be arranged safely. Step 2. Both you and your correspondent should verify the 'fingerprints' of the public keys that you have exchanged. A fingerprint is a unique series of numbers and letters that identifies each key. You can use the OpenPGP Key Management screen to view the fingerprint of key pairs you have created and public keys you have imported. To view the fingerprint of a particular key, perform the following steps: Step 1. Select OpenPGP > Key Management and then right-click on a particular key to activate the pop-up menu:

The OpenPGP Key Management menu with the Key Properties item selected Step 2. Select the Key Properties item to activate the following screen:

The Key Properties screen Your correspondent should repeat these steps. Confirm with each other that the fingerprint for the key each of you have exchanged matches the sender's original. If they don't match, exchange your public keys again and repeat the validation process. Note: The fingerprint itself is not a secret and can be recorded for later verification at your convenience.
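To make the fingerprint check concrete, here is an added Python example (not code from the guide or from Enigmail) that builds the packet an OpenPGP v4 public key is stored in, derives from it the 40-digit fingerprint that Key Properties displays and the 16-digit key ID, and compares two fingerprints as they would be read out over the phone. The key numbers are constructed and nothing like real key material; the SHA-1 over the 0x99-prefixed packet follows RFC 4880 section 12.2.

```python
"""Compute the OpenPGP v4 fingerprint Enigmail shows in Key Properties and compare
fingerprints read out over the phone. Added example; not code from the guide."""
import hashlib
import hmac
import re


def encode_mpi(value: int) -> bytes:
    """RFC 4880 multi-precision integer: two-octet bit length, then big-endian magnitude."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet (RFC 4880 section 5.5.2): version byte,
    creation time, algorithm id 1 (RSA), then the public MPIs n and e."""
    return bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + encode_mpi(n) + encode_mpi(e)


def public_key_packet(body: bytes) -> bytes:
    """Old-format packet header for tag 6 with a two-octet length: 0x99, length, body."""
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a two-octet length")
    return b"\x99" + len(body).to_bytes(2, "big") + body


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 of 0x99, the two-octet body length and the body,
    which is exactly the packet as public_key_packet() writes it."""
    return hashlib.sha1(public_key_packet(body)).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 16-digit 'long' key ID is the low 64 bits of the fingerprint. It is a
    convenience label, not a substitute for comparing all 40 digits."""
    return fingerprint[-16:]


def normalize_fingerprint(text: str) -> str:
    """Accept the spaced form Key Properties shows, lower case, colons or a 0x prefix."""
    cleaned = text.strip()
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    cleaned = re.sub(r"[\s:]", "", cleaned).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("a full fingerprint has 40 hex digits; got %r" % text)
    return cleaned


def fingerprints_match(mine: str, theirs: str) -> bool:
    """Compare two readings of a fingerprint. A short key ID is rejected outright
    rather than partially matched, since only the full 40 digits identify the key."""
    return hmac.compare_digest(normalize_fingerprint(mine), normalize_fingerprint(theirs))


# Constructed sample key material: a 1024-bit number that is not a real RSA modulus,
# used only so every step of the fingerprint computation can be followed.
SAMPLE_N = (1 << 1023) | 0x2012_0501_C0FFEE
SAMPLE_E = 65537
SAMPLE_CREATED = 1335830400  # 2012-05-01T00:00:00Z, constructed
SAMPLE_BODY = v4_rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
SAMPLE_FINGERPRINT = v4_fingerprint(SAMPLE_BODY)

if __name__ == "__main__":
    spaced = " ".join(SAMPLE_FINGERPRINT[i:i + 4] for i in range(0, 40, 4))
    print("Fingerprint:", spaced)
    print("Key ID:     ", long_key_id(SAMPLE_FINGERPRINT))
    print("Phone reading matches:", fingerprints_match(spaced.lower(), SAMPLE_FINGERPRINT))
```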

How to Sign a Valid Public Key After you have established that a given correspondent's key is an exact match, you must sign it, to confirm that you consider this key valid. To sign a properly validated public key, perform the following steps: Step 1. Click to return to the Key Management screen.

Step 2. Right-click your correspondent's public key and select the Sign Key item from the menu to activate the following screen:

The OpenPGP - Sign Key screen Step 3. Check the I have done very careful checking option, and then click to complete signing your correspondent's public key, complete the validation process, and return to the OpenPGP Key Management window as follows:

The OpenPGP Key Management displaying validated key pairs

How to Manage Your Key Pairs The OpenPGP Key Management window is used to generate, validate and sign different key pairs. However, you may also perform other tasks related to key management, among them:

- Change Passphrase: This item lets you change the passphrase protecting your key pair.
- Manage User IDs: This item lets you associate more than one email address with a single key pair.
- Generate & Save Revocation Certificate: This lets you generate a new revocation certificate, if you have lost or misplaced the one you created earlier.

How to Encrypt and Decrypt Email Messages Important: The header of any email message - that is, its Subject and intended recipients (including any information in the To, CC and BCC fields) - cannot be encrypted and will be sent in the clear. To ensure the privacy and security of your email exchanges, the subject or title of your email should be kept non-descriptive so as not to reveal sensitive information. In addition, you are strongly advised to put all addresses in the BCC field when sending emails to a group of people. When encrypting email messages with attachments, we strongly recommend using the PGP/MIME option, as this extends encryption to include any files attached to your email.
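The following added Python example (not from the guide) shows what this means on the wire: it builds an RFC 3156 PGP/MIME envelope and an inline-PGP message around the same constructed ciphertext placeholder and reports what a mail server sees without the recipient's private key. The Subject stays readable in both, while the attachment's name and bytes are visible only in the inline variant; the example.org addresses and the placeholder ciphertext are constructed.

```python
"""What a mail server sees when a message is sent as PGP/MIME versus inline PGP.
Added example; the ciphertext is a constructed placeholder, not GnuPG output."""
import email
from email import encoders
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed stand-in for the ASCII-armored ciphertext GnuPG would produce from
# plaintext_entity(); its content does not affect the envelope structure shown here.
CIPHERTEXT_PLACEHOLDER = (
    b"-----BEGIN PGP MESSAGE-----\n"
    b"[constructed placeholder for GnuPG output]\n"
    b"-----END PGP MESSAGE-----\n"
)
# Constructed sample message content.
SENDER, RECIPIENT, SUBJECT = "alice@example.org", "bob@example.org", "Re: travel"
ATTACHMENT_NAME, ATTACHMENT = "plan.pdf", b"%PDF-1.4 constructed sample"


def attachment_part(name: str, data: bytes) -> MIMEApplication:
    part = MIMEApplication(data, "octet-stream", Name=name)
    part.add_header("Content-Disposition", "attachment", filename=name)
    return part


def plaintext_entity(body_text: str, name: str, data: bytes) -> bytes:
    """The MIME entity PGP/MIME hands to GnuPG as one unit: body text plus attachment."""
    inner = MIMEMultipart("mixed")
    inner.attach(MIMEText(body_text, "plain", "utf-8"))
    inner.attach(attachment_part(name, data))
    return inner.as_bytes()


def pgp_mime_message(ciphertext: bytes) -> bytes:
    """RFC 3156 multipart/encrypted envelope: a version part plus the ciphertext.
    Only these outer headers and the two wrapper parts travel in the clear."""
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"], outer["To"], outer["Subject"] = SENDER, RECIPIENT, SUBJECT
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit))
    outer.attach(MIMEApplication(ciphertext, "octet-stream", encoders.encode_7or8bit))
    return outer.as_bytes()


def inline_pgp_message(ciphertext: bytes, name: str, data: bytes) -> bytes:
    """Inline PGP encrypts only the text body; an attachment rides along as an
    ordinary, unencrypted part unless it is encrypted separately."""
    outer = MIMEMultipart("mixed")
    outer["From"], outer["To"], outer["Subject"] = SENDER, RECIPIENT, SUBJECT
    outer.attach(MIMEText(ciphertext.decode("ascii"), "plain", "us-ascii"))
    outer.attach(attachment_part(name, data))
    return outer.as_bytes()


def visible_in_transit(raw: bytes) -> dict:
    """Everything a relay or eavesdropper can read without the recipient's private key."""
    msg = email.message_from_bytes(raw)
    parts, filenames, text = [], [], []
    for part in msg.walk():
        parts.append(part.get_content_type())
        if part.get_filename():
            filenames.append(part.get_filename())
        if not part.is_multipart():
            text.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return {"subject": msg["Subject"], "parts": parts,
            "filenames": filenames, "text": "\n".join(text)}


if __name__ == "__main__":
    # In real use GnuPG encrypts this entity; here the placeholder stands in for its output.
    to_encrypt = plaintext_entity("Meeting moved to Thursday.", ATTACHMENT_NAME, ATTACHMENT)
    print("entity handed to GnuPG names the attachment:", b"plan.pdf" in to_encrypt)
    variants = (("PGP/MIME", pgp_mime_message(CIPHERTEXT_PLACEHOLDER)),
                ("inline PGP", inline_pgp_message(CIPHERTEXT_PLACEHOLDER, ATTACHMENT_NAME, ATTACHMENT)))
    for label, raw in variants:
        seen = visible_in_transit(raw)
        print(label, "| subject:", seen["subject"], "| parts:", seen["parts"],
              "| attachment names visible:", seen["filenames"])
```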

How to Encrypt a Message
Once both you and your correspondent have successfully imported, validated and signed each other's public keys, you are ready to begin sending encrypted messages and decrypting received ones. To encrypt the contents of your email message to your correspondent, perform the following steps: Step 1. Open your email account and click to write an email. Step 2. Click to activate the following screen:

The OpenPGP Encryption pop-up window

Note: If you checked the Encrypt/sign message as a whole option and send it using PGP/MIME, as recommended in the figure "The OpenPGP Prompt screen for setting up the default encryption and signing mode", the figure "The Key Properties screen" will not appear. Step 3. Check both the Sign Message and Encrypt Message options as shown above, and then click to complete signing and encrypting the content of your email.

Note: To verify that your message will be both encrypted and signed, check that the following two icons appear at the bottom right corner of the message pane as follows: The Message Signing and Encryption Confirmation icons Step 4. Click to send the message. You will be prompted for password to use your private key to sign the message.

How to Decrypt a Message
When you receive and open an encrypted message, Enigmail/OpenPGP will automatically attempt to decrypt it. This will activate the following screen:

The OpenPGP Prompt - Please type in your OpenPGP passphrase or your SmartCard PIN Step 1. Enter your passphrase. After you have entered your private key passphrase, the message is decrypted and displayed as follows:

The newly decrypted message in the message pane. You have now successfully decrypted this message. By repeating the steps described in section 4.5 How to Encrypt and Decrypt Email Messages every time you and your correspondent exchange messages, you can maintain a private, authenticated channel of communication, regardless of who might be attempting to monitor your email exchanges.

Install Gpg4win
Gpg4win is the recommended OpenPGP implementation for Windows. It is Free Software, licensed under the GPL, with the source code available for modification or scrutiny.
1. Download Gpg4win from here.
2. Double click the executable and begin the installation.
3. Select the language you'll be using.
4. You'll be greeted by the welcome screen. Press Next to continue.
5. Next, you'll be asked to agree to the GNU General Public License (the GPL license), which can be read in its entirety at . If you accept, press Next.
6. Choose the components you want to install. The default options are recommended. Claws-Mail is a powerful cross-platform email client available for Linux, Windows, Mac OS X, and others. GpgOL installs the plugin necessary to use OpenPGP keys with the Outlook mail client.
7. Select the install folder (the default is recommended).
8. Choose what shortcuts to create.
9. Choose a name for any shortcut folders and then begin the installation. Choose to view the README file, or not, and then click Finish. Gpg4win is now installed and ready to use!

Create and Export an OpenPGP Public/Private Key pair
Kleopatra seems to be the more recent and more polished of the two Gpg4win key manager GUI frontends on Windows, so this guide recommends using that. 1. Launch Kleopatra by the shortcut you installed (default: Start → All Programs → Gpg4win → Kleopatra) 2. Click File → New Certificate… or Ctrl+N. 3. Press the Create a personal OpenPGP key pair button. 4. Enter your name, email address, and a comment if you wish. Your name and email address can be anything you want, not necessarily your real name or email address. If you want to use your OpenPGP key for encrypting email, put the email address you want to use with encryption in the “Email address” box. When finished, click the Advanced Settings… button.

5. In the Advanced Settings… dialog box, choose your key type and key strength. RSA, using key strength of 3,072 bits (appears to be the maximum supported), for Signing and Encryption are recommended. When finished with the key settings, press OK to close the dialog box, and then click Next. 6. Review the information for the key, then press the Create Key button.

7. Enter a strong password that you can remember. The password strength meter will give you a relative indication of how strong the password is. Getting 100% is strongly recommended. If you forget this password, it cannot be recovered and any encrypted data you have using it, including emails, will be permanently inaccessible.
Your key pair is now finished! From here, you can do one of the following:

- Make a backup copy of your certificate (key)
- Send the Certificate by email
- Upload the certificate to a Directory Service (key server)
- Finish the wizard

It is recommended to upload the certificate to a directory service. This will upload your public key to a key server where it can be used by others to encrypt data and emails that only you can decrypt.

Find or Import someone else’s OpenPGP Public Key
If you want to be able to communicate with someone securely or encrypt data that only they can read, you need to import their public key into your keyring first.

Import from a key file
If someone exports their key to a file and sends it to you, you can import it into your keyring via Kleopatra by:
1. Pressing the Import Certificates button, then
2. Locating where you saved the key file, selecting it, and pressing the Open button.
The key that was stored in the key file has now been imported into your keyring!

Find on the key servers
1. Navigate to File → Lookup Certificates on Server… in Kleopatra
2. Type some key words (a name or alias) to search the key servers. The best way to find someone is to search for their email address, as it’s uniquely tied to them.
3. Select and review the keys that are returned to determine whether the key(s) returned belong to the person you’re looking for. You can review additional information about the key by pressing the Details… button.
4. Once you’ve determined and selected the key(s) you want to import into your local keyring, press Import.
Their public key has now been imported into your keyring! Be sure to Sign it to make it ready to use.

Sign their key (Certify their Certificate)
Before you can use the other person’s public key to encrypt data or send emails to them, you have to sign their key with your key. To do this,
1. Click the Imported Certificates or Other Certificates tab.
2. Right click the key you want to sign and click Certify Certificate…
3. Select the user ID you want to certify and press Next.
4. Choose whether you want this certification to be visible to others or only to yourself and then press the Certify button.

You have now signed their key (certified their certificate) and are ready to begin encrypting data or emails that only they can decrypt!

Installing PGP on Ubuntu
We will use the Ubuntu Software Centre for installing PGP (Enigmail and accessories). First open the Ubuntu Software Center through Applications -> Ubuntu Software Center:

Type into the search field 'Enigmail' and search results should be returned automatically:

Highlight the Enigmail item (it should be highlighted by default) and click 'Install' and you will be asked to authenticate the installation process.

Enter your password and click 'Authenticate'. The installation process will begin.

When the process is completed you get very little feedback from Ubuntu. The progress bar at the top left disappears. The 'In Progress' text on the right also disappears. Enigmail should now be installed.

Creating your PGP keys
You are now ready to start encrypting your mails with PGP. You can do this by using Enigmail within Thunderbird. Enigmail comes with a nice wizard to help you with the initial setup and the important aspect of creating a public/private key pair (see the chapter introducing PGP for an explanation). You can start the wizard at any time within Thunderbird by selecting OpenPGP > Setup Wizard from the menu on top.

Step 1. This is what the wizard looks like. Please read the text on every window carefully. It provides useful information and helps you set up PGP to your personal preferences. In the first screen, click on Next to start the configuration.

Step 2. The wizard asks you whether you want to sign all your outgoing mail messages. If you do not choose to sign all your messages, you will have to specify per recipient whether you want to sign your e-mail. Signing all your messages is a good choice. Click on the 'Next' button after you have made a decision.

Step 3. On the following screen, the wizard asks you whether you want to encrypt all your outgoing mail messages. Unlike signing of mails, encryption requires the recipient to have PGP software installed. Therefore you should answer 'no' to this question, to make sure you can still send normal mails. Only answer 'yes' here if you want to prevent Thunderbird from ever sending unencrypted mails. After you have made your decision, click on the 'Next' button.

Step 4: On the following screen the wizard asks if it can change some of your mail formatting settings to work better with PGP. It is a good choice to answer 'Yes' here. The only serious consequence is that it will prevent you from sending HTML mail messages. Click on the 'Next' button after you have made your decision.

Step 5: Now it is time to start creating the keys. In the following screen you can select one of your mail accounts, or the default one is selected for you if you have only one mail account. In the 'Passphrase' text box you have to give a password. This is a new password which is used to protect your private key. It is very important both to remember this password, because you cannot read your own encrypted emails any more when you lose it, and to make it a strong password. It should be at least 8 characters long, not contain any dictionary words and it should preferably be a unique password. Using the same password for multiple purposes severely increases the chance of it being intercepted at some point. After you have selected your account and created a passphrase, click on the 'Next' button.

Step 6: In the following screen the wizard basically wraps up what actions it will take to enable PGP encryption for your account. If you are satisfied with the options you chose in the previous windows, click on the 'Next' button.

Step 7: Your keys are being created by the wizard. Have some patience. The progress bar should slowly fill up to the right. The wizard will tell you when the keys have been successfully created, then you can click on the 'Next' button again.

Step 8: You now have your own PGP key-pair. The wizard will ask you if you also want to create a special file, called a 'Revocation certificate'. This file allows you to inform others that your key-pair should no longer be considered valid. Think of it as a 'kill switch' for your PGP identity. You can use this certificate in case you have generated a new set of keys, or in case your old key-pair has been compromised. It is a good idea to create the file and keep it somewhere in a safe place. Click on the 'Generate Certificate' button if you want to create the file, otherwise 'Skip'.

Step 9: Assuming you have decided to generate a revocation certificate, the wizard will ask you where the file should be saved. The dialog may appear a bit different on your particular operating system. It is a good idea to rename the file to something sensible like my_revocation_certificate. Click on 'Save' when you have decided on a location.

Step 10: Assuming you have decided to generate a revocation certificate, the wizard informs you it has been successfully stored.

Step 11: The wizard will inform you it has completed its setup.

Congratulations, you now have a fully PGP-configured mail client. In the next chapter we will explain how to manage your keys, sign messages and do encryption. Thunderbird can help you do a lot of these things automatically.

Setup OpenPGP Rules in brief for Ubuntu
In Thunderbird, the Enigmail extension provides the ability for you to set up rules which Thunderbird will use to automate who will or will not receive encrypted emails from you. The rule system is pretty powerful and can create a wide array of possible options. This guide will create a rule to always send encrypted email to a specific email address (or multiple email addresses) and operates under the assumption that your emails are unencrypted by default. However, the rule system appears to be powerful enough that if the majority of your contacts use OpenPGP encryption, you can encrypt by default and create a rule that sends unencrypted emails to contacts you have that don’t support encryption.
1. Navigate to OpenPGP → Edit Per-Recipient Rules
2. Click the Add button on the upper right.
3. Enter the email address(es) at the top (separated by spaces if matching multiple email addresses) and choose 'is exactly' if matching exact addresses, or enter matching terms and choose the appropriate matching method. The available matching methods are: is exactly, Contains, Starts with, and Ends with.
4. Choose the Action to be applied upon matching the rule. For this example, choose Use the following OpenPGP keys: and press the Select Key(s)… button. In the box that pops up from that button, select the OpenPGP key for the person to whom you’re sending email. If you don’t have their public key, press the Download missing keys button, which will search the key servers for the email(s) you entered in the matching box.
5. Change Encryption in the Defaults for … section to Always and leave Signing and PGP/MIME as Yes, if selected in Message Composition.
6. Press the OK button when you’ve completed the configuration of the rule.

You are now ready to send OpenPGP (GPG) emails to any recipient via Thunderbird and to automatically enable encryption for the chosen recipient in the rule you just created.

Add some extensions
We suggest these extensions for Thunderbird:

Display Quota: This extension will display the current status of your IMAP quota in thunderbird’s status bar and will warn you when you reach a configurable limit.

- It will only work if your mail server has an IMAP quota set: right click on your inbox, and then in the "quota" tab of the properties, if a quota appears, you're good.

How to Install in Thunderbird
1. Download and save the file to your hard disk.
2. In Mozilla Thunderbird, open Add-ons from the Tools menu.
3. Click the Install button, and locate/select the file you downloaded and click "OK."

Enigmail: get started in no time encrypting and decrypting emails and verifying that emails you receive are from the people who you expect them to be

Using GNOME’s GUI frontend: Seahorse
What is Seahorse?
Seahorse is a GUI tool for creating and managing OpenPGP keys, securely storing passwords, and creating and managing SSH certificates. It uses GPG as the back-end OpenPGP implementation.

Create and Export an OpenPGP Public/Private Key pair
1. Launch Seahorse by a menu entry (Applications → Accessories → Passwords and Encryption Keys, on Ubuntu 10.04), or by pressing ALT+F2 and typing: seahorse Then hit enter.
2. Navigate to File → New…

3. Select PGP Key

4. Enter your personal information; select your key encryption type, key strength, and when you want your key to expire. Your name and email address can be anything you want, not necessarily your real name or email address. If you want to use your OpenPGP key for encrypting email, put the email address you want to use with encryption in the “Email Address” box. Either RSA or DSA Elgamal will be fine for the encryption type; RSA is newer, though it may take longer to generate keys initially. For key strength, use the strongest available, 4096 bits at the time of writing.

5. Enter a strong password that you can remember. If you forget this password, it cannot be recovered and any encrypted data you have using it, including emails, will be permanently inaccessible.

6. The computer will now generate the key, which may take a long time. After this, you will have an OpenPGP key pair that is ready to be used. Great! You can manage the key options, export the public key, change the password, delete and/or revoke the key, and perform other key adjustments through the Seahorse user interface.
7. Optional: At this point, you can publish your public key to a key server where people can request it remotely to be able to send encrypted data and emails to you. To do this:
   1. Select the Key(s) you want to publish. Hold Ctrl and click to select more than one, or press Ctrl+A to select all keys.
   2. Navigate to Remote → Sync and Publish Keys…
   3. Press the Key Servers button.
   4. Publish the keys to any key server (select one if the “Sync” button was grayed out in the previous screen); they all synchronize with each other, so your key will be on each one.
   5. Recommended: check the Automatically retrieve keys from key servers and Automatically synchronize modified keys with key servers check boxes.
   6. Press the Close button and then the Sync button to synchronize your keys.
Your public key is now published to the key servers and is accessible to others!

Find or Import someone else’s OpenPGP Public Key
If you want to be able to communicate with someone securely or encrypt data that only they can read, you need to import their public key into your keyring first.
Note: The John Q. Alias key is used as an example key for generating a key above and also for importing a key below; in the case of importing, it is used to refer to the person for whom you’re searching, not yourself.

Import from a key file
If someone exports their key to a file and sends it to you, you can import it into your keyring via Seahorse by:
1. Navigating to File → Import… then
2. Locating where you saved the key file, selecting it, and pressing the Open button.
The key that was stored in the key file has now been imported into your keyring!

Find on the key servers
1. Navigate to Remote → Find Remote Keys… in Seahorse

2. Type some key words (a name or alias) to search the key servers. The best way to find someone is to search for their email address, as it’s uniquely tied to them.
3. Select and review the keys that are returned to determine whether the key(s) returned belong to the person you’re looking for. You can review additional information about the key by pressing the Properties button.

4. Once you’ve determined and selected the key(s) you want to import into your local keyring, press Import. Their public key has now been imported into your keyring! Be sure to Sign it to make it ready to use.

Sign their key Before you can use the other person’s public key to encrypt data or send emails to them, you have to sign their key with your key. To do this,

1. Return to the main window of Seahorse and go to the Other Keys tab.
2. Select the key you want to sign and press the Properties button.

3. Select the Trust tab and press the Sign this key button.

4. Sign the key, indicating how carefully you’ve checked the key. Selecting Not at all still allows you to use the key for email and data. You can also opt to be able to revoke your signature later or make it so that only you can see that you’ve signed the key.

5. Press Sign. You can now begin encrypting data that can only be decrypted by the key owner and establish a secure communication line between you and the key owner!

Using the Linux command line
This is based on the Ubuntu GPG Howto:

Generate an OpenPGP Key pair using GPG
1. Press Alt+F2, type gnome-terminal and press enter.
2. In the terminal, type:

gpg --cert-digest-algo=SHA256 --default-preference-list="h10 h8 h9 h11 s9 s8 s7 s3 z2 z3 z1 z0" --gen-key

It should return a menu similar to this:

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)

3. Select the type of key you want. RSA and RSA is the recommended type. (Sign only) keys cannot be used for encryption.
4. Next, enter the key size you want.

What keysize do you want? (2048)

4096 is recommended.
5. Then enter the length of time that you would like the key to be valid for and then press y to confirm the expiration date.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

If you select 0, the key does not expire and will need to be revoked when you no longer wish to use it.
6. Enter your name, email address, and a comment if you wish. Your name and email address can be anything you want, not necessarily your real name or email address. If you want to use your OpenPGP key for encrypting email, put the email address you want to use with encryption in the “Email address” prompt.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"

Real name: John Q. Alias
Email address: the-email-youre-going-to-use@whatever.tld
Comment:

7. Now enter a strong password that you can remember. If you forget this password, it cannot be recovered and any encrypted data you have using it, including emails, will be permanently inaccessible. Hit enter when complete to begin generating the key.

Your OpenPGP public/private key pair has been generated!
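The interactive prompts above can also be scripted. The following is an added example, not from this guide or from the Ubuntu GPG Howto it is based on: it writes GnuPG's documented batch parameter file for --gen-key with the settings recommended above (RSA and RSA, 4096 bits, an expiry date, the same --cert-digest-algo and --default-preference-list options), generates the key pair from it, and then creates the revocation certificate that the Enigmail wizard offers in Step 8. The name, address, comment and expiry are placeholders passed on the command line; the passphrase is never written to the file, GnuPG asks for it through its usual dialog.

```shell
#!/bin/sh
# Added example, not from the guide: unattended GnuPG key generation using
# the batch "parameter file" format of `gpg --batch --gen-key`, with the
# guide's recommended settings, followed by an interactive revocation
# certificate. Usage:
#   sh gen-key.sh                                   # only print the parameter file
#   sh gen-key.sh gen "Name" "addr" "comment" 2y    # really generate a key
# Every name and address below is a placeholder to replace.
set -eu

# Emit the parameter file on stdout.
# $1 real name, $2 email address, $3 comment (may be empty),
# $4 expiry in gpg's notation (0 = never, 2y = two years; default 2y).
build_params() {
    name=$1
    email=$2
    comment=${3:-}
    expire=${4:-2y}
    printf '%s\n' \
        '%echo Generating an OpenPGP key pair' \
        'Key-Type: RSA' \
        'Key-Length: 4096' \
        'Key-Usage: sign' \
        'Subkey-Type: RSA' \
        'Subkey-Length: 4096' \
        'Subkey-Usage: encrypt' \
        "Name-Real: $name" \
        "Name-Email: $email"
    # Leave the comment line out entirely when no comment was given.
    if [ -n "$comment" ]; then
        printf 'Name-Comment: %s\n' "$comment"
    fi
    printf '%s\n' \
        "Expire-Date: $expire" \
        '%ask-passphrase' \
        '%commit' \
        '%echo done'
}

# Generate the key pair from the parameter file, then write a revocation
# certificate for it (gpg asks for a reason and a confirmation).
generate_key() {
    params=$(mktemp)
    build_params "$@" > "$params"
    gpg --cert-digest-algo=SHA256 \
        --default-preference-list="h10 h8 h9 h11 s9 s8 s7 s3 z2 z3 z1 z0" \
        --batch --gen-key "$params"
    rm -f "$params"
    # Fingerprint of the new key: the first fpr record listed for the address.
    fpr=$(gpg --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --output "revoke-$fpr.asc" --gen-revoke "$fpr"
    echo "generated $fpr; keep revoke-$fpr.asc somewhere safe and offline"
}

if [ "${1:-}" = "gen" ]; then
    shift
    generate_key "$@"
else
    # Demo: show the parameter file that would be used.
    build_params "Example User" "user@example.invalid" "" 2y
fi
```

The parameter file keeps the certifying primary key separate from the encryption subkey, which is what "RSA and RSA" means in the interactive menu. Whether the expiry is 0 or a period, keep the revocation certificate off the machine that holds the private key; it is the only way to retire the key if the passphrase is forgotten or the key is lost.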

List your keys
You can use this command to list your keys:

gpg --list-keys

This should output data in a format like this:

/home/foobar/.gnupg/pubring.gpg
-------------------------------
pub   3072D/1C72CE6B 2010-07-17
uid                  John Q. Alias <the-email-youre-going-to-use@wherever.tld>
sub   4096g/D8F18B5F 2010-07-17

pub   3072D/0B6137AD 2010-07-24
uid                  James <>
sub   4096g/91BFCB7F 2010-07-24

Any reference to your KEY-ID below can be found using the first command and looking at the output. The line you’re looking at to find the KEY-ID is the pub line of each of the entries. The line contains pub, the key strength and type abbreviation (3072D in the first line), a slash, the KEY-ID, and then the date. The codebox below highlights the KEY-ID:

pub   3072D/1C72CE6B 2010-07-17
            ^KEY-ID^
uid                  John Q. Alias <the-email-youre-going-to-use@wherever.tld>
sub   4096g/D8F18B5F 2010-07-17

So for this example, the KEY-ID would be 1C72CE6B. Using this information, you can now do all of the following and make use of the key pair you generated.
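The 8-hex-digit KEY-ID read off the pub line is what the commands below take, but it is only the tail of the key's fingerprint and is not unique; when you check a key before signing it (the "how carefully you've checked the key" step in the Sign their key sections above) it is the full fingerprint that you read out to the other person, not the short ID. This added shell example, not from the guide, parses both the human-readable listing shown above and gpg's machine-readable `--with-colons` listing, which is the stable format to use from scripts, and then compares a fingerprint as read out over the phone with the one in the keyring. Both listings are constructed samples embedded in the script: the guide's John Q. Alias key with a made-up fingerprint, plus a second made-up entry.

```shell
#!/bin/sh
# Added example, not from the guide: extract KEY-IDs and fingerprints from
# GnuPG key listings and compare an out-of-band fingerprint with the keyring.
set -eu

# Constructed sample of the human-readable `gpg --list-keys` output shown
# in the guide (the second entry is made up).
HUMAN_LISTING='/home/foobar/.gnupg/pubring.gpg
-------------------------------
pub   3072D/1C72CE6B 2010-07-17
uid                  John Q. Alias <the-email-youre-going-to-use@wherever.tld>
sub   4096g/D8F18B5F 2010-07-17

pub   3072D/0B6137AD 2010-07-24
uid                  Example Tester <tester@example.invalid>
sub   4096g/91BFCB7F 2010-07-24'

# Constructed sample of `gpg --with-colons --list-keys` for the same keys
# (fingerprints made up). Field 1 is the record type; field 5 of pub/sub
# records is the long key ID; field 10 holds the fingerprint on fpr records
# and the user ID on uid records.
COLON_LISTING='tru::1:1278000000:0:3:1:5
pub:u:3072:17:A1B2C3D41C72CE6B:2010-07-17::u:::scESC::::::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF1C72CE6B:
uid:u::::2010-07-17::0000000000000000000000000000000000000000::John Q. Alias <the-email-youre-going-to-use@wherever.tld>::
sub:u:4096:16:0A0B0C0DD8F18B5F:2010-07-17::::::e::
pub:u:3072:17:F0E1D2C30B6137AD:2010-07-24::u:::scESC::::::
fpr:::::::::FEDCBA9876543210FEDCBA98765432100B6137AD:
uid:u::::2010-07-24::1111111111111111111111111111111111111111::Example Tester <tester@example.invalid>::
sub:u:4096:16:1A1B1C1D91BFCB7F:2010-07-24::::::e::'

# Short KEY-IDs as the guide describes them: the hex after the slash on
# each "pub" line of the human-readable listing.
short_keyids() {
    printf '%s\n' "$1" | awk '$1 == "pub" { split($2, a, "/"); print a[2] }'
}

# Long key IDs (16 hex digits) of all primary keys, from the colon listing.
long_keyids() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $5 }'
}

# Fingerprint of the primary key whose user ID contains $2; prints nothing
# when no user ID matches. The fpr record precedes the uid records of its key.
fingerprint_for() {
    printf '%s\n' "$1" | awk -F: -v who="$2" '
        $1 == "fpr" { fpr = $10 }
        $1 == "uid" && index($10, who) { print fpr; exit }'
}

# Compare a fingerprint as read out to you (any spacing or case) against the
# keyring's. Succeeds only on an exact 40-hex-digit match.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ' \t' | tr 'a-f' 'A-F')
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# Same lookup against the real keyring (needs gpg; not used in the demo).
live_fingerprint_for() {
    fingerprint_for "$(gpg --with-colons --list-keys)" "$1"
}

# Demo on the constructed samples.
echo "short KEY-IDs:"; short_keyids "$HUMAN_LISTING"
echo "long key IDs:";  long_keyids "$COLON_LISTING"
fpr=$(fingerprint_for "$COLON_LISTING" "John Q. Alias")
echo "fingerprint of John Q. Alias: $fpr"
if fingerprint_matches "0123 4567 89AB CDEF 0123  4567 89AB CDEF 1C72 CE6B" "$fpr"; then
    echo "fingerprint read out over the phone matches; safe to sign"
fi
```

The awk on the human-readable listing works on the 2010-era output the guide shows, but that format has changed between GnuPG versions, which is why anything you automate should read `--with-colons` instead. The `fingerprint_matches` check is deliberately strict: a short or long key ID is rejected, so only a complete fingerprint confirmed with the key owner counts.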

Export/Publish your public OpenPGP Key
1. Press Alt+F2 and run: gnome-terminal
2. Create an ASCII armored version of your public key for exporting by typing:

gpg --export -a KEY-ID > mykey.asc

You’ve just exported your ASCII armored OpenPGP public key to the file mykey.asc in the folder you were in (your home directory, if you opened a new terminal). Now you can send the key to whomever you want to be able to encrypt files to you.

Publish your OpenPGP public key to the Ubuntu Key server At this point, you can publish your public key to a key server where people can request it remotely to be able to send encrypted data and emails to you.

1. Press Alt+F2 and run: gnome-terminal
2. Type:

gpg --keyserver KEYSERVER --send-keys KEY-ID

Where KEYSERVER is the address of the key server and KEY-ID is the ID number of the key you wish to publish on the key servers. This example uses the Ubuntu key server; however any key server will work as they all synchronize their keys.

Using PGP on Mac OS X
It is not recommended to use Mac OS X as a secure communication platform. While it has fewer exploits and a better security model than Windows, OS X has demonstrated poor security patch speed in the past and contains a large quantity of proprietary software and packaging, which cannot be scrutinized for side effects, back doors, or anything that “phones home”. Furthermore, it offers features that can be exploited by hackers or abused by governments or corporations. Some bullet points about OS X security:

- Relies on a lot of proprietary software that can’t be modified or scrutinized by you
- The webcam can be remotely turned on, offered as a “feature” if the laptop gets stolen, which could be abused or exploited to violate your privacy.
- Filesystem not encrypted by default, and the primary tool available may have inadequate security. See this link to find more information:

If you would like to use OpenPGP with Apple Mail:
1. Download the latest version of GNU Privacy Guard: for your version of MacOS.
2. Mount the GnuPG Mac OS X disk image and run the .mpkg installer.
3. Download the latest version of GPGKeys from the link above.
4. Decompress the .tar.gz and drag the GPGKeys file to your Applications folder.
5. Run GPGKeys. From the Key menu, select Generate; a Terminal window will open. You can select the default options for each choice unless you know what you’re doing. When prompted, enter your real name, email address, and comment (handle). Once the key is generated you can quit Terminal.
6. Download the Sen:te PGP plug-in for Mail:
7. Run the Install GPGMail script.
8. Open Mail. Everything should be working now. When composing a new message you’ll see a new checkbox that lets you choose your key and sign your message. When receiving a signed message you’ll be able to verify it.
For more information, follow the instructions below.

Using GnuPG encryption with Mac OS X Mail
Using email encryption is one way to protect the privacy of your electronic correspondence. For a brief history and explanation of how they work, see PGP and GnuPG. I cannot make any sort of guarantee as to the efficacy of these programs, though I know that the NSA and the Federal Government fought the implementation and free dissemination of PGP for years. Better to have it and not need it than to need it and not have it.

First, you will need to browse to the Mac GnuPG site ( or ) and download GPGTools. GPGTools is an initiative to bring GPG to Apple OS X. It provides both an all-in-one installer for all necessary software components and a home for OpenPGP related software for the Mac. Although most of the components require a working GnuPG installation, all projects are independent from each other. Using the GPGTools installer just assures that all components (and their versions and configurations) are compatible with each other, so you can choose which components to install or uninstall separately. To update your version simply run the installer and it will update all the components included. All applications (besides GPGMail) are compatible with OS X Lion. GnuPG comes in two flavors: version 1 is the well known and portable standalone version, whereas version 2 is the enhanced variant. If you are uncertain, install MacGPG2, or directly from here:

Now begin your own installation with me. Download the software by choosing 'Save File' and clicking 'OK' in the dialogue.

Navigate to the folder where you normally store your downloads (usually the desktop or the Downloads folder) and double click the '.DMG' file to open the virtual disk containing the installer. Open the installer by double-clicking on the icon.

The program will check your computer to see if it can run on it. (Note: if your Mac was bought before 2006 it will not have the Intel processor required to run this software and the installation will fail. Sadly it is beyond the scope of this manual to also take into account computers over five years old.)

You will be guided by the program through the next steps like accepting the license agreement. But stop pressing all the OK's and Agrees as soon as you come to the 'Installation Type' screen:

Clicking 'Customize' will open this screen, where you have several options of programs and software to install. You can click on each one of them to get a little bit of information on what it is, what it does and why you might need it.

We advise against using Apple Mail in combination with PGP. Therefore you won't be needing 'GPGMail', as this enables PGP on Apple Mail, and you can uncheck it. 'Enigmail' on the other hand is very important, as it is the component that will enable Thunderbird to use PGP. In the screenshot here it is grayed out as the installer wasn't able to identify my installation of Thunderbird; this seems to be a bug. You can also install Enigmail from within Thunderbird as is explained in another chapter. If the option is not grayed out in your installation, you should tick it. After you have checked all the components you want to install, click 'Install' to proceed. The installer will ask you for your password and after you enter that the installation will run and complete.

Installing Enigmail
Step 1. Open Thunderbird, then select Tools > Add-ons to activate the Add-ons window; the Add-ons window will appear with the default Get Add-ons pane enabled. In the Add-ons window, you can search for 'Enigmail' and install the extension by clicking 'Add to Thunderbird ...'

Click on 'Install Now' to download and install the extension.

Be aware that you will have to restart Thunderbird to use the functionality of this extension! Now that you have successfully downloaded and installed Enigmail and PGP you can go on to the Chapter that deals with setting up the software for use.

Getting Started
Once started, Mail has a new submenu, PGP, in its Message menu, containing the following items:

- Decrypt
- Authenticate
- Encrypt New Message
- Encryption Keys
  o Use Passphrase Encryption
  o Automatic Choice
  o Choose...
  o (list of public keys)
- Sign New Message
- Signing Keys
  o (list of secret keys)
- Force Use of PGP-MIME
- Refresh Keys

There is also a new submenu, PGP Keys, in menu View, allowing you to choose on-the-fly which attributes must be displayed for keys. Finally, in menu Window, a new item PGP Key Search displays a PGP key search panel when clicked. Mail also has a new Preferences panel GPGMail in which you can:

- Choose your default PGP key
- Choose when to encrypt/sign/decrypt/verify, etc.

When composing a new message, some new options appear in the composer window:

They allow you to choose which key you want to sign with, and which keys have to be used for encryption, when enabled. By default, GPGMail will try to find out by itself which keys are needed for encryption, according to the recipients’ email addresses; keys are listed in the Keys popdown button. In case it misses some keys, a warning icon will be displayed next to the popdown button. At that time you can ask GPGMail to search for missing keys on key servers, using the menu item Download... in the popdown menu.

In the Composer window, you can also add two toolbar items (by customizing the toolbar) to set the encryption (on/off) and add or not your PGP signature; you can also use the menu items PGP/Encrypt New Message and PGP/Sign New Message. When you compose a new message, you can sign it (you will be asked for your key passphrase), and/or you can encrypt it. Note that encryption/signature is always applied to the whole message.

GPGMail can use two different formats for encryption/signature: if your message consists only of plain text (no attachments, no rich text attributes like bold, italic, etc.), GPGMail will use the old PGP format, with inline ASCII-armored signature/encryption. In the other case, it will use the new OpenPGP/MIME format, with MIME attachments, which is not recognized by some mail agents like Outlook/Entourage/Eudora, but welcomed by Sylpheed, Mulberry and others. If you prefer GPGMail to always use the OpenPGP/MIME format, then you can set it in preferences, or using menu item Message/PGP/Force Use of PGP-MIME. When you browse through messages, GPGMail can operate automatically, or on-demand. In automatic mode, it tries to authenticate or decrypt the currently selected message; in manual mode, you click on a button/menu to decrypt or authenticate the currently selected message; you can also use the contextual menu. After authenticating a message, the signature information is displayed, in short or long form.

If you allow passphrase caching, the passphrase is either stored in a cache for a short amount of time (default is 60 seconds; if it has not been used during this time, the cache is cleared) or stored in your default keychain.

Please note an important setting: if you want to be able to decrypt the mails you have sent to your friends on your own system, you need to have "By default, use my public key also for encryption" activated. This can be found under Settings > OpenPGP > Create. If this is inactive, the mails will only be encrypted with your friend’s public key and thus can only be decrypted by him (since he is the only one with access to the corresponding private key). That means you can't later decrypt those mails yourself. This option is active by default and we recommend leaving it like this since it serves most user scenarios best.

You can't see secret key in
Try to run the GPGTools or MacGPG2 installer. This issue can occur when the file ~/.gnupg/gpg.conf is broken. You can test it by running:

if ( gpg2 --gpgconf-test ) ; then echo "fine"; else echo "broken"; fi

Both the GPGTools and GPGMail installers will update the bundle automatically. You can also use the GPG Preferences Pane to fix the current version or wait for the compatible update in future. GPGMail doesn’t run under OS X Lion 10.7 at the moment; an older version of GPGMail is available from

EMAIL SECURITY ON ANDROID
With the growing usage of mobile phones for e-mail, it's interesting to be able to use PGP also on your mobile. This way you can still read the messages sent to you in PGP on your phone and not only on your computer.

PGP ON ANDROID: APG
PGP on mobile phones is very new; currently there are not many tools available for Android phones to use PGP. It’s a pity there are not more options and easier software to configure and install; however, if you do set it up then the same rules apply for using PGP on Android as for normal PGP usage as described in the PGP/Secure emailing chapter. For Android you need at least the APG application. This is a small tool which makes PGP encryption possible on the phone. You can use APG to manage your private and public keys. The options in the application are quite straightforward if you are a little familiar with PGP in general. Management of keys is not very well implemented yet. The best way is to manually copy all your public keys to the SD card in the APG folder. Then it's easy to import your keys. After you've imported your public and private keys, PGP encrypting, signing and decrypting will be available for other applications as long as these applications have integrated encryption/PGP.

PGP ENABLED E-MAIL ON ANDROID: K-9 MAIL
The default mail application does not support PGP. Luckily there is an excellent alternative: K-9 Mail. This application is based on the original Android mail application but with some improvements. The application can use APG as its PGP provider. Setting up K-9 Mail is straightforward and similar to setting up mail in the Android default mail application. In the settings menu there is an option to enable "Cryptography" for PGP mail signing. If you want to access your PGP mails on your phone this application is a must have. Please note, due to some small bugs in K-9 Mail and/or APG, it's very advisable to disable HTML mail and only use plain text, as HTML mails are not encrypted nicely and are often not readable.

Daily PGP usage
In the previous chapters we have explained how to set up a secure mail environment using Thunderbird, PGP and Enigmail. We assume you have installed the software and have successfully followed the wizard instructions to generate an encryption key-pair as described in the previous chapters. Now we will describe how to use your secured Thunderbird in daily life to protect your e-mail communication. In particular we will focus on:

1. Encrypting Attachments
2. Entering your pass-phrase
3. Receiving Encrypted Email
4. Sending and receiving public keys
5. Receiving public keys and adding them to your key ring
6. Using public key servers
7. Signing e-mails to an individual
8. Sending encrypted e-mails to an individual
9. Automating encryption to certain recipients
10. Verifying incoming e-mails
11. Revoking your PGP key pair
12. What to do when you have lost your secret key, or forgot your passphrase
13. What to do when your secret key has been stolen, or compromised
14. Backing up your keys

First we shall explain two dialog windows that will inevitably appear after you start using Thunderbird to encrypt your emails.

Encrypting attachments
The dialog window below will pop-up whenever you are sending an encrypted email with attachments for the first time. Thunderbird asks a technical question on how to encrypt attachments to your mail. The second (default) option is the best choice, because it combines security with the highest compatibility. You should also select the 'Use the selected method for all future attachments' option. Then click 'OK' and your mail should be sent with no further delay.

Entering your pass-phrase
For security reasons, the pass-phrase to your secret key is only stored in memory temporarily. Every now and then the dialog window below will pop up, in which Thunderbird asks you for the pass-phrase to your secret key. This should be different from your normal email password; it is the passphrase you entered when creating your key-pair in the previous chapter. Enter the passphrase in the text box and click on 'OK'.

Receiving encrypted mails
The decryption of emails is handled automatically by Enigmail; the only action that may be needed on your part is to enter the pass-phrase to your secret key. However, in order to have any kind of encrypted correspondence with somebody, you will first need to exchange public keys.

Sending and receiving public keys
There are multiple ways to distribute your public key to friends or colleagues. By far the simplest way is to attach the key to a mail. In order for your friend to be able to trust that the message actually came from you, you should inform them in person (if possible) and also require them to reply to your mail. This should at least prevent easy forgeries. You have to decide for yourself what level of validation is necessary. This is also true when receiving emails from third parties containing public keys. Contact your correspondent through some means of communication other than e-mail. You can use a telephone, text messages, Voice over Internet Protocol (VoIP) or any other method, but you must be absolutely certain that you are really talking to the right person. As a result, telephone conversations and face-to-face meetings work best, if they are convenient and if they can be arranged safely.

Sending your public key is easy.
1. In Thunderbird, click on the icon.

2. Compose a mail to your friend or colleague and tell them you are sending them your PGP public key. If your friend does not know what that means, you may have to explain it to them and point them to this documentation.
3. Before actually sending the mail, click on the OpenPGP > Attach My Public Key option on the menu bar of the mail compose window. Next to this option a marked sign will appear. See the example below.

4. Send your mail by clicking on the


Receiving public keys and adding them to your keyring
Let's say we receive a public key from a friend by mail. The key will show up in Thunderbird as an attached file. Scroll down the message and below you will find tabs with one or two file names. The extension of this public key file will be .asc, different from the extension of an attached PGP signature, which ends with .asc.sig. Look at the example email in the next image, which is a received, signed PGP message containing an attached public key. We notice a yellow bar with a warning message: 'OpenPGP: Unverified signature, click on 'Details' button for more information'. Thunderbird warns us that the sender is not known yet, which is correct. This will change once we have accepted the public key. What are all those strange characters doing in the mail message? Because Thunderbird does not recognize the signature as valid, it prints out the entire raw signature, just as it has received it.

This is how digitally signed PGP messages will appear to those recipients who do not have your public key. The most important thing in this example is to find the attached PGP public key. We mentioned it is a file that ends with .asc. In this example it's the first attachment on the left, which is in the red circle. Double-clicking on this attachment will make Thunderbird recognize the key.

In the example image above, we should double-click on the attached .asc file to import the PGP public key. After we have clicked on the attachment, the following pop-up will appear.

Thunderbird has recognized the PGP public key file. Click on 'Import' to add this key to your keyring. The following pop-up should appear. Thunderbird says the operation was successful. Click on 'OK' and you are done. You now have the ability to send this friend encrypted messages.

We are back in the main Thunderbird screen and we refresh the view on this particular example message, by clicking on some other message and back for example. Now the body of the message looks different (see below). This time Thunderbird does recognize the signature, because we have added the public key of the sender.

There is still one thing that remains. While Thunderbird now recognizes the signature, we should explicitly trust that the public key really belongs to the sender in real life. We realize this when we take a closer look at the green bar (see below). While the signature is good, it is still UNTRUSTED.

We will now decide to trust this particular public key and the signatures made by it. We can do this immediately by clicking on 'Details'. A small menu will appear (see below). From this menu we should click on the option 'Sign Sender's Key ...’

After we have selected 'Sign Sender's Key ...' we will get another selection window (see below). We are requested to state how carefully we have checked this key. The explanation of levels of trust and trust networks in PGP falls outside the scope of this document. We will not use this information; therefore we will just select the option 'I will not answer'. Also select the option 'Local signature (cannot be exported)'. Click on the 'OK' button to finish signing this key. This finishes accepting the public key.

Using public key servers
Another method of distributing public keys is by putting them on a public key server. This allows anyone to check whether your email address has PGP support, and then download your public key. To put your own key on a keyserver, take the following steps.
1. Head to the key manager by using the Thunderbird menu and click on OpenPGP > Key Management

2. The key management window will be displayed and looks like this:

3. You need to have selected the 'Display All Keys by Default' option to get a list of all your keys. Look up your own email address in the list and right-click on the address. A selection window will appear with some options. Select the option 'Upload Public Keys to Keyserver'.

4. You will see a small dialog window like below. The default server to distribute your keys to is good. Press 'OK' and distribute your public key to the world.

To look up whether some email address has a public key available on a server, take the following steps.
1. Head to the key manager by using the Thunderbird menu and click on OpenPGP > Key Management
2. In the key manager window menu bar, select Keyserver > Search for Keys

3. In this example we will look up the key for the creator of the PGP software, Philip Zimmermann. After we have entered the email address, we click on 'OK'.

4. The next window displays the result of our search. We have found the public key. It is automatically selected. Just click on 'OK' to import the key.

5. Importing the key will take some time. On completion you should see a pop-up window like below.

6. The final step is to locally sign this key, to indicate that we trust it. When you are back in the key manager, make sure you have selected the 'Display All Keys by Default' option. You should now see the newly imported key in the list. Right-click on the address and select the option 'Sign Key' from the list.

7. Select the options 'I will not answer' and 'Local signature (cannot be exported)', then click on 'OK'. You are now finished and can send Philip Zimmermann encrypted mail.
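The key manager's search talks to the keyserver over HKP, and an HKP server can return its index in a machine-readable form in which each key carries a flag when its owner has revoked it, when the server has disabled it, or when it has expired. The following Python example is added to this manual and is not code from Enigmail or GnuPG: it builds the lookup URL and vets a constructed sample reply, so that a key can be checked before it is imported and locally signed as in steps 6 and 7 above. The server name, key ids, timestamps and user ids are constructed sample values; the record layout (info, pub and uid lines with the flags r, d and e) follows the HKP draft specification.

```python
"""Vet keyserver search results before importing them.

Added example for this manual, not code from Enigmail or GnuPG.  It parses the
machine-readable index an HKP keyserver returns for
  /pks/lookup?op=index&options=mr&search=<query>
and refuses keys flagged revoked (r), disabled (d) or expired (e).  Server
name, key ids, timestamps and user ids in SAMPLE_INDEX are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import quote, unquote

HKP_PORT = 11371  # conventional HKP port


def lookup_url(server: str, search: str, op: str = "index") -> str:
    """URL a client requests for a keyserver query (op=index lists, op=get fetches)."""
    return (f"http://{server}:{HKP_PORT}/pks/lookup"
            f"?op={op}&options=mr&search={quote(search, safe='')}")


@dataclass
class KeyRecord:
    keyid: str                 # long key id or full fingerprint, upper-case hex
    algo: int                  # 1 = RSA, 17 = DSA (RFC 4880 algorithm numbers)
    bits: int
    created: Optional[datetime]
    expires: Optional[datetime]
    flags: str                 # any of r (revoked), d (disabled), e (expired)
    uids: List[str] = field(default_factory=list)


def _ts(value: str) -> Optional[datetime]:
    return datetime.fromtimestamp(int(value), tz=timezone.utc) if value else None


def parse_index(text: str) -> List[KeyRecord]:
    """Turn 'pub:' and 'uid:' lines into KeyRecord objects; 'info:' lines are skipped."""
    keys: List[KeyRecord] = []
    for line in text.splitlines():
        fields = line.split(":")
        fields += [""] * (7 - len(fields))          # tolerate omitted trailing fields
        if fields[0] == "pub":
            keys.append(KeyRecord(fields[1].upper(), int(fields[2]), int(fields[3]),
                                  _ts(fields[4]), _ts(fields[5]), fields[6]))
        elif fields[0] == "uid" and keys:
            keys[-1].uids.append(unquote(fields[1]))   # the uid string is percent-escaped
    return keys


def vet_key(key: KeyRecord, wanted_email: str, now: datetime):
    """Return (ok, reason): ok only for a live key whose user id carries the address."""
    if "r" in key.flags:
        return False, "revoked by its owner"
    if "d" in key.flags:
        return False, "disabled on the server"
    if "e" in key.flags or (key.expires is not None and key.expires < now):
        return False, "expired"
    if not any(wanted_email.lower() in uid.lower() for uid in key.uids):
        return False, "no user id matches the address you searched for"
    return True, "usable; confirm the fingerprint with the owner before signing"


def vet_index(text: str, wanted_email: str, now: Optional[datetime] = None):
    """Map each key id in a reply to its (ok, reason) verdict."""
    now = now or datetime.now(timezone.utc)
    return {k.keyid: vet_key(k, wanted_email, now) for k in parse_index(text)}


# Constructed reply: one live RSA key, one revoked DSA key, one expired RSA key.
SAMPLE_INDEX = """info:1:3
pub:0123456789ABCDEF0123456789ABCDEF01234567:1:2048:1300000000::
uid:Alice%20Example%20%3Calice%40example.org%3E:1300000000::
pub:89ABCDEF0123456789ABCDEF0123456789ABCDEF:17:1024:1200000000::r
uid:Alice%20Example%20%3Calice%40example.org%3E:1200000000::r
pub:FEDCBA9876543210FEDCBA9876543210FEDCBA98:1:1024:1100000000:1200000000:e
uid:Alice%20Example%20%3Calice%40example.org%3E:1100000000:1200000000:e
"""

if __name__ == "__main__":
    print(lookup_url("keys.example.org", "alice@example.org"))
    for keyid, (ok, reason) in vet_index(SAMPLE_INDEX, "alice@example.org").items():
        print(f"{keyid[-16:]}  {'OK' if ok else 'NO'}  {reason}")
```

A revoked or expired key is refused outright; for a usable key the verdict still asks you to confirm the fingerprint with the owner, because a keyserver accepts uploads from anyone and only proves that somebody uploaded a key carrying that user id.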

Signing emails to an individual
Digitally signing email messages is a way to prove to recipients that you are the actual sender of a mail message. Those recipients who have received your public key will be able to verify that your message is authentic.
1. Offer your friend your public key, using the method described earlier in this chapter.
2. In Thunderbird, click on the icon.

3. Before actually sending the mail, enable the OpenPGP > Sign Message option via the menu bar of the mail compose window, if it is not enabled already. Once you have enabled this option by clicking on it, a marked sign will appear. See the example below. Clicking again should disable signing again.

4. Click on the button and your signed mail will be sent.

Sending encrypted mails to an individual
1. You should have received the public key from the friend or colleague you want to email, and you should have accepted their public key, using the method described earlier in this chapter.
2. In Thunderbird, click on the icon.

3. Compose a mail to the friend or colleague from whom you have previously received their public key. Remember the subject line of the message will not be encrypted, only the message body itself and any attachments.
4. Before actually sending the mail, enable the OpenPGP > Encrypt Message option via the menu bar of the mail compose window, if it is not enabled already. Once you have enabled this option by clicking on it, a marked sign will appear. See the example below. Clicking again should disable encryption again.

5. Click on the button and your encrypted mail will be sent.

Automating encryption to certain recipients
You will often want to make sure all your messages to a certain colleague or friend are signed and encrypted. This is good practice, because you may forget to enable the encryption manually. You can do this by editing the per-recipient rules. To do this we access the OpenPGP per-recipient rule editor. Select OpenPGP > Preferences from the Thunderbird menu bar.

The preferences window will appear like below. We need to click on 'Display Expert Settings'.

New menu tabs will appear in the window. Go to the tab 'Key Selection' and then click on the button labeled 'Edit Rules ...'

We are now shown the per-recipient rules editor (see below). This editor can be used to specify how messages to certain recipients are sent. We will now add a rule saying we want to encrypt and sign all mail messages to the recipient. First click on the 'Add' button.

Now the window to add a new rule will be shown. The first thing we should enter is the email address of the recipient. In the example below we have entered

Now we will set the encryption defaults by using the drop-downs below. For Signing select 'Always'. For Encryption also select 'Always'.

Finally we have to select our secret key, with which to encrypt our messages. Do not forget this important step. Click on the button labeled 'Select Key(s)...'. The key selection window shows up. In the example below, we only have one secret key. We select this key by clicking on the small box next to the address. Then we click 'OK' in all relevant windows and we are finished.

Verifying incoming emails
Decrypting email messages sent to you will be fully automatic and transparent. But it is obviously important to see whether or not a message to you has in fact been encrypted or signed. This information is available by looking at the special bar above the message body. A valid signature will be recognized by a green bar above the mail message like the example image below.

The last example message was signed but not encrypted. If the message had been encrypted, it would show like this:

When a message has been encrypted but not signed, it could be a forgery by someone. The status bar will become gray like in the image below and tells you that while the message was sent securely (encrypted), the sender could have been someone other than the person behind the email address you see in the 'From' header. The signature is necessary to verify the real sender of the message. Of course it is perfectly possible that you have published your public key on the Internet and you allow people to send you emails anonymously. But it is also possible that someone is trying to impersonate one of your friends.

Similarly, if you receive a signed email from somebody you know, and you have this person's public key, but still the status bar becomes yellow and displays a warning message, it is likely that someone is attempting to send you forged emails!

Sometimes secret keys get stolen or lost. The owner of the key will inform his friends and send them a so-called revocation certificate (more explanation of this in the next paragraph). Revocation means that we no longer trust the old key. The thief may afterwards still try his luck and send you a falsely signed mail message. The status bar will now look like this:

Strangely enough Thunderbird in this situation will still display a green status bar! It is important to look at the contents of the status bar in order to understand the encryption aspects of a message. PGP allows for strong security and privacy, but only if you are familiar with its use and concepts. Pay attention to warnings in the status bar.
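Enigmail does not read the message text itself to colour the bar; it runs GnuPG with --status-fd and builds the bar from the machine-readable status lines GnuPG prints. The Python example below is added to this manual (it is not Enigmail or GnuPG code) and replays constructed status lines for each situation described above (a good signature with a trusted or an untrusted key, encrypted but unsigned, a revoked signing key, a bad signature, and a signature from a key you do not have), turning them into a colour and the warning a reader should expect. The key ids and names are constructed; the token names (GOODSIG, BADSIG, ERRSIG, NO_PUBKEY, REVKEYSIG, EXPKEYSIG, TRUST_*, DECRYPTION_OKAY) are the ones GnuPG documents. Unlike the behaviour described above, this classifier downgrades a signature made with a revoked key to a yellow warning instead of a green bar.

```python
"""Derive an Enigmail-style status bar from GnuPG's machine-readable output.

Added example for this manual; not code from Enigmail or GnuPG.  Enigmail runs
gpg with --status-fd and reads lines of the form '[GNUPG:] TOKEN args...'.
SAMPLES holds constructed status lines for the cases discussed in the text;
key ids and names are made up.
"""
from dataclasses import dataclass
from typing import Dict, List

STATUS_PREFIX = "[GNUPG:] "


@dataclass
class Verdict:
    colour: str          # green, yellow, red, gray or none
    signed: bool
    encrypted: bool
    trusted: bool
    signer: str          # user id named in the signature token, if any
    message: str


def parse_status(lines: List[str]) -> Dict[str, str]:
    """Map each status token to its argument string (a later line wins)."""
    tokens: Dict[str, str] = {}
    for line in lines:
        if not line.startswith(STATUS_PREFIX):
            continue                        # ordinary stderr output, not a status line
        token, _, args = line[len(STATUS_PREFIX):].partition(" ")
        tokens[token] = args
    return tokens


def _signer(args: str) -> str:
    # GOODSIG/BADSIG/REVKEYSIG/EXPKEYSIG args are '<long key id> <user id>'
    _, _, name = args.partition(" ")
    return name


def classify(lines: List[str]) -> Verdict:
    t = parse_status(lines)
    encrypted = "DECRYPTION_OKAY" in t
    trust = next((k for k in t if k.startswith("TRUST_")), "TRUST_UNDEFINED")
    trusted = trust in ("TRUST_FULLY", "TRUST_ULTIMATE")

    if "BADSIG" in t:
        return Verdict("red", True, encrypted, False, _signer(t["BADSIG"]),
                       "BAD signature: the message was altered or is a forgery")
    if "ERRSIG" in t or "NO_PUBKEY" in t:
        return Verdict("yellow", True, encrypted, False, "",
                       "Unverified signature: the sender's public key is not on your keyring")
    if "REVKEYSIG" in t:
        return Verdict("yellow", True, encrypted, False, _signer(t["REVKEYSIG"]),
                       "Signature made with a REVOKED key: treat as a possible forgery")
    if "EXPKEYSIG" in t:
        return Verdict("yellow", True, encrypted, False, _signer(t["EXPKEYSIG"]),
                       "Signature made with an expired key")
    if "GOODSIG" in t:
        note = "Good signature" if trusted else \
            "Good signature, key UNTRUSTED: sign it locally after checking the fingerprint"
        return Verdict("green", True, encrypted, trusted, _signer(t["GOODSIG"]), note)
    if encrypted:
        return Verdict("gray", False, True, False, "",
                       "Encrypted but NOT signed: anyone holding your public key could have sent this")
    return Verdict("none", False, False, False, "", "Plain message: neither signed nor encrypted")


# Constructed status output for the situations described in the text.
SAMPLES = {
    "signed_trusted": [
        "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>",
        "[GNUPG:] TRUST_FULLY",
    ],
    "signed_untrusted": [
        "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>",
        "[GNUPG:] TRUST_UNDEFINED",
    ],
    "encrypted_unsigned": [
        "[GNUPG:] ENC_TO FEDCBA9876543210 1 0",
        "[GNUPG:] DECRYPTION_OKAY",
    ],
    "encrypted_and_signed": [
        "[GNUPG:] DECRYPTION_OKAY",
        "[GNUPG:] GOODSIG 0123456789ABCDEF Alice Example <alice@example.org>",
        "[GNUPG:] TRUST_ULTIMATE",
    ],
    "revoked_key": [
        "[GNUPG:] REVKEYSIG 0123456789ABCDEF Alice Example <alice@example.org>",
        "[GNUPG:] TRUST_UNDEFINED",
    ],
    "bad_signature": [
        "[GNUPG:] BADSIG 0123456789ABCDEF Alice Example <alice@example.org>",
    ],
    "unknown_key": [
        "[GNUPG:] ERRSIG 0123456789ABCDEF 1 8 00 1300000000 9",
        "[GNUPG:] NO_PUBKEY 0123456789ABCDEF",
    ],
}

if __name__ == "__main__":
    for name, lines in SAMPLES.items():
        v = classify(lines)
        print(f"{name:20} {v.colour:7} {v.message}")
```

Running the module prints one line per sample. The order of the checks matters: BADSIG wins over anything else, a missing public key is reported before trust is considered at all, and "encrypted but not signed" is only reported when no signature token was seen.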

Revoking your PGP key-pair
Your secret key has been stolen by somebody. Your hard disk crashed and you have lost all your data. If your key is lost, you can no longer decrypt messages. If your key has been stolen, somebody else can decrypt your communication. You need to make a new set of keys. The process of creating keys, using the OpenPGP wizard in Thunderbird, has been described in this book. But first you want to tell the world that your old public key is now worthless, or even dangerous to use.

What to do when you have lost your secret key, or forgot your passphrase
During the creation of your key-pair, the OpenPGP wizard offered you the possibility to create a so-called revocation certificate. This is a special file you send to others in the event that you have to disable your key. If you have a copy of this file, sending the revocation certificate is simply sending the file as an attachment to all your friends. You can no longer send signed mails (obviously, because you have lost your secret key). That doesn't matter. Send it as a normal mail. The revocation certificate file could only have been created by the owner of the secret key and proves he or she wants to revoke it. That's why it should normally be kept hidden from others. If you do not have the revocation certificate, there exists no other option than for you to contact your friends personally and convince them your key is lost and that they should no longer trust it.

What to do when your secret key has been stolen, or compromised
If you have reason to believe your secret key has been compromised, or worse, your secret key and passphrase, it is very important to tell others that they should stop sending you encrypted messages. With your secret key, other persons will be able to break the encryption of your e-mail messages if they also have your passphrase. This is also true for those messages you have sent in the past. Cracking the passphrase is not trivial, but it may be possible if the party has lots of resources, like a state or a big organization for example, or if your passphrase is too weak. In any case you should assume the worst and assume your passphrase may have been compromised. Send a revocation certificate file to all your friends or contact them personally and inform them of the situation. Even after you have revoked your old key pair, the stolen key may still be used to decrypt your previous correspondence. You should consider other ways to protect that old correspondence, for instance by re-encrypting it with a new key. The latter operation will not be discussed in this manual. The chapter on 'Securing personal data' may be of some help. If you are uncertain you should seek assistance from experts or look up more information on the web.

Receiving a revocation certificate
If one of your friends sends you a revocation certificate, he asks you to distrust his public key from now on. You should always accept such a request and 'import' the certificate to disable his key. The process of accepting a revocation certificate is exactly the same as accepting a public key, as has already been described earlier in this chapter. Thunderbird will ask you if you want to import the 'OpenPGP key file'. Once you have done so, a confirmation pop-up should be displayed like below.

Preparing for the worst: backup your keys
Your keys are usually stored on your hard disk as normal files. They may get lost if your computer gets damaged. It is strongly advised to keep a backup of your keys in a safe place, like a vault. Making a backup of your secret key has another security advantage as well. Whenever you fear your laptop or computer is in immediate danger of being confiscated, you can safely delete your key-pair. Your email will be rendered unreadable immediately. At a later stage, you can retrieve your keys from the vault and re-import them in Thunderbird. To make a backup of your key-pair, first head to the key manager by using the Thunderbird menu and click on OpenPGP > Key Management. You need to have selected the 'Display All Keys by Default' option to get a list of all your keys. Look up your own email address in the list and right-click on the address. A selection window will appear with some options. Select the option 'Export Keys to File'.

Now we will save the key-pair to a file. Thunderbird asks us if we want to include the secret key as well. We do want to include the secret key; therefore we select 'Export Secret Keys'.

Finally Thunderbird asks us for the location of the key file. You can store the file anywhere you like, for instance on a network disk or a USB stick. Just remember to hide it away from other people.

Further reading
More documentation on using PGP with Thunderbird can be found on the website of the Enigmail plugin. The Enigmail handbook is the guide you will want to use.

Webmail and PGP
The current browsers on the market unfortunately do not come bundled with PGP support. When you are using PGP to send e-mail, your encrypted e-mail messages cannot automatically be deciphered by your browser. You will see garbled text instead of messages. Nevertheless there exists a Firefox plugin called FireGPG which does add PGP support to the browser. We will describe how to use FireGPG to be able to combine the use of PGP with webmail. We will use a Gmail account as an example. FireGPG has extra uses as well. In fact, using FireGPG you can encrypt just about any plain text communication on the web (like forum posts, blog messages, etc.) with PGP.

Caveats with using webmail
In general it is best to use a mail program like Thunderbird instead of using webmail. Accessing your webmail from an untrusted environment like an Internet café is discouraged, because you cannot guarantee your password or traffic will not be intercepted. Using PGP in that situation may even make matters worse. Your secret key and passphrase, which you carry around on a USB stick, may be read by a malicious program on the computer. In short, only use FireGPG to access your webmail in an environment you trust.

Installing FireGPG
NOTE: The latest official version of FireGPG supports only Firefox 3.6. During the creation of this manual we also worked on making an updated version of the plugin for Firefox 4.0. It should hopefully become available on the website of the developer soon. If you are keen on using FireGPG now, you will have to stick to Firefox 3.6. Please also note that using Gmail with FireGPG is problematic at best. There used to be special support for Gmail in FireGPG, but it is no longer up-to-date. These are the steps necessary to install FireGPG.
1. Go to the website
2. On the upper side of the website, click on Install > Install FireGPG.
3. Download the extension by clicking on

4. Firefox will ask you whether you want to allow the installation of the extension. Click on Allow.
5. Firefox will ask you whether you want to begin installing the extension. Click on Install now.
6. The installation window should appear like below. Click on Next to begin.

7. You should have GnuPG installed, as has been described in the chapters about installing PGP. In the next window of the FireGPG installer, it tells us it has found GnuPG. Click on Next.

8. In the next window FireGPG asks you whether you want to enable special Gmail functions. Alas, those functions are broken. Click on 'Enable Gmail support' to disable the option. Click Next.

9. In the next window FireGPG asks you for your default secret key to decrypt messages with. If you have more than one e-mail address with PGP, you can select the preferred one. If you select 'Ask for private key' FireGPG will ask you for the key every time you sign a message. In the example below we have selected the single secret PGP key we will use. After you have made a decision, click Next.

10. FireGPG asks you for installation components. The default components are fine. Click on Next.

11. The installation should now be finished. Click on Close.

Working with FireGPG
FireGPG works by selecting blocks of plain text in text boxes and performing actions on them, like decryption, encryption, signing, etc. You can also use FireGPG to do basic key management like importing a public key. The keyring FireGPG works with is the same one that you use with Thunderbird, so your PGP actions will be compatible and synchronized.

Example of decrypting an e-mail or text
A PGP encrypted message directed to you should automatically be detected by FireGPG. You can recognize such a message by the following icon.

Click on 'Decrypt' to display the message.

Example of encrypting an e-mail or text
When you have the public key of the recipient on your keyring, select the piece of text you want to encrypt with the mouse, then right-click on it. You will see a sub-menu called FireGPG. Select FireGPG > Encrypt. See the example below.

A window will appear. Select the recipient from the list of available public keys. Then press 'Ok.'

You will now see the encrypted message in the mail window. A PGP encrypted message is nothing but a bunch of characters delimited by special lines with dashes. Selecting the entire body of the PGP message, including the lines with BEGIN and END, and then going to the FireGPG menu, will allow you to manually decrypt, or do other actions.
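The dashed BEGIN and END lines are the ASCII armor of RFC 4880, the same wrapping used by the .asc public key attachment in 'Receiving public keys and adding them to your keyring' and by a revocation certificate (GnuPG armors a revocation certificate with the same PUBLIC KEY BLOCK header as a key, so the header alone does not tell them apart). The Python example below is added to this manual and is not code from FireGPG, Enigmail or GnuPG: it checks the armor's CRC-24 checksum, decodes the block and reports what the first packet is, and for a public key computes the v4 fingerprint so that it can be read out to the owner by telephone as 'Sending and receiving public keys' recommends. The key and revocation packets it builds are constructed sample data (the numbers are not real key material); the armor layout, checksum and fingerprint rule follow RFC 4880.

```python
"""Inspect an ASCII-armored OpenPGP block without any PGP software.

Added example for this manual, not code from FireGPG, Enigmail or GnuPG.
Armor layout, CRC-24 and the v4 fingerprint rule follow RFC 4880; the sample
packets at the bottom are constructed and contain no real key material.
"""
import base64
import hashlib
import re

PACKET_TAGS = {1: "public-key encrypted session key (an encrypted message)", 2: "signature",
               5: "secret key", 6: "public key", 13: "user id", 14: "public subkey",
               18: "encrypted and integrity protected data"}
SIG_TYPES = {0x00: "binary document signature", 0x01: "text document signature",
             0x13: "positive user id certification", 0x20: "KEY REVOCATION",
             0x28: "subkey revocation", 0x30: "certification revocation"}
ARMOR_RE = re.compile(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Header line, blank line, 64-column base64 body, '=' + CRC, footer line."""
    body = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + [body[i:i + 64] for i in range(0, len(body), 64)]
                     + [f"={crc}", f"-----END PGP {kind}-----"]) + "\n"

def dearmor(text: str):
    """Return (armor kind, raw bytes); raise ValueError when the CRC-24 does not match."""
    m = ARMOR_RE.search(text)
    if not m:
        raise ValueError("no PGP armor found")
    data_lines, crc_line = [], None
    for line in m.group(2).splitlines():
        line = line.strip()
        if not line or re.match(r"[A-Za-z-]+: ", line):
            continue                      # blank separator or a 'Version: ...' armor header
        if line.startswith("="):
            crc_line = line[1:]           # four-character checksum line
        else:
            data_lines.append(line)
    data = base64.b64decode("".join(data_lines))
    if crc_line and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor checksum mismatch: the block was damaged or altered")
    return m.group(1), data

def first_packet(data: bytes):
    """Decode the first packet header (old or new format) and return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:                                  # new format: tag in the low 6 bits
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported here")
    else:                                           # old format: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 3
        if ltype == 3:
            raise ValueError("indeterminate length is not supported here")
        length, off = int.from_bytes(data[1:1 + (1 << ltype)], "big"), 1 + (1 << ltype)
    return tag, data[off:off + length]

def v4_fingerprint(key_body: bytes) -> str:
    """SHA-1 over 0x99, the two-byte body length and the body (RFC 4880 section 12.2)."""
    if key_body[0] != 4:
        raise ValueError("only version 4 keys are supported here")
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest().upper()

def describe(text: str) -> dict:
    """Report what an .asc block holds; the armor header and file name alone cannot tell you."""
    kind, data = dearmor(text)
    tag, body = first_packet(data)
    info = {"armor": kind, "tag": tag, "packet": PACKET_TAGS.get(tag, "other")}
    if tag in (6, 14):
        info["fingerprint"] = v4_fingerprint(body)
    elif tag == 2 and body[0] == 4:
        info["signature_type"] = SIG_TYPES.get(body[1], "other")
    return info

def _mpi(value: int) -> bytes:           # multi-precision integer: bit count, then big-endian bytes
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")

# Constructed v4 RSA public key body (version, creation time, algorithm 1, MPIs n and e)
SAMPLE_KEY_BODY = b"\x04" + (1300000000).to_bytes(4, "big") + b"\x01" + _mpi(0xC5D2AEF1) + _mpi(65537)
SAMPLE_KEY_PACKET = bytes([0x98, len(SAMPLE_KEY_BODY)]) + SAMPLE_KEY_BODY   # old-format header, tag 6
SAMPLE_REVOCATION = b"\x88\x04" + b"\x04\x20\x01\x02"   # old-format tag 2, v4 signature of type 0x20
```

describe(armor(SAMPLE_KEY_PACKET)) reports a public key packet together with its fingerprint, describe(armor(SAMPLE_REVOCATION)) reports a signature packet of type KEY REVOCATION, and a block whose text was damaged or edited fails the checksum before anything is decoded. A real .asc attachment can be passed as the text argument; for a clear-signed message the regular expression picks up the inner SIGNATURE block, since the SIGNED MESSAGE header has no matching END line.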

Alternative Secure-Email Services
Two essential considerations in choosing a secure email service are its geographic location, together with the laws governing email privacy and security in that country or region, and who has access to your emails and files (on your computer, on the server, or when information is transferred between them). In its most secure configuration, the VS2Go program lets you store your encryption keys and emails on your own computer or a USB memory stick. This lets you manage the level of security by restricting access to only your correspondent and yourself (provided your correspondent is using the exact same VS2Go setup). The VS2Go email client is available for GNU/Linux, Mac OS and Microsoft Windows platforms.

VaultletSuite - Secure Email Client
VaultletSuite 2 Go (VS2Go) is a secure email client that lets you create and register an email account which is hosted on a VaultletSoft server. You may archive (or store) your automatically encrypted emails on your computer, on a USB memory stick or the VaultletSoft server.

Homepage

Computer Requirements
- Windows 2000/XP/Vista
- An Internet connection

You access your email messages hosted on the VaultletSoft server. However, you may also store your emails on your computer or a USB memory stick. The VS2Go program must be installed on your computer; unlike popular email services, it cannot be accessed through a Web browser. VS2Go runs on a Java platform which it automatically installs on your computer.

VS2Go is comprised of three products bundled together and accessed through a console as follows:
- VaultletMail - the email client
- PasswordValet - the password management tool
- VaultletFiler - the file encryption tool

VS2Go uses private/public key encryption to ensure the security of your communications and file storage. The VS2Go software automatically performs all encryption tasks, and improves your security by reducing human error, making it an easy-to-learn and use tool. VS2Go provides approximately 256 megabytes of space for your email messages on their servers for Blue account members. Messages are stored there, and can be accessed from any computer with the VS2Go software installed on it. Ideally, however, you should create a local archive on your computer or a USB memory stick, and regularly transfer all your messages there. Your local archive can be any size, according to your needs.

Portable VaultletSuite
There are no other differences between Portable VaultletSuite and the version designed to be installed.

How to Download and Extract Portable VaultletSuite
To begin downloading and extracting Portable VaultletSuite, perform the following steps:

Step 1. Click to be directed to the appropriate download site.

Step 2. Click to activate the Opening window.

Step 3. Click to save the installation file to your computer, and then navigate to it.

Step 4. Right click to activate the Windows pop-up menu, and then select the Extract files... item as shown in Figure below:

The Windows pop-up menu with the Extract files... item selected

This will activate the following window:

The Extraction path and options navigation window

Step 5. Navigate to the removable drive or USB memory stick as shown in Figure above, and then click to create a new folder in which to extract the installation file.

Step 6. Enter a name for the new folder in the document tree as shown in Figure below:

The Extraction path and options window document tree (resized)

Alternatively, you may type in a folder name in the accompanying drop-down list:

Note: Choose a different name for the Portable VaultletSuite folder, so it may appear less obvious that you are using it.

Step 7. Click to begin extracting its contents to the newly created folder.

Step 8. Navigate to your destination external drive or USB memory stick, as shown in Figure below, then open it to confirm that the Portable VaultletSuite program was successfully extracted.

The VaultletSuite program extracted to the destination folder on a designated external hard drive

Step 9. Double click to launch the Portable VaultletSuite program. Click to complete the installation, and launch the main pane as follows:

The VaultletSuite2Go main pane

Note: If software updates have been detected during the installation process, a pop-up message resembling the following will appear:

The Recommended Small Update Available pop-up message window

Step 10. Click to install the update, and activate the Starting new VaultletSuite 2 Go Session progress status bar as follows:

The Starting new VaultletSuite 2 Go Session progress status bar

Note: The Starting new VaultletSuite 2 Go Session progress status bar will briefly pause at the Retrieving account authentication message, because there is no account information to retrieve yet: you have not created your account. If the VS2Go software has been successfully installed, the following two screens will appear:

The Welcome to the VaultletSuite 2 Go [] window

The Welcome to the VaultletSuite 2 Go console

How to Create a VaultletSuite 2 Go Account

An Overview of the Account Creation Process
The account creation and registration process begins with choosing the appropriate account type for yourself; this guide is based on the account type most likely to benefit the majority of users. Then, you will be required to generate a key pair to be associated with your account, learn to use the optional but useful virtual keyboard, enter personal information, and choose an appropriate file storage option.

Installation Note: after installing and running VaultletSuite 2 Go for the first time, you may receive update requests to ensure that you have the latest version of VS2Go. If or when this happens, please refer to section How to Update the VS2Go Program.

Your VS2Go account includes an email address and login details for the system. You may register multiple accounts on the same computer or USB memory stick. Each account will have its separate space, and be protected from non-owner access.

How to Create Your VaultletSuite 2 Go Account
To begin creating your VS2Go account, perform the following steps:

Step 1. Double click or select Start > Programs > VaultletSuite2Go > VaultletSuite2Go to activate the Starting new VaultletSuite 2 Go Session progress status bar, the VaultletSuite 2 Go main console and Welcome to VaultletSuite 2 Go window as follows:

Starting new VaultletSuite 2 Go Session progress status bar

The Welcome to VaultletSuite 2 Go window

VaultletSuite 2 Go main console

The VS2Go console lets you switch between using the VaultletSuite email, file storage and password management tools. However, you must first create an account before you can access these tools.

How to Choose the Right VaultletSuite 2 Go Account Type
VS2Go is designed to accommodate both users who always use the same computer, as well as those who require access to and use of different computers. It lets you store your account and login details on both your computer and a USB memory stick.

Step 1. Click to activate the following screen:

The Choose which account creation path you wish to follow window

Step 2. Click the Control option to enable the other account types as shown in Figure above. The Choose which account creation path you wish to follow window lets you specify the kind of account best suited to your needs. The account types listed here are divided into Simplicity and Control accounts. Control offers a variety of accounts designed to optimize the safety and security of your email exchanges, and will be discussed at greater length in the following section.

Important: Please read the following option descriptions before deciding which is best suited to your needs.

The Simplicity: Fast and easy. For beginners. (5 steps) option is designed for users satisfied with the default account registration options. The account will prompt you for the fewest details and be automatically stored in the home folder of your computer (for instance, C:\Documents and Settings\User\vaultletsoft). The private key will reside on the VaultletSoft server.

The Control: Quick Start for your hard drive (5 steps) option will create an account with the identical configuration process as the Simplicity option, but explains in greater detail the installation and system access choices you are making. The Control: Quick Start for Mobile Data (6 steps) option is designed for a speedy registration process, and assumes that your email and files will be located on a USB memory stick. Choose this option if you want to carry your VS2Go account with you, and access it from different computers. The Control: Hands on for Mobile Data (10 steps) option is designed for users who want to be informed of all the possible options, in order to select the account configuration that is appropriate for them. You can also decide on the storage location for your private key as well.

An Example of a VaultletSuite 2 Go Account Creation and Registration
The account type used in the example which follows is based on the Control: Hands on for Mobile Data (10 steps) option, as its features and settings will most likely apply to the majority of our users.

Note: Although users are welcome to choose other account type options, please read through the next section, as these steps may also be applicable to your account creation and registration, regardless of your account type.

Step 1. Check the desired account creation option, and then perform the following steps where they may apply. A key pair is the main component in keeping your email communications private and secure; after you have chosen the account type, you must generate a key pair to be associated with it.

Step 2. Click to activate the following screen:

Warm up the key pair generator by trying to click on the jittery square screen

Step 3. Click the coloured square at least twice as it moves randomly and rapidly on the Warm up the key pair generator by trying to click on the jittery square pane to activate the following screen:

Which do you value more: fine grained control or simplicity window

Warning! A private key cannot be replaced once the original is compromised or lost. A private key is the only way to decrypt the files and messages in your account. If you choose to store the private key locally, you must neither damage nor lose this private key file, regardless of whether it is stored on your computer or a USB memory stick. As such, the Control option (see below) is for Advanced and Experienced users who are used to managing their private keys in a safe and secure manner. It also allows only you to decrypt your messages. If you prefer to store the private key on the VaultletSoft servers (the Simplicity option, see below) - you will no longer have to worry about losing it or accessing the account from a remote location. You will place the responsibility on the VaultletSoft Company to keep your key secure. In either situation, you must create an exceptionally long passphrase to protect your private key.

Step 4. Select the Simplicity option from the Which do you value more? drop-down list for this exercise as shown above. Step 5. Click to reveal the following screen:

The Current step: Create your account registration form

Step 6. Enter the required information into their corresponding text fields; although you may certainly enter your desired passphrase manually, perhaps this is an excellent opportunity to learn more about using the VaultletSuite 2 Go Virtual Keyboard. Note: Your current email address will be used to reset your passphrase in the future or to send you important account notifications. Note: To increase the anonymity of your VS2Go account, consider registering with a fictitious name and not providing an alternate email address. Bear in mind, however, that by not setting an alternate email address, you will not be able to reset your passphrase, should you forget it in the future. Your preferred account name should not contain any spaces and must be unique. It will be used in your VS2Go email address, for instance,

Step 7. Click to activate the following pop-up message, explaining the VaultletSoft commitment to non-profits, educational and press organizations:

The Free License for Non-Profits, Educational and Press Use

Step 8. Click to close the Free License for Non-Profits, Educational and Press Use pop-up message.

How to Use the Virtual Keyboard

The VS2Go virtual keyboard offers you a secure method for entering the passphrase. This option can protect your passphrase from being recorded by a key-logging program that could have been installed if you have left your computer unguarded or at public terminals.

Step 9. Click to activate the Virtual Keyboard as follows:

The Virtual Keyboard

Note: The two passphrases must match and be 8 characters or more in length.

Step 10. Click the keys that correspond to your passphrase on the Virtual Keyboard.

Step 11. Re-enter the passphrase using the virtual keyboard for the second time, and then click when finished.

The VaultletSuite 2 Go Account Registration Example

Step 11. Click after your passphrases match, and continue the registration process by activating the following screen:

The Read Our End User License Agreement screen

Step 12. Select Yes from both drop-down menus to continue, and then click to activate the following pop-up message:


The Enter your beneficiary and referrer information pop-up message

Step 13. Click to activate the VS2Go beneficiary and referrer information screen as follows:

The Enter your beneficiary and referrer information form

Note: Leave the Beneficiary group and Referrer drop-down lists unselected to better preserve your account anonymity, as indicated in the Figure above.

Step 14. Select Special Blue Account from the subscription options (if this is not already the default item).

Important: The Blue account provides access to most of the VaultletSuite features for one year. After 11 months, you will be notified that your yearly subscription period is almost over, and you will be presented with different opportunities to renew it. The Blue account lets users store 256 megabytes of files and messages for a period of 6 months on the VaultletSoft servers. However, you are strongly recommended to regularly archive your files and messages, to avoid accidental loss of information. Note: Click to activate a VaultletSuite web page listing different account types.

After you have completed the beneficiary and referrer information form, it should resemble what is shown above.

How to Choose an Appropriate File Storage Option

At this stage of the account creation process, you must specify where to store your VS2Go account files: on your computer, the VaultletSoft server or a USB memory stick. The VaultletSuite 2 Go Disk Locator window presents four options, and by checking each option radio button, you can review the detailed explanations, and determine what file storage option is best suited to your lifestyle or needs. Important: If you choose to store your files on a USB memory stick, you must always keep it with you; otherwise you will be unable to access your account and archived messages.

Step 15. Click , and then click to activate the following screen:

The New Account Drive Locator pop-up message

Step 16. Click to activate the VaultletSuite 2 Go Disk Locator window as follows:

The VaultletSuite 2 Go Disk Locator window in default mode

The VaultletSuite 2 Go Disk Locator window is divided into two panes. The Where are you and where do you store your VaultletSuite 2 Go files pane displays the file storage options, and the What does this mean to you? pane displays a more detailed explanation of these options. The Your archives are stored here: section displays messages about whether VaultletSuite has detected your USB memory stick, and whether it requires formatting, among other things. Note: If you choose to store the account files on a removable drive or USB memory stick, it must first be inserted into the computer before you run the VS2Go program. You may also find yourself prompted to specify its location whenever you use different computers.

The Home: this is my main computer and I store my VaultletSuite 2 Go files on my hard drive option. This is the default option the first time the VaultletSuite 2 Go Disk Locator window appears after installation. As its name suggests, you will use only this computer to access your VS2Go account.

The Home: this is my main computer and I do store my VaultletSuite 2 Go files on my USB drive option. This option is ideal for users who need to use VS2Go from different computers, and carry their account files on their USB memory stick. (Remember: Each computer must have the VS2Go software installed and running).

The Roaming: I'm mobile and do not have my VaultletSuite 2 Go files with me option. This option is for users who require access to their VS2Go accounts, but without the ability to access their archives and store old messages in them.

The Roaming: I'm mobile and I have my VaultletSuite 2 Go files with me on my USB drive option. This option lets users both access their VS2Go accounts, and archive their messages.

Note: The majority of users typically use computers both at home and outside, and would probably be best served by the second option; this example is based upon it.

Step 17. Check the Home: this is my main computer and I do store my VaultletSuite 2 Go files on my USB drive option to enable the Autoscan for Removable Drives and I'll show you (Manual) buttons.

Step 18. Insert a USB memory stick into a designated USB port on your computer, and then click to run a VS2Go scan of your computer for removable drives.

Note: If more than one removable drive or USB memory stick is detected, VS2Go will prompt you to select one to serve as your portable archive as follows:

The Multiple Removable Drives Found screen

Step 19. Click to activate the following pop-up message:

The Removable Drive Autoscan Results window

The VaultletSuite 2 Go Disk Locator screen now displays the location of your newly created VS2Go account, and the corresponding folder in which to store your files.

The VaultletSuite 2 Go Disk Locator window

VaultletSuite also lets you change the default folder, or specify another removable drive manually. To do so, perform the following steps:

Step 20. Click to activate the following screen:

The Where Do You Store Your Local VaultletSuite 2 Go Files? navigation window

Step 21. Navigate to the desired drive or folder location.

Step 22. Click to confirm the drive or folder path, and activate the following screen:

The Confirmation pop-up dialog box

Step 23. Click to confirm the drive or folder path, and return to the updated VaultletSuite 2 Go Disk Locator window shown above.

Step 24. Click to display a summary of your account information for review as follows:

The Enjoy! Account Creation Summary pane

Step 25. Click to continue with the VaultletSuite account creation and registration pane; this will probably activate a message window from VaultletSuite announcing the latest features in this version of the software.

Step 26. Click to complete the account creation process, and launch your account window.

Congratulations! Although it may have required a little more effort than the conventional account registration procedures you have encountered with other software in this project, you are now the happy owner of a new VS2Go email account. You may be presented with a VS2Go System Message describing some new features of the software.

How to Update the VaultletSuite 2 Go Program

To accommodate users with low or restricted bandwidth, VS2Go organizes software updates as being either Important or Optional. However, VS2Go updates which are described in the update window as Important or Important Partial must be installed before you may continue using it. Important updates include improvements to existing functionality and security fixes. Upon launching VS2Go, you may be prompted to update your software with the latest VS2Go fix or software patch. Click the Yes button to accept and install the software update.

The Optional Small Update Available message screen

The Important Partial Update Available message screen

Another Important Partial Update Available message screen

The updates will automatically download and install themselves on your computer or removable drive.

How to Use Your VaultletSuite 2 Go Account

How to Use Your Account

After you have successfully created and registered your VaultletSuite 2 Go (henceforth VS2Go) account, and subsequently, every time you log into your account, you will be using one of the most secure email systems available on today's Internet! Note: All the screens you encounter while using VS2Go can be easily and elegantly re-sized; therefore, do not worry if the appearance of your own VS2Go account screens does not exactly match those presented throughout this guide. Tip: Passing your cursor over a particular button or feature will display its associated description as shown in this example:

An example of a roll-over tip associated with the Address Book feature

An overview of the basic or most commonly used functions and tasks related to both of the following screens will be presented to help you get started. To begin using your VS2Go account, perform the following steps:

Step 1. Click or select Start > Programs > VaultletSuite2Go > VaultletSuite2Go to activate the following screens:

An example of The Welcome to the VaultletSuite 2 Go! window with the Account and Passphrase fields completed by a fictional user

The VaultletSuite 2 Go console with all buttons enabled after log in

Step 2. Click to activate the following screen:

An Example of the VaultletSuite 2 Go Email window

A series of Starting a New VaultletSuite 2 Go Session progress status bars will present themselves, as your account information is retrieved. Note: If you are accessing your account using a different computer from the last one you used, VS2Go will prompt you for the location of your VaultletSuite archives and files. An information window may pop up to tell you about some new features in VS2Go.

How to Compose and Send a Message

In the following example, an email exchange takes place between two VaultletSoft users (that is, those with an address). VaultletMail will automatically encrypt all messages to other VS2Go recipients. For instructions on how to encrypt messages to people who do not have a VaultletSoft account, please refer to the About the SpecialDelivery Feature section.

Step 1. Click to activate the following screen:

The VaultletMail Composer :: New Message window

Step 2. Compose your message, and enter a recipient as shown in the Figure above, and then click to send your message and be returned to the figure "An Example of the VaultletSuite 2 Go Email window". VS2Go functions just like any other email client. Basically, you compose messages, choose recipients and send them, as well as delete them or archive or store them on your computer hard drive or USB memory stick.

How to Transfer Your Messages to the Archive

VS2Go also offers a wide range of advanced security features not offered by conventional email clients, among them the ability to archive emails and files. All new messages, both sent and received, are initially stored on the VaultletSoft servers, which provide storage for a limited time and space. The left sidebar in the VaultletMail window is divided into the VaultletMail Server (remote) and Your Drive (local) as shown above. The dotted lines in the Figure below show how the folders correspond to each other:

How the VaultletMail Server folders correspond to the Your Drive folders

Given the limited amount of storage capacity available to free users, and for your own freedom of use and security, you must transfer your messages to your computer or removable device on a regular basis. The size of your local folders can be as big as the computer or removable drive allows. Note: All your messages will be stored using VS2Go secure encryption.

Step 1. Select the message(s) you would like to save to your local folder.

Step 2. Either click or select Message > Archive from the menu bar.

Reminder: If you enabled the Mobile option during your account creation and registration, then you must carry your removable hard drive or USB memory stick at all times if you want to access your archived messages. However, you may continue to compose, send and receive messages without your removable device.

How to Use the VaultletFiler

VS2Go offers secure file storage and uses the archive (created on your computer or USB memory stick) for this purpose. You can transfer multiple files to be protected by VS2Go encryption, and access them from your computer or removable device. Note: Bear in mind that even though files are automatically encrypted on your computer or USB memory stick, they can only be accessed if you are connected to the Internet and logged into your account. (Future releases of VaultletSuite 2 Go aim to incorporate access to these functions offline). The VaultletFiler is accessed through the VaultletSuite 2 Go main console.

Step 1. Select VaultletSuite 2 Go > VaultletFiler as shown below:

Selecting the VaultletFiler item from the VaultletSuite 2 Go console

This will activate the VaultletFiler window as follows:

The VaultletFiler window

How to Import and Encrypt a File in VaultletFiler

To import (or transfer) documents using the VaultletFiler, perform the following steps:

Step 1. Click to activate the following screen:

The Which File(s) Do You Want to Import navigation window

Step 2. Select the file(s) to be imported, and then click to activate a series of File Encryption Status bars until the following screen appears:

The file now appears in the Vaultlet Files:: Encrypted Files window as follows:

The encrypted file displayed in the VaultletFiler

How to Export and Decrypt a File in VaultletFiler

Before you can access and work with your encrypted file(s) later, you must first export and then decrypt them. To export and decrypt a file, perform the following steps:

Step 1. Select the file to be exported from the Encrypted Files window, and then click to activate the following window:

The file selected for Export displayed in the What Directory Do You Want to Export [Name of File] To? navigation window

Step 2. Navigate to the destination directory to which the file is to be exported, and then click to activate the following prompt screen:

The Confirm Decryption confirmation prompt

To access (that is, use or work with) this file, you must first decrypt it.

Step 3. Click to activate a series of File Decryption Status progress bars. After the decryption and export process has been completed, navigate to the export destination directory to view your newly decrypted and exported file.

How to Use the PasswordValet

Note: The PasswordValet is designed for use with the VS2Go software. Therefore, users must have an Internet connection and the VS2Go software installed on any computer they are using. However, future versions of VS2Go will include an off-line capability. For users who may need to access their account information when using computers which do not have VaultletSuite 2 Go installed on them, we strongly recommend KeePass, in addition to VS2Go. The PasswordValet feature is basically a text editor that lets you enter and store valuable account information in a private and secure manner.

Step 1. Click or select Start > Programs > VaultletSuite2Go > VaultletSuite2Go to activate the Figures "login pane" and "The VaultletSuite 2 Go console with all buttons enabled after log in".

Step 2. Click to activate the following screen:

The PasswordValet main window

Note: If you did not specify a local or removable drive or USB key during the account creation process, you may do so here. Alternatively, you may store your account information on the VaultletSoft servers.

Step 3. Click to activate a blank version of the following screen:

The PasswordValet: Your new PasswordValet's name here window

Step 4. Enter the account-related information into their respective fields so that your own window resembles the Figure above:

Step 5. Click to save all your account-related information, and then select the Logout item from the PasswordValet menu, to exit and close the PasswordValet.

Step 6. Click in the VS2Go console to open the PasswordValet again.

Step 7. Click to retrieve the account information file stored on your hard drive, as follows:

An example of the PasswordValet window displaying the automatically encrypted file

The account information file appears, displaying the alphanumeric encryption automatically used by the VS2Go software to encrypt your file.

Step 8. Click to access your account information and edit or update it, and then click to save your updates.

How to Use the VaultletSuite 2 Go Advanced Features

About the VaultletSuite 2 Go Advanced Features

VaultletSuite 2 Go (VS2Go) offers three unique features which increase the security of your email communications. This section will describe and show you how to use them.

HalfLife: This feature lets you specify the longevity of an email message once a recipient has opened it. You can specify in advance the number of times a message can be read, or a time limit before it deletes itself. The HalfLife feature is especially useful for making sensitive information inaccessible to a recipient after a given time.

ScopeControl: This feature lets you restrict a recipient's ability to forward your message to others, or copy the content displayed in the original message. The ScopeControl feature is especially useful for preventing a recipient from accidentally 'leaking' your message to a third party.

SpecialDelivery: This feature lets you automatically encrypt email, and apply (if required) the HalfLife and ScopeControl features to recipients outside the VaultletSuite environment. You can maintain your authenticity and privacy when communicating with subscribers using other email services, even unsecured ones.

Unopened Message Withdrawal: VS2Go users may even recall or retract an unopened VaultletMail or SpecialDelivery message within two minutes of sending it. However, future releases of VS2Go will remove this two-minute restriction and users may retract a sent email, provided the recipient has not opened it yet. To recall a message you have sent, open the VS2Go Send folder, select the message header without opening the message, and then delete the message. As long as the message has not been opened by the recipient, the message will be deleted and not sent to your correspondent.

How to Use the HalfLife Feature

Note: VS2Go lets you resize the various screens and windows, which also changes the appearance of the different buttons, and they can be adjusted to reflect their default appearance. Do not worry if the images in this guide do not match your own.

The HalfLife feature is used to limit the amount of time a message can remain in a recipient's mailbox. To apply the HalfLife feature, perform the following steps:

Step 1. Click to activate the HalfLife Editor window as follows:

The HalfLife Editor window

Step 2. Specify the length of time your message is to be displayed before its deletion, or the number of times it can be viewed, or a combination thereof.

Step 3. Click to confirm your specified criteria.

Note: The HalfLife title bar above your message now displays your newly selected settings.

The HalfLife feature title bar reflecting the new settings

Step 4. Compose your message and then click to send your message.

After your recipient has received your message, he or she will be able to view the restrictions you have specified (outlined in black in the Figure below) at the beginning of the email as follows:

The VaultletMail Inbox displaying an email message with a restricted life span

The message will delete itself upon the expiration of the specified time limit and/or the number of viewings. Tip: Click if you would like to either alter or remove the time or viewing restrictions from your email; you do not have to delete your mail and start over!

How to Use the ScopeControl Feature

The ScopeControl feature restricts a recipient from copying or forwarding the content of your email to third parties. This is extremely useful in preventing accidental 'leakage' or sharing of private messages to email lists and unintended recipients.

Step 1. Click to open a VaultletMail Composer: New Mail window.

Step 2. Click and notice the changes in the ScopeControl title bar as follows:

The ScopeControl title bar reflecting the new settings

Your message is now protected from being forwarded to others and from having its content archived, copied or printed.

Tip: Click to remove the ScopeControl restrictions from your email, if you wish.

About the SpecialDelivery Feature

Basically, the SpecialDelivery feature lets you send encrypted messages, and extend both the HalfLife and ScopeControl security features to external (non-VaultletSoft) users. First, you send a regular (or non-encrypted, open-text) message to a (non-VaultletSoft) user with a link for creating a lightweight VS2Go account to access the secure SpecialDelivery Webmail Viewer residing on the VaultletSoft website. The external recipient must create and log into that lightweight VS2Go account to access the SpecialDelivery Webmail Viewer, and to view and respond to an email from a VaultletSoft user in a private and secure manner. Before you begin using the SpecialDelivery feature with an external user, both of you must have already exchanged a secret code phrase or word known only to yourselves. This secret code phrase/word will identify and confirm both parties to be the actual recipient or sender of email messages. VaultletSoft does support all major browsers, and clear instructions are automatically provided in the first VaultletSuite 2 Go email that you receive. VaultletSoft is currently developing plugins (that is, the equivalent of a Firefox add-on or extension) for them, including Internet Explorer, Opera and Safari. Important: Although the initial setup and account creation may seem longer than with most conventional software tools, all future email exchanges will be much quicker and simpler. The benefits of the VaultletSoft SpecialDelivery feature outweigh a relatively small investment of effort and time, provided both your correspondent and you are serious about protecting each other's safety and security when using unsecured email services.

How to Send a Message Using the SpecialDelivery Feature

To send a message to an external recipient, perform the following steps:

Step 1. Click to open a VaultletMail Composer: New Mail window.

Step 2. Enter or select an external (that is, a non-VaultletSoft) email address in the Recipients To: address field. This will automatically disable the Send, Receipt, ScopeControl and HalfLife buttons.

Step 3. Click and notice that the SpecialDelivery title bar displays the following message:

The SpecialDelivery title bar message

The VaultletMail Composer: New Mail message window

Step 4. Compose your message and then click to send it, as shown in the Figure above.

Note: The VS2Go program will automatically detect if your recipient is an external or VaultletSoft user. If you did not enable the SpecialDelivery feature and you attempt to send your message, the External Plaintext Messages Are Not Secure pop-up window will appear, as shown in the following Figure.

Step 5. Enable the Send this message securely via SpecialDelivery and Ask me before I send an unprotected message options, so your own window will appear as follows:

The External Plaintext Messages Are Not Secure message window

Step 6. Click to activate the following screen:

The Introductory SpecialDelivery Message Requirements window

Step 7. Click to close this window.

The Confirm Introductory SpecialDelivery Message prompt box

At this point, you will be prompted to create a secret code word for the intended recipient of your message. Your recipient must enter the exact same code when prompted by the software. This secret code word will be used to authenticate the two communicating parties to each other. Reminder: Authentication, that is the process of identifying oneself as being both the true account owner and correspondent, is performed only once for each new recipient. You and your correspondent should communicate this special code word in either a face-to-face meeting, a secure telephone conversation or by secure instant messaging.

Step 8. Enter a code word at least 8 characters long, and click to send your message to a non-VaultletSoft recipient.

Congratulations! You have just sent your first SpecialDelivery message to an external recipient. Please refer your correspondent to the following sections to learn how to access the SpecialDelivery Webmail Viewer and read and respond to your message.
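The secret code word in Steps 7 and 8 is a pre-shared secret exchanged out of band. The following is an added example, not VaultletSoft's code or protocol, that shows the general idea behind authenticating a message with such a code word: the code word is stretched into a key, a tag is computed over the message, and the recipient can only recompute the tag by entering the same code word. It covers authentication only (SpecialDelivery also encrypts); the names seal and verify and the sample message are assumptions for this illustration.

```python
# Added illustration of authenticating a message with a pre-shared code word.
# This is NOT VaultletSoft's protocol; it only shows the principle behind the
# secret code word in the SpecialDelivery steps. Names and sample data are
# assumptions constructed for this example.
import hashlib
import hmac
import os

MIN_CODE_LEN = 8          # the guide asks for a code word of at least 8 characters
PBKDF2_ROUNDS = 200_000   # key stretching slows down guessing of short code words


def derive_key(code_word: str, salt: bytes) -> bytes:
    """Stretch the shared code word into a 32-byte key bound to a random salt."""
    if len(code_word) < MIN_CODE_LEN:
        raise ValueError(f"code word must be at least {MIN_CODE_LEN} characters")
    return hashlib.pbkdf2_hmac("sha256", code_word.encode("utf-8"), salt,
                               PBKDF2_ROUNDS, dklen=32)


def seal(code_word: str, message: bytes) -> dict:
    """Sender side: attach an HMAC tag that only a holder of the code word can make."""
    salt = os.urandom(16)
    tag = hmac.new(derive_key(code_word, salt), message, "sha256").digest()
    return {"salt": salt, "message": message, "tag": tag}


def verify(code_word: str, sealed: dict) -> bool:
    """Recipient side: recompute the tag with the code word typed at the prompt.

    A wrong code word yields a different key and therefore a different tag;
    compare_digest avoids leaking how many bytes matched through timing.
    """
    expected = hmac.new(derive_key(code_word, sealed["salt"]),
                        sealed["message"], "sha256").digest()
    return hmac.compare_digest(expected, sealed["tag"])


if __name__ == "__main__":
    # Constructed sample: both parties agreed on this code word face to face.
    shared = "blue-kettle-42"
    sealed = seal(shared, b"Meet at the usual place, 10:00")
    print("correct code word accepted:", verify(shared, sealed))         # True
    print("wrong code word accepted:  ", verify("wrong-code-99", sealed))  # False
```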

How External Recipients Access the SpecialDelivery Webmail Viewer

Here, the external (or non-VaultletSoft) recipient of an email from a VaultletSoft user will learn how to access, read and respond to emails using the SpecialDelivery viewer. This involves:

Selecting and copying the content of a VaultletSoft SpecialDelivery email;
Entering the secret code word previously agreed upon by you and your partner when prompted; and
Creating a lightweight version of a VaultletSuite 2 Go account, to send and receive emails in a private and secure manner.

VaultletSoft is designed to work seamlessly with all web browsers, among them Firefox and Internet Explorer. Important: Before you begin, confirm the identity of your correspondent, and that he/she has given you the correct alphanumeric eight-character code. To view a message from a VaultletSoft correspondent, perform the following steps:

Step 1. Log in to your email account (as mentioned earlier, all our examples are based on Gmail) and open your first VaultletSoft email as shown below:

The SpecialDelivery message

Step 2. Right click anywhere within the message to activate the pop-up menu, and then select the Select All item as follows:

The pop-up menu with the Select All item selected

(Alternatively, press the Ctrl and A keys on your keyboard to select all the text on this page.) Note: The contents of your clipboard will be automatically read by the VaultletSuite page and therefore, you do not have to paste them after you have copied them.

Step 3. Activate the pop-up menu again, and then select the Copy item as follows:

The pop-up menu with the Copy item selected

(Alternatively, press the Ctrl and C keys on your keyboard.)

Step 4. Click to activate the following two screens:

The pop-up SpecialDelivery Viewer window

The pop-up SpecialDelivery Viewer window will be followed by another as follows:

The application's digital signature has been verified. Do you want to run the application? prompt box

Note: The Always trust content from this publisher option lets you decide if you want to automatically open all incoming messages or open them on a case-by-case basis.

Step 5. Click to activate the following screen:

The Preparing to display your message screen

The VS2Go system will begin decrypting the message, after which the following screen will appear:

The Message Protected by Secret Code prompt window

Step 6. Enter the alphanumeric secret code word previously agreed upon between you and your VaultletSoft correspondent (resembling the alphanumeric one in the Figure below).

The Message Protected by Secret Code prompt, displaying an example of an alphanumeric secret code word

Warning: Do not use the alphanumeric secret code word shown here, as it has already been exposed to a wide audience in this guide. Be inventive!

Step 7. Click to activate a blank version of the following screen:

The You've Got VaultletMail SpecialDelivery from [] window

This window is used to create a special lightweight VaultletSoft account.

Step 8. Enter the required information in the corresponding text fields so that it resembles the Figure above.

Step 9. Click , which is now enabled; this will activate the following screen:

The SpecialDelivery From [] form

Step 10. Enter the required information in the corresponding text fields so it resembles the following screen:

The SpecialDelivery From [] form (completed)

Step 11. Enter the required information in the corresponding text fields so your own screen resembles the Figure above, and then click to activate the Figure "The Message Protected by Secret Code prompt window" again.

Step 12. Enter the alphanumeric secret code word a second time, and then click .


Note: In the future, you will not be prompted to enter your secret code word to access your email messages from this particular VaultletSoft correspondent. The message will appear resembling the following:

The SpecialDelivery message window

Step 13. Click to compose a response to this email, and then click to activate the following screen:

The VaultletMail SpecialDelivery confirmation dialog box

Step 14. Click to complete sending your first email to a VaultletSoft correspondent - and you're done!

How to Verify if You Have Applied the Advanced Features

Note: You must enlarge your window fully to view the corresponding buttons and title bars associated with the HalfLife, ScopeControl and SpecialDelivery features. To view if or when these extra features are activated or being used, perform the following steps:

Step 1. Click or select Start > Programs > VaultletSuite2Go > VaultletSuite2Go to run the VS2Go console and message window.

Step 2. Log into your account to open your VaultletSoft account.

Step 3. Click to activate the VaultletMail Composer :: New Message window and compose your message.

Step 4. Click in the VaultletMail Composer window to activate the following screen:

The VaultletMail Compose Message window displaying the Advanced features in use

Tip: Alternatively, click to conceal the HalfLife, ScopeControl and SpecialDelivery title bars.

Evolution

What is Evolution?
Evolution is the official personal information manager and mail client for the GNOME Desktop Environment. It is Free Software, licensed under the GPL, making the source code available for modification or scrutiny. It is usually distributed with the GNOME Desktop Environment on Linux, so it is likely already present after installing a Linux distribution that uses GNOME, such as Ubuntu, or available via your distribution's package manager. Evolution is also available for Windows. Its features include email (IMAP and POP), a calendar, an address book and contacts, and GPG encryption support.

Install Evolution

Debian/Ubuntu Linux: Most likely, evolution is already installed. If not,

sudo apt-get install evolution

Windows: Download and install the Windows version.

Setup a New Account in Evolution
1. Press Alt+F2 and enter: evolution

2. If you're running Evolution for the first time, you will be asked if you want to restore your settings from a backup file, if you have one.

3. Enter the name you wish to appear in the From field to your email recipients, along with your email address. You may also choose to make this your default account in Evolution.

4. Enter the following information to receive email for your account:
   Server Type: Choose either IMAP or POP.

5. Server:
   Username:
   Use Secure Connection: TLS is recommended
   Authentication Type: Password

6. The next screen has 4 sections. Connection to Server and Folders can be safely ignored. In the Checking for New Mail section, enter how often (in minutes) you want Evolution to check for new email automatically, or leave it unchecked to check for email only when you manually instruct Evolution to do so. The Options section allows you to apply spam filtering to your incoming email and to automatically keep local copies of your email for disconnected access (applies to IMAP only).

7. Enter the following information to send email from your account:
   Server Type: SMTP
   Server:
   Check Server requires Authentication
   Use Secure Connection: SSL is recommended in order to avoid network problems.
   Authentication Type: PLAIN
   Username: foobar

8. Give the account you're creating a name. This is only used for your reference when managing multiple accounts in Evolution and is not disclosed to recipients of your emails.

9. Click Apply. You're finished! You can now use Evolution to send and receive email through Riseup's servers.

Setup OpenPGP Encryption in Evolution
All that is necessary to work with encrypted emails in Evolution is to tell Evolution the OpenPGP KEY ID for your account and then to select encryption every time you send an email.

1. First, generate an OpenPGP key pair, if you haven't done so already.

2. Go to Edit → Preferences.

3. In the Mail Accounts section, select the account you wish to link to your OpenPGP key and press the Edit button.

4. Click the Security tab.

5. Enter your OpenPGP KEY ID (see Howto Setup OpenPGP Keys to find your KEY ID). Select Always encrypt to myself when sending encrypted messages; this encrypts the copy saved in your Sent folder on the email server with your own key so you are able to decrypt it later. UNCONFIRMED: Always trust keys in my keyring when encrypting enables you to communicate with people in your keyring whose keys you haven't signed. You can ignore the Secure MIME section. Please note: "Always sign" is not the same as "Always encrypt"; signing an email is different from encrypting it and does not make the message unreadable to third parties.

6. Click OK. You are now able to encrypt and decrypt emails in Evolution!

Send Encrypted emails
1. Compose a new email.

2. Select Security → PGP Encrypt.

The email you're composing will now be encrypted upon being sent! You can always verify that your email is going to be encrypted by opening the Security menu and checking that there is a checkmark next to PGP Encrypt. Unfortunately, there currently doesn't appear to be any way to enable encryption by default, either globally or per contact, meaning that every time you want to encrypt an email to someone you have to go to Security → PGP Encrypt to enable encryption; otherwise your email will be readable by third parties.

Gmail Configuration in Evolution Mail Client
Ubuntu provides a very decent alternative to Microsoft Outlook: the Evolution Mail Client. Evolution is a very functional application which, in addition to mail, integrates a calendar, address book, to-do list, memo tools and more. One of the nice things about this software is that it is part of the GNOME desktop environment, so there is no need to install it. Because Gmail configuration has some distinctive features, we review it in detail to help you avoid the problems that may appear.

Configuration of Gmail using POP3

Here are the steps to follow:

1) Open the browser, log in to your Gmail account and click "Settings":

2) Choose “Forwarding and POP/IMAP” panel, make sure that POP is enabled and choose “keep Gmail’s copy in the Inbox” option (2nd point of POP Download section):

3) Click on the Evolution icon (upper panel) or go to: Applications > Internet > Evolution Mail:

4) Click “Forward” button on the Welcome window:

Because we are configuring mail for the first time, skip this option and click "Forward":

Write your name, email address and Reply-to:

Choose “POP” from the drop-down menu, write everything as you see on the screenshot, of course, you have to type your email address (Username field):

Check “Leave messages on server” and change the update interval (“Check for new messages every … minutes”), by default it’s 10 minutes:

Secure Instant Messaging with OTR
Just like with email, a secure communications channel requires that both you and your instant messaging contacts use the same software and take the same security precautions. There is a chat program called Pidgin that supports many existing instant messaging protocols, which means that you can easily begin using it without having to change your account name or recreate your list of contacts. In order to have private, encrypted conversations through Pidgin, you will need to install and activate the Off-the-Record (OTR) plug-in. Fortunately, this is a fairly simple process. Skype, which is a common VoIP tool, also supports instant messaging. While using Skype is probably more secure than using one of the alternatives without the OTR plugin, it has two important drawbacks. First, it only allows you to chat with other Skype users, whereas Pidgin can be used to communicate securely with nearly all other instant messaging services. Second, because it is closed-source, it is impossible to verify the strength of its encryption.

How to use OTR to encrypt your instant messages

• Introduction to OTR
• Installing OTR
  o Linux
  o Windows
  o Mac

Introduction to OTR
Off-the-Record Messaging (OTR) adds end-to-end encryption for chat messages. It has many features:

• Encryption: All the encryption takes place on your devices. This protects your conversation from being read by others, even over insecure networks and untrusted chat providers.
• Authentication: You know if the person is who they say they are.
• Deniability: The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages she sees are authentic and unmodified.
• Perfect forward secrecy: If you lose control of your private keys, no previous conversation is compromised.

Installing OTR
Here, we will be using OTR with Pidgin: Pidgin has the most mature implementation of OTR, and runs on Windows, Linux, and Mac.

Linux

Press Alt+F2 and run: gnome-terminal

Copy the following line into the new terminal window and hit Enter:

sudo apt-get install pidgin-otr

To run Pidgin, press Alt+F2 and type: pidgin

Windows

Visit the Pidgin download site.

Mac

Pidgin can be run on the Mac, but it is much easier to run Adium instead. Adium is a native port of Pidgin to Mac OS. Download Adium.

About Pidgin
Pidgin is a free and open source client that lets you organize and manage your different Instant Messaging (IM) accounts using a single interface. The Off-the-Record (OTR) plug-in designed for use with Pidgin ensures authenticated and secure communications between Pidgin users.

Computer Requirements

• An Internet connection
• All Windows versions

GNU Linux, Mac OS and other Microsoft Windows Compatible Programs: Both Pidgin and OTR are available for Microsoft Windows and for GNU/Linux. Another multi-protocol IM program for Microsoft Windows that supports OTR is Miranda IM. For Mac OS we recommend using Adium, a multi-protocol IM program that supports the OTR plugin.

Before you can start using Pidgin you must have an existing IM account, after which you will register that account to Pidgin. For instance, if you have an email account with Gmail, you can use their IM service GoogleTalk with Pidgin. The log-in details of your existing IM account are used to register and access your account through Pidgin.

Note: All users are encouraged to learn as much as possible about the privacy and security policies of their Instant Messaging Service Provider.

Pidgin supports the following IM services: AIM, Bonjour, Gadu-Gadu, Google Talk, Groupwise, ICQ, IRC, MIRC, MSN, MXit, QQ, SILC, SIMPLE, Yahoo!, Zephyr and any IM clients running the XMPP messaging protocol.

Pidgin does not permit communication between different IM services. For instance, if you are using Pidgin to access your Google Talk account, you will not be able to chat with a friend using an ICQ account. However, Pidgin can be configured to manage multiple accounts based on any of the supported messaging protocols. That is, you may simultaneously use both Gmail and ICQ accounts, and chat with correspondents using either of those specific services. Pidgin is strongly recommended for IM sessions, as it offers a greater degree of security than alternative messaging clients, and does not come bundled with unnecessary adware or spyware which may compromise your privacy and security.

Off-the-Record (OTR) messaging is a plugin developed specifically for Pidgin. It offers the following privacy and security features:

• Authentication: You are assured the correspondent is who you think it is.
• Deniability: After the chat session is finished, messages cannot be identified as originating from either your correspondent or you.
• Encryption: No one else can access and read your instant messages.
• Perfect Forward Secrecy: If a third party obtains your private keys, no previous conversations are compromised.

Note: Pidgin must be installed before the OTR plugin.

Portable Pidgin and OTR
There are no other differences between Portable Pidgin and the version designed to be installed on a local computer.

How to Download and Extract Portable Pidgin

To begin downloading and extracting Portable Pidgin, perform the following steps:

Step 1. Click to be directed to the appropriate download site.

Step 2. Click to activate its associated Source Forge download page.

Step 3. Click to save the installation file to your computer; then navigate to it.

Step 4. Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:

The Language Installer window

Step 5. Click to activate the following screen:

The Pidgin Portable | window

Step 6. Click to activate the following screen:

The Choose Components window

Note: Click to enable the option, and include multilingual support if you would prefer to use Portable Pidgin in a language other than English. Enabling this option will make the extraction process a little bit longer.

Step 7. Click to activate the Choose Install Location window, and then click to activate the following screen:

The Browse for Folder window

Step 8. Navigate to the destination external hard drive or USB memory stick, select it and then click to confirm its location and return to the Choose Install Location window.

Step 9. Click to begin extracting Portable Pidgin to the specified folder; then click to complete the installation process.

Step 10. Navigate to your destination external drive or USB memory stick, as shown in the figure below, and then open it to confirm that the Portable Pidgin program was successfully extracted.

The Browse for Folder window

Before you may begin using Portable Pidgin in a safe and secure manner, you must first download and extract its complementary portable Off-the-Record (OTR) plugin.

How to Download and Extract Portable Pidgin OTR

Step 1. Click to be directed to the appropriate download site.

Step 2. Click to activate the Pidgin-OTR_Portable_3.2_Rev_2.paf.exe download window, and then click to save the installation file to your computer.

Step 3. Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the Installer Language window.

Step 4. Click to activate the Pidgin-OTR Portable | window.

Step 5. Click to activate the Choose Install Location window.

Step 6. Click to activate its associated Browse for Folder window.

Step 7. Navigate to the destination external hard drive or USB memory stick, select it and then click to confirm its location and return to the Choose Install Location window.

Step 8. Click to begin extracting Portable Pidgin to the specified folder; click to complete the installation process.

Step 9. Navigate to your destination external drive or USB memory stick, and then open the Portable Pidgin program folder.

Step 10. Double click to launch Portable Pidgin.

How to Install the Pidgin and OTR software

How to Install Pidgin

Step 1. Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:

The Install Language confirmation box

Step 2. Click to activate the Welcome to the Pidgin 2.7.11 Setup Wizard screen.

Step 3. Click to activate the License Agreement screen; after you have read the License Agreement, click to activate the Pidgin 2.7.11 Setup - Choose Components window.

Step 4. Click to activate the Pidgin 2.7.11 Setup - Choose Install Location window.

Step 5. Click to accept the default installation path and activate the Pidgin 2.7.11 Setup - Installing window to begin installing the Pidgin software. A number of folders and files will be installed in rapid succession; after the installation process has been completed, the Pidgin 2.7.11 Setup - Installation Complete window will appear.

Step 6. Click to activate the Completing the Pidgin 2.7.11 Setup Wizard.

The following step is optional: Step 7. Check the option, if you would like to launch Pidgin immediately.

Note: During Step 3 of the installation process, Pidgin was configured to be included in the Start > Programs list, and can be launched from there in the future.

Step 8. Click to complete installing Pidgin.

How to Install the Off-The-Record (OTR) Engine

Step 1. Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:

The Welcome to the pidgin-otr 3.2.0-1 Setup Wizard

Step 3. Click to activate the License Agreement screen; after you have completed reading the License Agreement, click to activate the pidgin-otr 3.2.0-1 Setup - Choose Install Location screen.

Step 4. Click to begin the installation process.

Step 5. Click to complete installing the Pidgin-OTR messaging software engine.

After you have completed installing both Pidgin and OTR, the following icon will appear in the Windows task bar:

The Pidgin-OTR icon outlined in black

Congratulations! You have successfully completed installing both the Pidgin and OTR programs!

How to Register and Set up Your Account to Pidgin
An Overview of the Account Registration and Setup Process in Pidgin

There are four basic steps in the Pidgin account registration and setup process: registering an existing IM account to Pidgin, adding a correspondent (or buddy, as he/she is referred to in the Pidgin universe), getting your buddy to do the same, and lastly accessing the chat window for your first chat session. Given that chat or IM sessions take place between two parties, the examples here describe how the various forms and windows appear to both buddies/correspondents (represented by two fictional characters, Salima and Terence) at different stages of the account registration and setup process. All examples are based on the Google Talk protocol.

Note: Before you can start using Pidgin, you must already have an Instant Messaging (IM) account with one of the supported services. If you would like to create an IM account, we strongly recommend a Google Talk account.

How to Register Your Instant Messaging Account to Pidgin

To register your IM account to Pidgin, perform the following steps:

Step 1. Click or select Start > Pidgin to launch Pidgin. The first time you use Pidgin, the following screen will appear:

The Accounts confirmation window

Step 2. Click to activate a blank Add Account window as follows:

The Add Account screen displaying Basic, Advanced and Proxy tabs

Step 3. Click the Protocol drop-down list to view the IM service protocols supported by Pidgin as follows:

The Add Account window displaying a list of supported IM protocols

Step 4. Select the appropriate IM protocol.

Note: Different IM service providers display their own specific text fields for you to fill in. Some of them are filled in automatically (for example, if you select Google Talk, the Domain text field is completed for you). However, all services require you to enter a username and a password.

Step 5. Type in your email address in the Username field.

Step 6. Type in your password for this specific account in the Password field.

Step 7. Type a nickname you would like to be identified by in the Local Alias field. (This field is optional.)

Important: To optimize your privacy and security, do not enable the Remember password option. This means that Pidgin will prompt you for your password whenever you log in to chat online. Doing this prevents imposters from logging in and pretending to be you if you happen to leave your computer unattended for some time. Also, remember to select the Quit item from the Buddies drop-down menu after finishing your chat session!

A completed Add Account screen would resemble the following:

An example of a completed Add Account form

Tip: Google Talk, IRC, SILC and XMPP clients can easily request an encrypted connection.

Step 8. Click to complete adding your account, and simultaneously activate an updated Accounts window and the Buddy List screen as follows:

An updated Accounts window

The Buddy List in Active mode

After completing these steps, you are now ready to register your Pidgin buddies by entering their contact information.

How to Add a Buddy in Pidgin

Adding buddies or correspondents in Pidgin involves adding and saving their contact information. In the example that follows, Terence will add Salima as his buddy. To add a buddy to your IM account in Pidgin, perform the following steps:

Step 1. Click Buddies to activate its corresponding menu, and then select the + Add Buddy... item as follows:

The Buddy List menu with the "Add Buddy..." item selected

This will activate the following screen:

The Add Buddy window

Step 2. If you have multiple accounts, select the account that corresponds to the same messaging service as your 'buddy'.

Note: Both your buddy and yourself must be using the same messaging service, even if he/she is not using Pidgin. You cannot add an ICQ or MSN buddy to a Google Talk account. However, you can register and use multiple accounts based on these supported protocols in Pidgin, whereby you may chat with one buddy over Google Talk and with another using ICQ or MSN.

Step 3. Type in your buddy's email address in the Username field.

The following step is optional.

Step 4. Type in an Alias or nickname for your buddy in the (Optional) Alias field, so that your Add Buddy form resembles the following screen:

An example of a completed Add Buddy form

Step 5. Click to add your buddy.

Note: This will send a message to her/him requesting his/her approval or authorization of your buddy request, and will appear in her/his Buddy List as follows:

Terence's Buddy List displaying Salima as his buddy

At this point, your buddy must perform the following step:

Step 6. Click to add this person as your buddy and display her/him in your Buddy List as follows:

The Authorize buddy request as it appears on Salima's Buddy List

Note: In the example above, Salima's Alias or nickname is displayed, adding yet another level of identity protection.

How Your Pidgin Correspondent Adds You as a Buddy

After you have added, authorised and confirmed your Pidgin chat buddy, he/she must now do the same with your IM contact information. This example shows how Salima will in turn add, authorize and confirm Terence as her chat buddy in Pidgin. After Salima has completed steps 1 through 3, her Add Buddy window appears as follows:

Salima's Add Buddy window

Salima will then click to simultaneously add Terence as her buddy and send an authorization request to Terence as follows:

The Authorize buddy request as it appears to Terence

Note: If you place your cursor over a buddy in the Buddy List, an information pop-up message will appear as follows:

Salima's Buddy List window displaying Terence as her newly created buddy

How to Open an IM window in Pidgin

To open an IM chat window in Pidgin, perform the following steps:

Step 1. Right click your buddy's name in the Buddy List to activate a pop-up menu listing all the tasks you can perform as follows:

The Buddy tasks menu

Step 2. Select the IM item from the pop-up menu to activate a typical chat window as follows:

A typical chat window in Pidgin

Now you are almost ready to chat with your buddy using Pidgin. First, however, you must configure the OTR engine to ensure that your chat sessions will be private and secure.

How to Re-enable an Account in Pidgin

From time to time, you might find your Pidgin account has been disabled; perhaps your Internet connection has been interrupted, or your computer may have frozen. Both situations might result in your Pidgin account being improperly closed or shut down - and disabled. Fortunately, Pidgin offers a variety of ways in which to re-enable your account. To re-enable your account(s), perform the following steps:

Step 1. Click or select Start > Pidgin to launch Pidgin.

Step 2. Open the Accounts menu, and then select the Manage Accounts item as follows:

The Accounts menu with the Manage Accounts item selected

This will open the following screen:

The Accounts window displaying a disabled account

Step 3. Click the check box next to your account to activate the Pidgin password prompt as follows:

The Pidgin password prompt dialog box

Step 4. Type in your password so your own Pidgin password prompt dialog box resembles the following:

The Pidgin password prompt dialog box with the Enter password field completed

Step 5. Click to complete re-enabling your account as follows:

An example of a successfully re-enabled account

Step 6. Click to close the Accounts window.

Setting up OTR in brief
Now, with both Pidgin and OTR installed:

• Select Tools > Plugins from the main window.
• Enable the Off-The-Record Messaging plugin and click the Configure button.
• Select your account from the list and click Generate.

IMPORTANT NOTE: Under "Default OTR Settings" select both Require private messaging and Don't log OTR conversations. This guarantees that you only have encrypted conversations and that you aren't logging your past conversations. Remember that it is always possible for the person you are talking with to log the conversation. It is a good idea to ask whether that person logs OTR conversations.

Adding Buddies to your Contacts

• To add a Buddy, from the main Pidgin window select Buddies > Add Buddy. Make sure to select your account and to spell your buddy's username correctly when filling it in. You have the option of creating groups to categorize your buddies. Click Add.
• Once your buddies have been added and are available to chat they will appear in the main Pidgin window. To start chatting, double-click on a buddy's username in the list.

 

Setting up an account with a different domain
The XMPP server is part of your XMPP ID: the part after the @ is the server to use. When entering your XMPP account information into Pidgin, specify everything before the @ (foo in the example ID) in the Username field and everything after the @ in the Domain field. Here is an example, with optional values in the Basic and Advanced tabs:

Optionally, set the local alias to be your name, and add an icon for yourself. Other people will see this icon in their Jabber client. Do not check "Create this new account on the server." This is not supported.

• Connection security: Require Encryption (important!)
• File transfer proxies:

(3) Click OK

Using OTR to Initiate a Secure Messaging Session in Pidgin

About Pidgin and OTR

Both your correspondent and you must configure the OTR plugin before you can enable private and secure Instant Messaging (IM) sessions. Given that this OTR plugin was designed especially for Pidgin, it will automatically detect when both parties have installed and properly configured the OTR plugin.

Note: If you request a private conversation with a friend who has neither installed nor configured OTR, it will automatically send a message explaining how they can obtain the OTR plugin.

How to Configure the Pidgin-OTR Plugin

To enable the OTR plugin, perform the following steps:

Step 1. Double click or select Start > Programs > Pidgin to launch Pidgin and activate the Buddy List window in the figure below.

Step 2. Open the Tools menu, and then select the Plugins item as follows:

The Buddy List window with the Plugins item selected from the Tools menu

This will activate the Plugins window as follows:

Step 2. Scroll down to the Off-the-Record Messaging option, and then click its associated check box to enable it.

The Pidgin Plugins window with Off-the-Record Messaging selected

Step 3. Click to begin configuring the Off-the-Record Messaging windows.

Basically, there are 3 steps involved in configuring OTR properly to effectively enable private and secure IM sessions and they are explained below:

The First Step: This involves generating a unique private key associated with your account, and displaying its fingerprint. The next two steps involve securing the IM session and authenticating your buddies.

The Second Step: This involves one party requesting a private and secure messaging session with another party currently on-line.

The Third Step: This involves authenticating or verifying the identity of your Pidgin buddy. (Note: In Pidgin, a buddy is anyone you correspond with during IM sessions.) This process of verifying a buddy's identity is referred to as authentication in Pidgin. It means establishing that your buddy is exactly the person he/she claims to be.

The First Step - How to Generate a Private Key and Display its Fingerprint

Secure chat sessions in Pidgin are enabled by generating a private key for the relevant account. The Off-the-Record configuration window is divided into the Config and the Known fingerprints tabs. The Config tab is used to generate a key for each of your accounts and to set specific OTR options. The Known fingerprints tab contains your friends' keys. You must possess a key for any buddy with whom you wish to chat privately.

The Off-the-Record Messaging screen displaying the Config tab

Step 1. To optimise your privacy, check the Enable private messaging, Automatically initiate private messaging and Don't log OTR conversations options in the Config tab as shown in the figure above.

Step 2. Click to begin generating your secure key; a screen notifying you that a private key is being generated appears as follows:

The Generating private key confirmation box

Note: Your buddy must perform the same steps for his/her own account.

Step 3. Click after the private key (which resembles the following) has been generated:

An example of a fingerprint of the key generated by the OTR engine

Important: You have now created a private key for your account. This will be used to encrypt your conversations so that nobody else can read them, even if they do manage to monitor your chat sessions. The fingerprint is a long sequence of letters and numbers used to identify the key for a particular account, as shown in the figure above. Pidgin automatically saves and verifies your fingerprint, and those of your buddies, so that you will not have to remember them.

The Second Step - How to Authenticate a Private Conversation

Step 1. Double-click the account of a buddy who is currently on-line to begin a new IM conversation. If both of you have the OTR plugin installed and properly configured, you will notice that a new OTR button appears at the bottom right corner of your chat window.

A Pidgin messaging window displaying the OTR icon outlined in black

Step 2. Click to activate its associated pop-up menu, and then select the Start private conversation item as follows:

The pop-up menu with the Start private conversation item selected

Your Pidgin IM window will then resemble the following screen:

The Pidgin IM window displaying the Unverified button

Note: Pidgin automatically begins communicating with your buddy's IM program and generating messages whenever you attempt to enable a private and secure chat session. As a result, the OTR button changes to , indicating that you are now able to have an encrypted conversation with your buddy.

Warning! Although this conversation is now secure, the identity of your buddy has not been verified yet. Beware: Your buddy might actually be someone else pretending to be your buddy.

The Third Step - How to Authenticate the Identity of Your Pidgin Buddy

You may use one of three methods of identification to authenticate your Pidgin buddy: 1) a pre-arranged secret code phrase or word, 2) a question whose answer is known only to the two of you, or 3) manual verification of your key fingerprints using a different method of communication.

The Secret Code Phrase or Word Method

You can arrange a code phrase or word in advance, either by meeting each other in person or by using another communications medium (like a telephone, voice chat by Skype or a mobile phone text message). Once you both type the same code phrase or word, your session will be authenticated.

Note: The OTR secret code word recognition feature is case sensitive, that is, it can determine the difference between capital (A,B,C) letters and lower case (a,b,c) ones. Bear this in mind when inventing a secret code phrase or word!

Step 1. Click the OTR button in the chat window, and then select the Authenticate Buddy item as follows:

The Unverified pop-up menu with the Authenticate buddy item selected

This will activate the Authenticate Buddy window, prompting you to select an authentication method.

Step 2. Click and select Shared Secret as follows:

The Authenticate buddy screen with the drop-down list revealed

Step 3. Enter the secret code word or phrase as follows:

The Shared Secret screen

Step 4. Click to activate the following screen:

The Authenticate Buddy window for a fictitious correspondent

Note: At this time your buddy will see window shown on figure below at his/her end and will have to enter the same code word. If they match, your session will be authenticated.

The Authenticate Buddy window for a fictitious correspondent

Once the session is authenticated, the OTR button will change accordingly. Your session is now secure and you can be sure that you are really speaking with your buddy.

The Question and Answer Method
Another method of authenticating each other is the question and answer method. Create a question and an answer to it. After reading the question, your buddy must type in the exact answer; if their answer matches yours, your identity will be automatically authenticated.

Step 1. Click the OTR menu in the active message window to activate its associated pop-up menu, and then select the Authenticate Buddy item.

A Pidgin chat window displaying the OTR icon

An Authenticate Buddy window will pop up, prompting you to choose the method for authentication.

Step 2. Click the drop-down menu and select the Question and Answer item as follows:

The Authenticate buddy screen

Step 3. Enter a question and its corresponding answer. This question will be sent to your buddy.

The Question and Answer screen

If your buddy's answer matches yours, then your identities will have been mutually authenticated, and both parties are who they claim to be!

Once the session has been authenticated, the OTR button will change accordingly. Your session will now be secure and you can be certain of your chat buddy's identity.

Notice that when you select Buddy List > Tools > Plugins > Off The Record Messaging > Configure Plugin, the Known fingerprints tab now displays your buddy's account, and a message that their identity has been verified.

The Off-the-Record Messaging screen displaying the Known Fingerprints tab

Congratulations! You may now chat privately. The next time you and your buddy chat (using the same computers), you can skip the first and third steps above. You should only have to request a secure connection and have your buddy accept it.
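Both the shared-secret and the question-and-answer methods above run the same thing underneath: the Socialist Millionaire Protocol, which lets two parties learn whether their secrets match without either one revealing its secret. The following is an added example, not code from this guide, Pidgin or libotr; it runs the four-message exchange over a constructed 64-bit safe-prime group (real OTR uses the 1536-bit MODP group of RFC 3526 and attaches zero-knowledge proofs to every message, both omitted here), so it shows the matching logic and the case sensitivity noted above, not a deployable implementation.

```python
"""Socialist Millionaire Protocol (SMP), the exchange behind OTR's shared
secret and question-and-answer buddy authentication.  Added example, not
code from the guide, Pidgin or libotr.  Runs in a constructed 64-bit safe-prime
group; real OTR uses RFC 3526's 1536-bit MODP group plus zero-knowledge proofs."""
import hashlib, secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n: int) -> bool:
    """Miller-Rabin, deterministic for n < 2**64 with these bases."""
    if n < 2:
        return False
    for b in BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_safe_prime(start: int) -> int:
    """Smallest safe prime p = 2q + 1 with p >= start (deterministic)."""
    q = (start // 2) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1

P = next_safe_prime(1 << 63)  # constructed toy modulus, NOT the OTR group
Q = (P - 1) // 2              # prime order of the subgroup generated by G
G = 4                         # a quadratic residue, so its order is exactly Q

def secret_to_exponent(secret: str, question: str = "") -> int:
    """Hash the case-sensitive secret (and the question, in Q&A mode) to an
    exponent modulo Q; both sides must arrive at the same value."""
    h = hashlib.sha256((question + "\x00" + secret).encode()).digest()
    return int.from_bytes(h, "big") % Q

def rand_exp() -> int:
    return 1 + secrets.randbelow(Q - 1)  # uniform in [1, Q-1]

def inv(x: int) -> int:
    return pow(x, P - 2, P)

class Party:
    """One side of SMP; each msgN() returns what OTR would send as a TLV."""
    def __init__(self, secret: str, question: str = ""):
        self.x = secret_to_exponent(secret, question)
        self.e2, self.e3 = rand_exp(), rand_exp()  # a2, a3 (or b2, b3)
        self.result = None

    def msg1(self):  # Alice -> Bob: g^a2, g^a3
        return pow(G, self.e2, P), pow(G, self.e3, P)

    def _commit(self, g2x, g3x):
        """g2 = g^(a2 b2), g3 = g^(a3 b3); then P = g3^r and Q = g^r * g2^x,
        so the secret x is blinded by a fresh random r."""
        self.g2, self.g3 = pow(g2x, self.e2, P), pow(g3x, self.e3, P)
        r = rand_exp()
        self.p = pow(self.g3, r, P)
        self.q = pow(G, r, P) * pow(self.g2, self.x, P) % P

    def msg2(self, g2a, g3a):  # Bob -> Alice: g^b2, g^b3, Pb, Qb
        self._commit(g2a, g3a)
        return pow(G, self.e2, P), pow(G, self.e3, P), self.p, self.q

    def msg3(self, g2b, g3b, pb, qb):  # Alice -> Bob: Pa, Qa, Ra
        self._commit(g2b, g3b)
        self.peer_p = pb
        ra = pow(self.q * inv(qb) % P, self.e3, P)  # (Qa/Qb)^a3
        return self.p, self.q, ra

    def msg4(self, pa, qa, ra):  # Bob -> Alice: Rb, after his own check
        rb = pow(qa * inv(self.q) % P, self.e3, P)  # (Qa/Qb)^b3
        self.result = pow(ra, self.e3, P) == pa * inv(self.p) % P
        return rb

    def finish(self, rb):  # Alice's check
        self.result = pow(rb, self.e3, P) == self.p * inv(self.peer_p) % P

def run_smp(alice_secret: str, bob_secret: str, question: str = ""):
    """(Qa/Qb)^(a3 b3) = g3^(s-r) * g2^(a3 b3 (x-y)) equals Pa/Pb = g3^(s-r)
    exactly when x == y, so each side learns only match / no match."""
    alice, bob = Party(alice_secret, question), Party(bob_secret, question)
    g2a, g3a = alice.msg1()
    g2b, g3b, pb, qb = bob.msg2(g2a, g3a)
    pa, qa, ra = alice.msg3(g2b, g3b, pb, qb)
    rb = bob.msg4(pa, qa, ra)
    alice.finish(rb)
    return alice.result, bob.result
```

Because the secret is hashed before use, "Swordfish" and "swordfish" give different exponents, which is the case sensitivity the note above warns about.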

How to Create a Google Talk Account
To create a Google Talk account (which uses the XMPP communications protocol), you must first create a Gmail account. To create a Gmail account, perform the following steps:

Step 1. Open your Internet browser, and type the address into the browser address bar to activate your local Google home page:

An example of a Google Home page

Step 2. Click the Gmail link (outlined in black), as shown below:

The Google Home page menu bar with the Gmail link

This will activate the following screen:

The Gmail account home page

Step 3. Click to activate the following screen:

The first half of the Create an Account page

Note: The Get Started with Gmail form is too long to be reproduced in its entirety, and is divided into two basic sections in this example. As usual, the less information you volunteer, the better the privacy and security of your email communications!

Step 4. Type the required information into the First Name, Last Name and Desired Login Name text fields. For reasons of anonymity and confidentiality, however, these should not correspond to your actual first and last names.

Step 5. Click to see if your desired login name is available. If it is not, you may have to invent something a little more original!

Important: As you may have noticed, the Stay signed in and Enable Web History features are automatically enabled whenever you attempt to create a new account. Both of these features can compromise your on-line privacy and security by allowing Gmail to track your on-line habits.

Step 6. Disable the Stay signed in and Enable Web History check boxes as shown in the figure above, and continue with the account creation process.

The second half of the Gmail Create an Account form

Step 7. Select a question from the Security Question drop-down list, type a random combination of letters and numbers into the Answer text field, and leave the Recovery email text field blank as shown in the figure above.

Step 8. Select the country in the Location drop-down list which corresponds to your current location.

Note: A further level of anonymity is possible if you have the opportunity to create a Gmail account while you are living in or travelling through a country that is not your country of origin or permanent residence.

Step 9. Type the distorted word into the Word Verification field to confirm that a human is creating this account!

Step 10. Click to accept the Google Terms of Service and activate the following page:

The Introduction to Gmail page

Congratulations! You have now created a Gmail account as well as a Google Talk account, after completing only the minimum required text fields and not offering superfluous or unnecessary information. Now that you have a Google Talk account, you are ready to register it in Pidgin. After you have registered it, you may return to the following section to learn about enabling a secure connection.

How to Enable a Secure Connection
Users who register and use Pidgin with a Google Talk, IRC, SILC or XMPP-compatible service may configure Pidgin to use a secure channel, otherwise known as Secure Socket Layer (SSL) or Transport Layer Security (TLS). To configure an SSL or TLS connection, perform the following steps:

Step 1. Click the icon or select Start > Pidgin to launch Pidgin, and activate the Buddy List.

Step 2. Open the Accounts menu and select your account to activate its associated sub-menu, and then select the Edit account item as follows:

The Accounts menu displaying a Pidgin account with the Edit account item selected

This will activate the Modify Account window, and display the default Basic tab as follows:

The Modify Account window displaying the default Basic tab

Note: If you already have a Gmail account registered to Pidgin, the Modify Account window will appear as shown in the figure above.

Step 3. Click the Advanced tab to configure it as follows:

The Modify Account screen displaying the Advanced tab

Step 4. Select the Use old-style SSL check box to automatically enable a secure channel over which your messaging session can take place.

Step 5. Type the server name into the Connect server text field.

Step 6. Click to save your settings, and then click the Proxy tab as follows:

Step 7. Select the Use Global Proxy Settings item if this is not the default setting, and then click to enable a secure connection between your correspondent and yourself.

The Modify Account screen displaying the Proxy tab

Secure pidgin for Linux
On GNU/Linux, you should secure your Pidgin with these steps:

Step 1. Copy usr.bin.pidgin to /etc/apparmor.d/usr.bin.pidgin
Step 2. Restart AppArmor: sudo /etc/init.d/apparmor restart
Step 3. Restart Pidgin

Additionally, you may wish to enable OTR.

Jabber Clients
Jabber is an XML-based instant messaging system. Jabber software is available for most operating systems and allows users access to other instant messaging services. Jabber is an open source application overseen by

Some jabber clients will ask for your username and domain separately. In this case, you would specify:

jabber username: username
jabber domain: , , or any other domain

Here are some jabber clients.

Features to look for

OTR is used for encrypting messages end-to-end for a high level of security.
Jingle support allows a client to be used for voice or video chat.

Recommended clients

Client | Supported OS | OTR support? | Jingle support? | Comments
Empathy | GNU/Linux | No | Yes | Open source. Stable and easy to use.
(name not recovered) | Windows, GNU/Linux | Yes | Yes (Linux) | Open source. Stable with many features.
(name not recovered) | | | | Open source. Good native build of Pidgin for Mac.
Beem (https) | | | | Open source. Stable native Android app. Does not support group chats.
Miranda | Windows | | | Open source. Stable client with many plugins.



Using Riseup’s jabber service
Your email address also serves as your jabber address. For someone to send you a jabber message or buddy request, they just need to send it to that address. In order to configure a jabber client, you need this information:

protocol: jabber (XMPP)
jabber account:
password: your Riseup password

It is very important that you configure your client to always require encryption. Some clients have a setting "encryption if available". Even though the servers require encryption, if your client is configured to use "encryption if available" an attacker can easily acquire your password. Some jabber clients will ask for your username and domain separately. In this case, you would specify:
 

jabber username: username
jabber domain:
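To make concrete why "encryption if available" is unsafe, here is an added example (not code from this guide or from any client): a client-side policy check over two constructed <stream:features> stanzas, one as a server that requires STARTTLS sends it and one with the <starttls> offer missing, which is what the client sees when someone on the path removes it. The namespace URIs are the standard XMPP ones; the policy names "require" and "if-available" are assumptions for this example.

```python
"""Why "encryption if available" is unsafe for XMPP logins.  Added example,
not code from the guide or from any client.  Both <stream:features>
stanzas are constructed: one as a server that requires STARTTLS sends it,
one as it arrives after the <starttls> offer has been removed on the path.
Only the "require" policy refuses to log in over the stripped stream."""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed: features from a server that insists on TLS before auth.
FEATURES_WITH_TLS = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"><required/></starttls>
</stream:features>"""

# Constructed: the same stream with the TLS offer stripped; only a
# plaintext SASL mechanism is left on the table.
FEATURES_STRIPPED = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>"""


def next_step(features_xml: str, policy: str) -> str:
    """Client decision after <stream:features>.  policy is "require"
    (always encrypt) or "if-available" (the unsafe setting)."""
    if policy not in ("require", "if-available"):
        raise ValueError(f"unknown policy {policy!r}")
    root = ET.fromstring(features_xml)
    if root.find(f"{{{NS_TLS}}}starttls") is not None:
        return "starttls"        # negotiate TLS first, then authenticate
    if policy == "require":
        return "abort"           # fail closed: no TLS, no password sent
    if root.find(f"{{{NS_SASL}}}mechanisms") is not None:
        return "auth-plaintext"  # the password crosses the network unprotected
    return "abort"
```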

For added security
For added security, access the Riseup jabber server via the Riseup VPN or this Tor hidden service: ztmc4p37hvues222.onion

Tor with Pidgin configuration
To configure Pidgin to use Tor, you need to modify your account settings as follows: first choose Modify Account Settings...

Then click the Advanced tab and put the Tor .onion address in the Connect Server field. Then click on the Proxy tab...

Set the proxy type to Socks5, set the host and port as shown in the image, and set your username and password.

About Adium

Adium is the recommended jabber client for Macs. It is open source and supports OTR for end-to-end message encryption. You can download Adium from

Configuring an account
(1) Adium menu > Preferences menu item > Account tab
(2) Click the plus icon in the bottom left, and select Jabber.

(3) In the Account tab, enter your Riseup email address and password.

(4) In the Options tab:

For file transfer proxy, specify
Make certain that Require SSL/TLS is checked.

(5) Click OK

Tor with Adium configuration
To configure Adium to use Tor, you need to modify your settings as follows: first add a new Jabber account by going to File, then Add Account, then Jabber...

Then fill out the account options with your Riseup username and password. Then click the Options tab and make sure it matches the following...

Then choose the Proxy tab and fill it out as follows...

Other clients
Client | Supported OS | OTR support? | Jingle support? | Comments
Pandion | Windows | No | No | Open source. Nice stable Windows jabber client.
(name not recovered) | Mac, Windows, GNU/Linux | No | | Open source. Stable native application.
(name not recovered) | Mac, Windows, GNU/Linux | Yes | Yes | Open source. Anyone tried it? Written in Java.
Gibber | Android | | | Open source. Secure, but buggy. Does not support group chats.
(name not recovered) | | | | Apple's built-in chat application has support for jabber, but to a limited degree.

iChat is an instant messaging application that makes it easy to stay in touch with friends and family using text and video. iChat works with AIM, the largest instant messaging community in the U.S., which means you and your buddies can use AIM on a Mac or a PC. iChat works with other services, including Yahoo!, too. Most Mac computers include a built-in FaceTime or iSight camera and mic. When you use them with iChat, you can have high-quality video and audio chats with your friends and family.
Chat with just one person or make it a party by starting a multiway chat. If you use a wide aspect ratio screen, iChat AV uses patented anamorphic resizing techniques so that the video of the person you're chatting with fills the entire screen without distortion.

Configuring iChat

(1) iChat menu > Preferences
(2) Click the plus icon to add a new account
(3) Fill in these values:

Account Type: Jabber
Account Name: Your Riseup email address.
Password: Your Riseup password.

Primary Riseup Account: This login and password is used for email, VPN, and jabber. Your settings can be changed at

Leave the default server options.

IMPORTANT: if, when you are connecting, you get an error asking whether you want to send your password unencrypted, do not proceed!

Mailing List Account: If you are subscribed to any mailing list at , you have a mailing list account. Your settings for this account can be changed at .

Groups Account: If you use , your account for this website is independent of your primary Riseup account or your list account. In the future, we will merge the Groups accounts and the Primary accounts.

Clients to avoid
Client | Supported OS | OTR support? | Jingle support? | Comments
(name not recovered) | Mac, Windows, GNU/Linux | Yes | Yes | Open source. Currently insecure, please avoid. Written in Java.
Gajim | Windows, GNU/Linux | No | | Open source. Nice jabber client written in Python, but currently there is no way to ensure a secure connection.


Adding Skype Contacts to Pidgin IM on Windows, Mac, or Linux

VoIP calls to other VoIP users are generally free of charge. Some programs allow you to make inexpensive calls to normal phones as well, including international numbers. Needless to say, these features can be extremely useful. Some of today's more popular VoIP programs include Skype, Jitsi, Google Talk, Yahoo! Voice, and MSN Messenger.

Normally, voice communication over the Internet is no more secure than unprotected email and instant messaging. Skype offers encryption for voice conversations, but only if you are calling another VoIP user, as opposed to a mobile or landline telephone. In addition, because the Skype application is not open source, independent experts have been unable to test it fully and ensure that it is secure.

Note: there are tools (not recommended) for encrypting communication over Yahoo! Messenger or Windows Live Messenger (MSN). The first is BitDefender Chat Encryption, which keeps your instant messages safe from hijacking through a simple and automatic encryption process; it secures your communications via Yahoo! Messenger 8 and Windows Live Messenger 8.5. Another tool is SimpLite: SimpLite-MSN prevents eavesdroppers from reading your MSN Messenger conversations, and is free for personal use at home or at the office. These tools are free only for home users, and their source code is not available to anyone.

You’ll need to install Skype if you don’t have it already. Make sure to pay attention to the Skype installer and uncheck any extra software it tries to install if you don’t want it.

To add Skype to Pidgin, first make sure Pidgin is closed, then install the Skype API Plugin for Pidgin from by Eion Robb. It also works with Adium for Mac ( ) too. The plug-in is free and open source under the GNU Public License. After you have everything installed, open Pidgin, click Accounts, then Manage Accounts.

In the screen that comes up click the Add button

Now when you click the Protocol drop-down list, you'll see Skype is included in the list. Enter your Skype username and a local alias if you want, then click Add.

For this plugin to work, you need to have Skype running at the same time. Click the Advanced tab and make sure Auto-start Skype if not running is checked. This will save you the step of having to launch it manually.

A dialog will open asking if you want to allow Pidgin access to Skype, click the Allow Access button.

Then a screen comes up asking if you want to confirm silent mode and gives you the details of confirming it. This setting is up to you; if you don't want to see it every time you launch Pidgin, check Do not ask me again.

Now you can IM with your Skype contacts through Pidgin, very cool! When you receive an IM through Skype, you'll still get the normal notification sound and the flashing Skype icon on your taskbar if you have it enabled.

Secure chat with Skype: cryptochat4skype
Crypto ensures maximum privacy by generating a key for each pair of users. Chat messages will look like a bunch of random numbers in Skype, but they will display properly in CryptoChat 4 Skype.

1- First grab cryptochat4skype from
2- Run your Skype (installed or portable version) and then run the appropriate version of cryptochat4skype on your Windows machine. The old version needs .NET Framework 2 and the new version (for all Windows x86/x64) needs .NET Framework 4. Note: If the Crypto software can't connect to the web, adjust your firewall settings to give this software a stable connection. If everything goes well, you enter Crypto successfully.
3- Select the contact with whom you wish to have a secure chat.
4- You will now have to generate a unique key.
5- Send the key to your Crypto/Skype buddy using Crypto's webserver stream mechanism. Keys can even be sent by email or snail mail. (I would recommend using the webserver stream mechanism.)
6- Once both parties have exchanged their keys, they can start the secure chat.

Mobile Instant Messaging over Tor

You can find BEEM in the Android Market or you can download it here. The goal of BEEM is to provide a full-featured and easy-to-use Jabber client on Android. Jabber is another name for XMPP, the Extensible Messaging and Presence Protocol, which is another name for instant messaging and status updates. Beem, available as source code and in the Android Market, is a great looking, highly functional IM application that supports a number of advanced options including SSL/TLS support and SOCKS proxying. These two features make it ideal for running over the Tor anonymity network with Orbot. By combining Beem with Orbot, mobile instant messaging can be more private (even anonymous if one chooses), usable without fear of eavesdropping by network operators, and made accessible in places where filtering technologies block access to popular instant messaging services.

1) Connect to the Tor network using the Orbot app
If you do not have Orbot installed, first download it from the Tor Project here. The Orbot app contains an HTTP and SOCKS proxy server which allows any Android app to proxy its network traffic through Tor. By installing and activating Orbot (tap on the big power button!), this proxy server is activated and runs in the background as long as you are connected to the Tor network.

2) Configure your XMPP-compatible account using Beem settings
If you don't have BEEM installed you can download it from here. You can use any XMPP service, but we recommend one that supports TLS or SSL security. You can use your Gmail / Google Talk account, or you can find a list of public services here:

3) Check the SSL/TLS option in the Advanced Menu
You must enable this option to protect your password and chat communications when they exit the Tor network. You can learn more about exit node eavesdropping in the Tor FAQ.

4) Enable the SOCKS Proxy Setting in the Proxy Menu
"Use a proxy server" should be checked, the Protocol set to "SOCKS5", the Server to "localhost" and the Port to "9050". You must use the SOCKS5 protocol, as it ensures that domain name resolution is also routed through Tor, stopping someone from snooping on which chat service you are using.

5) Connect to the XMPP Service
If Orbot is connected, and you have configured the proxy settings correctly, you should be able to connect and see your contacts or buddy list. From here, you can use Beem as you normally would.

IMPORTANT: To ensure Beem is routing through Tor, you should deactivate Orbot, and then try connecting to your XMPP service with Beem again. This SHOULD fail; if it does not, you haven't set up the proxying correctly.

6) Chat away!
At this point, you should be happily chatting away with your buddies. It is important to note that this solution DOES NOT provide end-to-end encryption, so once your chat reaches the server it is not secure, both because the service provider can view it if they choose, and because the other members of your chat may not be secured themselves.
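The Beem steps above come down to two things: a SOCKS5 CONNECT that hands the chat server's hostname to the proxy instead of resolving it on the phone, and the switch-Orbot-off check. As an added example, not code from this guide, Beem or Orbot, the following builds the SOCKS5 greeting and CONNECT the way a Tor-aware client should send them, runs the exchange against a scripted stand-in for Orbot so it works offline, and includes a helper for the real check against localhost:9050. The server name chat.example.org and the FakeOrbot stand-in are constructed for the example.

```python
"""SOCKS5 CONNECT the way a Tor-aware XMPP client should issue it.
Added example, not code from the guide, Beem or Orbot.  The point of the
Beem steps is that the proxy (Orbot on localhost:9050) must resolve the
chat server's name, so the request carries the hostname (ATYP 0x03), not
an address the phone looked up itself.  FakeOrbot is a scripted stand-in
for the real proxy so the exchange can be run offline."""
import socket
import struct

SOCKS_VER, NO_AUTH, CMD_CONNECT, ATYP_DOMAIN = 0x05, 0x00, 0x01, 0x03
REPLY_OK, REPLY_REFUSED = 0x00, 0x05


def connect_request(host: str, port: int) -> bytes:
    """CONNECT request that leaves name resolution to the proxy."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    header = bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect(sock, host: str, port: int) -> None:
    """Greeting plus CONNECT on a socket already connected to the proxy.
    Raises ConnectionError on any refusal, so callers fail closed."""
    sock.sendall(bytes([SOCKS_VER, 0x01, NO_AUTH]))  # offer no-auth only
    ver, method = _recv_exact(sock, 2)
    if ver != SOCKS_VER or method != NO_AUTH:
        raise ConnectionError("proxy rejected the SOCKS5 greeting")
    sock.sendall(connect_request(host, port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)
    if ver != SOCKS_VER or rep != REPLY_OK:
        raise ConnectionError(f"CONNECT failed, SOCKS5 reply code {rep}")
    # Consume the bound address so the XMPP stream starts on a clean boundary.
    if atyp == 0x01:
        _recv_exact(sock, 4)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0])
    elif atyp == 0x04:
        _recv_exact(sock, 16)
    _recv_exact(sock, 2)


def connect_via_orbot(host: str, port: int, proxy=("127.0.0.1", 9050)):
    """TCP stream to host:port through the local SOCKS5 listener.  With
    Orbot off this raises, which is the check the Beem steps ask for."""
    sock = socket.create_connection(proxy, timeout=15)
    try:
        socks5_connect(sock, host, port)
    except Exception:
        sock.close()
        raise
    return sock


class FakeOrbot:
    """Scripted SOCKS5 proxy for offline use: records what the client sends
    and answers like a proxy that accepts (or refuses) the CONNECT."""

    def __init__(self, accept: bool = True):
        self.accept, self.received, self._pending = accept, b"", b""

    def sendall(self, data: bytes) -> None:
        self.received += data
        if len(data) == 3 and data[0] == SOCKS_VER:  # greeting
            self._pending += bytes([SOCKS_VER, NO_AUTH])
        elif data[:2] == bytes([SOCKS_VER, CMD_CONNECT]):  # CONNECT
            rep = REPLY_OK if self.accept else REPLY_REFUSED
            self._pending += bytes([SOCKS_VER, rep, 0x00, 0x01]) + bytes(6)

    def recv(self, n: int) -> bytes:
        out, self._pending = self._pending[:n], self._pending[n:]
        return out


def tor_check(proxy, host: str, port: int) -> str:
    """Outcome label for the 'switch Orbot off and retry' check."""
    try:
        socks5_connect(proxy, host, port)
        return "connected"
    except ConnectionError as exc:
        return f"failed: {exc}"


def run_offline_exchange(host: str, port: int, accept: bool = True):
    """Drive the exchange against FakeOrbot; returns (outcome, bytes seen)."""
    proxy = FakeOrbot(accept)
    return tor_check(proxy, host, port), proxy.received


def hostname_reached_proxy(seen: bytes, host: str) -> bool:
    """True when the CONNECT carried the literal hostname (no device DNS)."""
    return host.encode("idna") in seen
```

For the real check, connect_via_orbot("your.xmpp.server", 5222) must raise while Orbot is off and succeed once it is on; a client that still connects with Orbot off is not using the proxy at all.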

Mobile Phone Security
Most people have mobile phones today. In the past these devices were primarily used to call and send text messages. In addition, all mobiles have at least the ability to keep an address book. There is a new generation of mobile devices that come with Internet access, built-in video cameras and the ability to install additional software. These smart phones can be very convenient and provide you with very powerful and useful tools. These phones contain a lot of private data and, unfortunately, a phone is easily lost. The following chapter deals with some methods for using them more securely.

Security issues with mobile phones
Physical security - A phone can be confiscated or stolen. If you are a journalist, your address book might be of special interest: it can be used just to gain knowledge of your network, or for further social engineering. As a minimum safety measure you should always enable some kind of password protection on your phone (not just on your SIM card).

Voice - Although the voice on a GSM (mobile phone) channel is encrypted, this encryption was hacked some time ago and is not considered safe anymore. Furthermore, if you do not trust the network(s) you are using, it has never been safe. Normal VoIP communications are very insecure as they are not encrypted. Some other VoIP services use some kind of encryption.

SMS - Text messages are sent in plain text over the network, so they are also not considered secure. Additionally, they are not securely stored on your device, so anyone with access to it will be able to read them. If you are using an Android based phone, read the chapter on 'Secure Text Messaging'.

Smartphones - Smartphones are quite new and unfortunately most advanced (and even some basic) ways of securing them that are available on normal computers are not available on smartphones. They pose additional risk since you are also using them for things like agendas and personal note taking. Also, not all applications in an app store or market are safe to use, because there are a considerable number of malware apps on the market which pass your personal data to other companies. You should always check whether the apps you want to use can be trusted. Internet on your mobile device is subject to the same problems as all wireless communications. Read the chapter on VPN for mobile devices to improve this.

Prepaid SIM cards - In some countries you are still able to use locally bought prepaid SIM cards without identifying yourself. Beware that your phone also has a unique identifier (known as the IMEI number), so switching SIM cards will not guarantee to protect your privacy.
Note that mobile phone security in particular is developing very fast, and users should check out the current status of premier open source efforts like the Guardian Project (

More about Mobile phone security and threats

A cellular phone is a small computer consisting of:

a) The battery: taking out the battery as the main power supply is not good enough to stop a listening/tracking device. Some models carry secondary, slimline batteries to keep some functions going. It is possible to monitor a mobile phone even when it is turned off. See for example this news story:

Note: the small RFID chips in your passport or an ID card can use radio-frequency electromagnetic fields as a power source to transfer your personal information to the target. Better to avoid any chips, or to use them in a Faraday c

b) The SIM card: a small chip that can easily be removed from the back of most phones.

c) The phone itself: a small computer that can perform many things: voice recording via the microphone, taking photos with the camera, and many more. Each phone has its own serial number called the IMEI number. This can be changed, but in some countries, such as the UK, doing so has been made illegal.

There is a lot going on in a phone that we might not have a clue about. One such feature of various Nokia phones is that they are easily adapted to be turned on remotely without alerting anyone, so your enemy can turn it on remotely to hear what is being said nearby. Signals can be sent to particular phones, prompting the owner to apply security patches, updates, etc., but which actually install malicious software ("malware") instead, thus putting the phone under the control of a third party. A simple bit of malware is one that monitors the phone's address book, providing the interloper with its details and then notifying them when it has been updated. For ordinary mobile phones with basic functions, this is not a significant problem; for more sophisticated phones that permit access to email and the internet it is a much greater risk.
Different phones offer other features which can be used against the campaigner. A good example is GPS, which allows accurate positioning of phones and thus their users/owners. As your phone receives the strongest signal from the nearest mast, your location will be recorded. Your cell phone in your car may cause your radio speakers to emit a hissing sound as it sends its location to nearby masts when it changes from one cell to another. Locating a phone in a particular cell gives the network a rough geographical location of the phone's position. If there are several masts in an area and they all pick up a signal from a mobile phone, then triangulation techniques can be used to pinpoint the location of the mobile phone more accurately. The higher the density of masts the easier it becomes, so in a city this technique is far more accurate than in the countryside.

Two good places to confuse the system could be directly underneath a phone mast or on a motorway. The tracking system mentioned above is usual in Europe and the U.S.A., and it is lawful for emergency services to trace the location of a mobile phone; now this feature is being turned into a commercial application to track employees, children and even you. However, this is simple enough to circumvent if they are not in possession of the phone for the length of time. Some companies are now offering services which allow you to specifically listen in to other people's phones, for example

It is now legal in many countries to require networks to keep logs of various bits of information such as the SIM and IMEI numbers, the location, the duration of the call, and the contents of any text messages, at least for some months.

Another possible threat to mobile phones is to set up a computer as a relaying station to emulate a mast. If it is close enough to the target mobile phone, the phone will route its communications with the network through it without realizing anything is amiss. The person in control of the relay then has access to everything being sent, including the conversation and numbers. This means that agencies other than the state can also tap mobile phones if they so desire.

If everyone goes to a meeting place and then turns off their phone, that is a clear signal that something is up in that area. Likewise, if one person is being tracked to a meeting place, those monitoring them can see if other phones in that cell are switched off at the same time, thus giving them insight into the potential network of individuals associated with their target. Similarly at a meeting, knowing the phones there can be used to identify the individuals present. It does not even have to be a meeting: it can be the fact that you've visited someone's house, so making a connection between the two of you. From another angle, if a selection of known phones appears in the same cell or nearby cells and then get turned off, it is an indication that something is taking place. So the best solution is to leave your phone at home and treat your cell phone with all the circumspection you do landlines.

What should I do?
- Purchase pay-as-you-go phones in a secure manner and avoid registering them in your name.
- Change your phone number and phone on a regular basis.
- Turn off all phones.
- Place in a box in another room.
- Remove batteries.
- Turn off well before getting to the meeting place.
- Leave at home altogether.
- Give to someone else to take elsewhere.
- Create a network of phones that are not linked into any other networks. This is known as a "closed network" and has been used effectively.

If the risk associated with being caught is great then it is worth investing in a set of phones to create a closed network solely for that action, following the guidelines set out below:
1- Purchase simple phones without all the extra features, far from where you live, and be careful not to be exposed to CCTV; it is better to wear nondescript clothes, baseball caps, etc. and pick smaller shops.
2- Pay with cash and do not give real details if asked. In some countries proof of ID is not actually required.
3- Do not register the phone if you do not have to, or else give fake/alternative details, preferably the same ones you have given the retailer.
4- Burn all packaging. Most packaging carries various bar codes that permit a particular phone to be associated with it, and thus where it has been sold, etc.
5- Ensure that none of the phones in the network are used to ring any of your friends or contacts, or indeed any phone outside of the network. Once this happens the network should be considered compromised and the phones disposed of (sold on/trashed).
6- Keep the battery out when the phone is not required for use.
7- Keep the SIM card out when the phone is stored, preferably in a separate place from the rest of the phone; this is important in case there is a raid.
8- Never turn the phone on in your house, office or regular meeting places, as it will immediately be associated with that place, especially if it is the first location it is turned on in. If you suspect your car is under surveillance then avoid using the phone in or near it.
9- Avoid patterns of phone use.
10- When making phone calls avoid areas where there is CCTV.
11- Avoid spending longer than 30 minutes in one area when using the phone.
12- Don't hesitate to get rid of a mobile if it is starting to become too hot.
13- It is sufficient to remove the SIM card to hide your trace. A problem with this is that there may be secondary batteries in some phones, buried inside the hardware.
14- Make your calls encrypted over IP.
15- If you suspect someone has installed something on it, one way around it is to wipe it clean of all software and start again from scratch, or, less drastically, reset it to factory settings. Details on doing this can often be found through a Google search:

Secure Text messaging
Sending SMS (text) messages is considered insecure: not only do they travel unencrypted through the phone network, they are also saved on your phone where someone might see them. If you are using an Android based smart phone there is a neat free tool to fix both issues: TextSecure. TextSecure uses a password to save all your messages (sent and received) encrypted on your phone, and it also enables you to SMS securely with other people using TextSecure. Remember that if you have sent an SMS to someone that is not using TextSecure, it will still be unencrypted on their phone and over the network.

Geek info on how TextSecure works
SMS communication using TextSecure is encrypted using the Off The Record (OTR) encryption protocol. OTR is specifically designed for chat messaging; it provides session based encryption and authentication, but on top of that it provides deniability, something protocols like PGP do not provide.

Installing TextSecure
TextSecure can be installed using the Market app on your phone. Either search for 'TextSecure' in the market, or use the QR code on this page with the Barcode Scanner. After you have acknowledged the permissions and installed the app, you are ready to start it. As soon as you do so you are confronted with the "End User License Agreement"; press accept to continue. A new pop-up telling you this is beta software will appear, which you have to acknowledge too.

TextSecure uses a password to encrypt the text messages on your phone. Be careful to choose a strong password that you can easily remember (for more information, look at the section on using secure passwords); if you lose it you will not be able to read any of your old messages. To be sure you entered it correctly, you have to enter the password twice. The next step is to say whether you want the messages already stored on the phone to be copied to the TextSecure database; if you choose "Copy" here, you will be able to secure your old messages by deleting them from the system database later.

After this step you are ready to use TextSecure to send unencrypted messages. If other people also use TextSecure, this is automatically detected, and it will then present you with the option to send them your key. Exchanging keys is needed to get full end-to-end encryption. This process is described in the next steps. It is also possible to start this process manually by clicking the menu button and choosing the option "secure session".

After these steps your communications are secure, but you have not yet established a trust relation; in other words, the channel is secure but you are not entirely sure who you're talking to. So, keeping that in mind, the next thing to do is to verify that you are indeed talking to the right person (a sender's phone number can be easily forged, so you need a more secure way to check the identity). In the conversation window press the menu button and select "Secure Session Options". In the window that appears select "Verify Recipient Identity".

The following window shows your identity fingerprint and theirs. You can for instance call them and check that the keys are correct. If you are physically together when setting this up, TextSecure also allows you to use your Barcode Scanner to check the keys. To start this, select compare and follow the instructions. Once you are done verifying using any of these methods, select "Verified!" and select OK in the next screen. A Save Identity popup appears; usually the name is already filled in correctly and you can just push the "Ok" button twice to start your authenticated messaging.

You can see that this conversation has been verified because the lock icons in the left corner and next to the messages are no longer red. These messages are encrypted and authenticated.

This is the right moment to look at the various configuration options that TextSecure comes with. Most of them are self-explanatory. Security-wise it might be a good idea to look at the setting for the Passphrase timeout interval, and set it to a lower value according to your situation. If the timeout interval expires and you want to view your messages again, TextSecure will ask for your password.

These are the basics of TextSecure. If you like the application we advise you to replace the Messages application shortcut on your phone's home screen with TextSecure. This way you won't mix up the TextSecure and normal Messages applications.

Mobile networks
Mobile networks are increasingly popular means of disseminating and accessing uncensored information, partly because of their high penetration rates in countries where the costs of owning a computer or a private Internet connection are prohibitive. Because many mobile carriers are not ISPs, their networks may not be affected by regulations in exactly the same way. However, these networks are usually easier to monitor and are frequently subject to extensive surveillance. Activists in several countries have used their phones and free, open-source software such as FrontlineSMS to manage short message service (SMS) campaigns and bridge SMS technology with microblogging services, such as Twitter. A computer running FrontlineSMS and connected to the Internet can serve as a platform for others to post information to the Internet through their cell (mobile) phones. Mobile networks can also be used with alternative devices. Amazon's Kindle 3G e-book reader, for example, comes with free international mobile roaming, which allows free access to Wikipedia through the mobile network in more than 100 countries.

Secure voice communication
When calling another person with your mobile phone, your communication can be monitored in multiple places. Governments all over the world have regulations which allow tapping of phone lines, and this includes mobile phones. If you think your phone is tapped and you need secure phone communication, it is worth looking into voice encryption. There are vendors who offer mobile phones with voice encryption, but if your phone's hardware or firmware does not allow you to encrypt normal voice calls, you can still use your data connection to send and receive encrypted voice data. The standard method for this is the SIP protocol. SIP is built into business Symbian phones and the N900, and is available for Android phones. SIP calls can be encrypted, but generally are not; this is mostly a decision of your SIP provider, who has to support it. Currently there are two convenient solutions for secure calling (one of them only on Android phones). Both use the data connection of your (smart) phone, which means that you either need to be connected to a Wi-Fi network or have an affordable and reliable 3G connection ready.

Skype
Skype is a very well-known voice application. Skype uses encryption for the whole path of the voice communication. Although the encryption seems to be reasonably good, Skype is not open about the technology they use for this. It's unknown whether (some) governments have access to it or not. It seems to be safe for most countries and at least safer than using normal phone communication. Because of the popularity of Skype and the fact that mobile phone operators are losing call-minutes, unfortunately some operators are blocking the use of Skype. Depending on the phone you use, Skype might consume a lot of battery power. Keep this in mind when using Skype while low on battery.

RedPhone
RedPhone is an application available only on the Android platform. It establishes a voice connection by mediation through the RedPhone vendor's servers, so they are able to log every call you make with the RedPhone software. RedPhone is very convenient to install on Android phones. It's available from the Android Market. After installing, it will use your normal phone contacts. It also has the ability to upgrade a phone call to an encrypted one while calling. The main advantage of RedPhone over Skype is how it is integrated into your normal phone behavior and how it sets up communication. It does not use a lot of battery power in standby. A big disadvantage is its sound quality, which is not very good; another big disadvantage that really limits its use is that the software is only available for Android. RedPhone needs a data connection (Wi-Fi or 3G) to operate.

Other methods
There are some other methods using VoIP encryption. Most of these applications need a proper setup by a VoIP provider and are therefore not covered by this manual. VoIP connections are generally insecure unless explicitly stated otherwise.

1. Skype uses variable bit rate encoding, which might leak information about the phrases spoken. See explanation and alternative encryption at

TorChat: extremely strong anonymity with encryption
TorChat is a peer to peer instant messenger with a completely decentralized design, built on top of Tor's location hidden services, giving you extremely strong anonymity while being very easy to use without the need to install or configure anything. TorChat just runs from a USB drive on any Windows PC. (It can run on Linux and Mac too; in fact it was developed on Linux with cross platform usability in mind from the very first moment on, but the installation on platforms other than Windows is a bit more complicated at the moment.) Tor location hidden services basically means:

- Nobody will be able to find out where you are.
- If they are already observing you and sniff your internet connection they will not be able to find out
  o what you send or receive (everything is end-to-end encrypted)
  o to whom you are sending or from whom you are receiving
  o where your contacts are located

General information about Tor

- official site of the Tor project:
- Tor Hidden Services:

The Tor binary which is bundled with TorChat is taken from the official Tor installer. You can binary-compare the tor.exe with the official one to verify this, or replace it with your own version of tor.exe if you like. A rewrite of the TorChat protocol was created in the beginning of 2012, called jTorChat, hosted on Google Code. Containing the latest Tor.exe, it is meant to emulate all the features of the original TorChat protocol, as well as extending the protocol for jTorChat specific features. File sharing, while implemented in the original TorChat, is not yet implemented in jTorChat. A new capability in jTorChat is the broadcast mode, which allows a user to send messages to everybody in the network, even if they are not in their buddy list. A buddy request mode is also implemented, which allows a user to ask a random user in the jTorChat network to add them. At this stage jTorChat is designed to work effectively on Windows without any configuration; however, since it's written in Java, it can run on any platform with Tor with some configuration.

In TorChat every user has a unique alphanumeric ID consisting of 16 characters. This ID will be randomly created by Tor when the client is started the first time; it is basically the .onion address of a hidden service. TorChat clients communicate with each other by using Tor to contact the other's hidden service (derived from their ID) and exchanging status information, chat messages and other data over these connections. Since Tor hidden services can receive incoming connections even if they are behind a router doing Network Address Translation, TorChat does not need any port forwarding to work.

Encryption
All TorChat traffic is encrypted end-to-end. There are some misunderstandings floating around regarding Tor and encryption. Whenever I mention Tor and encryption in the same sentence the immediate reflex response of many people is: "But Tor provides no encryption!" This statement is true for most applications but not for all.

The most commonly known usage of Tor is as an anonymizer for traffic between the anonymous user and a publicly available service on the Internet, and while the traffic will travel encrypted through the Tor network it MUST at some point leave the Tor network and enter the unencrypted Internet to reach its final destination. This is the origin of the above mentioned "Tor provides no encryption"; it is undoubtedly true for this most widely known and practiced application of Tor, and users should understand it.

However, there exists another and less commonly known mode of operation in which two Tor clients can initiate a fully encrypted peer-to-peer connection between each other that will not leave the Tor network at any point! This is what TorChat is using. Both clients build a normal 3-node circuit from their end to some random Tor node in the middle to "meet" there and connect their circuits with each other. Upon connection another layer of encryption is established reaching through from one client to the other, building one uninterrupted encrypted tunnel through all 6 nodes between the two end points. This means all TorChat traffic is end-to-end encrypted. There are no exit nodes involved in this mode; at no point other than your own and your buddy's own computer will the traffic ever leave the Tor network.

This less known Tor mode is called Tor hidden services; you can read more about it on the link above. It effectively allows true hidden peer-to-peer networks; there are just not many programs that make any use of its peer-to-peer capability, most use it in a more traditional client-server manner. TorChat is one of the few (and at the moment I don't know of any other).

Authentication
TorChat buddies authenticate themselves by proving that they are reachable through their .onion address. The Tor hidden service protocol by itself has no built-in authentication mechanism for incoming connections, but it can guarantee that when you initiate an outgoing connection to a given .onion address you can never end up at the wrong counterpart: the one who answers the connection is the one who is in possession of the private key belonging to this address (the private_key file in the hidden_service folder). Therefore TorChat will not trust any incoming connection and instead immediately tries to open an outgoing connection to call back any incoming buddy on the address they claim to be. A random cookie will then be sent out by both clients on their (trusted) outgoing connection and must be correctly answered on the incoming connection. Only after the answer is found to be correct can the incoming connection be trusted; the status of the buddy will then be displayed as online and incoming messages from this buddy will be accepted. It is essential that you don't lose the private_key file belonging to your ID, because whoever finds it will be able to pretend to be you. Using a tool like TrueCrypt is a good idea when you intend to use TorChat on a portable USB drive, as these devices can easily be lost or stolen.
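The call-back handshake just described, as an added example written for this manual rather than TorChat's own code. It models only Tor's guarantee that a connection opened to an .onion address reaches that address's key holder; the in-memory network, the IDs and the cookies are all constructed, and Mallory's forged ping shows why an incoming connection is never trusted on its own say-so:

```python
"""Toy model of TorChat's call-back authentication (added example, not TorChat code).
Only one Tor property is modelled: a connection opened to an .onion address
always reaches the holder of that address's private key. Everything else
(network, IDs, cookies) is constructed for the demonstration."""
import secrets


class Connection:
    """One direction of traffic, opened by one client towards an .onion ID."""

    def __init__(self, dst_id):
        self.dst_id = dst_id
        self.claimed_id = None   # what the opener *says* it is; unverified
        self.trusted = False     # True only after a correct cookie answer


class OnionNetwork:
    # Stand-in for Tor hidden services (constructed)
    def __init__(self):
        self.clients = {}

    def register(self, client):
        self.clients[client.onion_id] = client

    def connect(self, dst_id):
        """Open a connection to dst_id; delivered to the key holder and nobody else."""
        holder = self.clients.get(dst_id)
        if holder is None:
            return None          # address offline: no call-back possible yet
        conn = Connection(dst_id)
        holder.accept(conn)
        return conn


class Client:
    def __init__(self, net, onion_id=None):
        self.net = net
        # 16 characters like a TorChat ID (constructed, not derived from a key)
        self.onion_id = onion_id or secrets.token_hex(8)
        self.outgoing = {}       # buddy_id -> (our outgoing conn, cookie we sent)
        self.incoming = []       # connections others opened towards us
        net.register(self)

    def accept(self, conn):
        """Incoming connection: keep it, but trust nothing it says about itself."""
        self.incoming.append(conn)

    def ping(self, buddy_id, claim_as=None):
        """Open our own outgoing connection to buddy_id and send a fresh random
        cookie on it. claim_as lets the demo's impostor announce a false ID."""
        conn = self.net.connect(buddy_id)
        if conn is None:
            return
        cookie = secrets.token_hex(16)
        self.outgoing[buddy_id] = (conn, cookie)
        self.net.clients[buddy_id].on_ping(conn, claim_as or self.onion_id, cookie)

    def on_ping(self, conn, claimed_id, cookie):
        """A ping arrived on an incoming connection. Its cookie is answered only on
        our own outgoing connection to the *claimed* address, so the answer reaches
        the real key holder no matter who actually sent the ping."""
        conn.claimed_id = claimed_id
        if claimed_id not in self.outgoing:
            self.ping(claimed_id)            # the call-back
        if claimed_id not in self.outgoing:
            return                           # claimed address unreachable
        out_conn = self.outgoing[claimed_id][0]
        self.net.clients[claimed_id].on_pong(out_conn, self.onion_id, cookie)

    def on_pong(self, conn, from_id, cookie):
        """A cookie answer arrived on an incoming connection. Accept it only if it
        matches the cookie we sent on our outgoing connection to from_id."""
        sent = self.outgoing.get(from_id)
        if sent is None or conn.claimed_id != from_id:
            return False
        if not secrets.compare_digest(sent[1], cookie):
            return False                     # we never sent this cookie: ignore
        conn.trusted = True                  # buddy now shown as online
        return True

    def is_trusted(self, buddy_id):
        return any(c.trusted and c.claimed_id == buddy_id for c in self.incoming)


def demo():
    """Alice and Bob authenticate each other while Mallory claims to be Bob.
    Returns (alice trusts bob, bob trusts alice, mallory's connection trusted)."""
    net = OnionNetwork()
    alice, bob, mallory = Client(net), Client(net), Client(net)
    mallory.ping(alice.onion_id, claim_as=bob.onion_id)   # forged ID on the wire
    mallory_conn = alice.incoming[0]    # the first connection Alice accepted
    return (alice.is_trusted(bob.onion_id), bob.is_trusted(alice.onion_id),
            mallory_conn.trusted)


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

Mallory's cookie is answered to the real Bob, who never sent it and ignores it, so the forged connection stays untrusted while Alice and Bob finish their own handshake.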

Installation

Windows
There basically is no need for any installation or configuration. It just runs out of the box, all batteries included. Download and unzip the complete archive to somewhere on your hard disk or USB drive. The program is inside the folder "bin". Just double-click the blue earth symbol named "torchat" or "torchat.exe" to start the application and you should be online soon. See below for more detailed instructions on the usage.

If you update from an older version then do the following: make sure both versions are not running and then copy the following three files from your old version over to the new version, into the exact same locations:

bin\buddy-list.txt
bin\Tor\hidden_service\hostname
bin\Tor\hidden_service\private_key

Now start the new version, make sure it is running, and if everything is OK you should completely delete the old version.

buddy-list.txt contains the buddy list (obviously) and the two hidden service files are your TorChat ID (don't ever let these files come into the hands of anybody else; whoever owns these files would be able to pretend to be you!).

Linux
The .deb package depends on python (>= 2.5, << 3.0), python-wxgtk2.8 (aka wxPython) and tor. These should be easily satisfiable by any standard Debian or Ubuntu distribution, even older ones. Just make sure you have the latest official python from the 2.x branch installed; torchat will then find the correct version. Download the torchat-x.x.x.x.deb package and do

sudo dpkg -i torchat-x.x.x.x.deb

where x.x.x.x should be replaced by the current version number. After that you can start it from the command line with the command torchat or from the start menu of your desktop environment.

On non-Debian based distributions make sure you have the above mentioned dependencies installed, then download the source distribution of TorChat, unzip it somewhere into your home folder and just execute it from within the src directory with the command python2, or on older systems python2.7 or python2.6, but do not try to run it with python 3.x; I have not yet made it compatible and Python 2.7 will still be around for a long time. You can also try to use the tool alien to convert the .deb into an .rpm package and install it on a Red Hat based system (untested, but I don't see why this should not work). A package for Arch Linux has been made available here:

It doesn't work? Please check the following list of things that are often done wrong:

- Your firewall is blocking connections of tor.exe and torchat.exe: you must allow these two applications to open listening sockets and connect to each other on the local machine, and also allow tor.exe to open outgoing connections to the internet.
- You somehow managed to crash it and an instance of tor.exe is still running. Kill it all with the task manager and try again. Normal is: two processes of torchat.exe (a very small one and a bigger one) and one process of tor.exe; everything else is not normal.
- You are trying to run two copies of it on the same computer at the same time. This will not work! (It can be made to work but it needs some advanced configuration tweaks.)
- You started a copy of it with the same ID on a different computer at the same time. This cannot work. Never! You can use each ID only once at the same time; it's strictly one-to-one connections, not one-to-many. To get a fresh ID you can either unzip a fresh copy from the download archive or delete the contents of the hidden_service folder.

Usage
This is how it should look:

You will see a window with your contact list. One of the contacts is labelled "myself". These 16 numbers and letters are your unique address inside the Tor network; this (myself) contact is always there and cannot be deleted. Wait a few minutes until the icon becomes green. Give this address (your TorChat ID) to your friends so that they can add you to their list, or add your friends' addresses to your list. It all basically behaves as you would expect from an instant messenger.

After starting TorChat it can sometimes take up to 15 minutes until you become available. If you see a blue ball next to one of the contacts this means it is in the middle of the connection handshake (it has already connected and is now waiting for the contact to connect back to you). It should stay in this state for less than a few minutes and then become fully connected. If it does not go away for a long time for some of your contacts but others on your list work, this might mean that they have some configuration problem or an outdated version; if you cannot see your own (myself) contact coming online then the problem is on your side. As soon as the myself-contact is green you know for sure that your TorChat is fully working!

You can run TorChat from a USB drive and, no matter where you are, you always have the same address as long as you don't delete the files in the folder bin\Tor\hidden_service. The contents of this folder are your key. They must always be kept secret. If someone wants to impersonate you they must, and will, try to steal the contents of this folder from you. Keep this always in mind. It would probably be a good idea to use TorChat in conjunction with something like TrueCrypt, KeePass or at least a password protected USB drive to protect your key file.

China
All known entries into the Tor network (including most known bridges) are currently blocked in China; this means you need a friend outside of China who runs a private (unpublished) bridge. A bridge is basically just an ordinary entry node with the exception that it does not show up in the public list of Tor nodes. The bridge should be unpublished because they cannot block something they don't know about. A published bridge would be blocked 1-2 weeks after it has been published and then it would be worthless.

Bridge
The helping friend needs to set up a Tor node with the following configuration:

SocksPort 0
ORPort 443
BridgeRelay 1
ExitPolicy reject *:*
PublishServerDescriptor 0

The last line is important to make it more robust against the Chinese censorship: the existence of this bridge will not be published anywhere, so it is not easy for them to learn about its existence. Port 443 is chosen because it is the same as HTTPS, which is an extremely common and unsuspicious port, and the Tor traffic looks exactly like legitimate HTTPS. Please note that your friend will need to have a static IP address for this unpublished bridge to work. It should be run on a dedicated server that has its own IP address. Your friend should also consult the torproject website for additional information about setting up bridges, unpublished bridges, Tor and the China problem.

TorChat using a bridge
After the helping friend has set up his Tor bridge as outlined above and given you the IP address, you can add it to your TorChat configuration. Open your Tor\torrc.txt with Notepad and add the following lines at the end of the file:

UseBridges 1
TunnelDirConns 1
bridge

where the "bridge" line (the IP address and port of your friend's bridge) would be given to you by your friend; then (re)start TorChat. It should now be able to connect and everything should work fine. If you have more than one friend with a bridge (recommended) or have additional bridge addresses from other sources then you can simply add more such bridge lines to the above configuration. You can add as many bridge lines as you want; the more the better. Use TorChat to secretly and safely exchange more working (unblocked) bridge addresses with your Chinese friends! The connection to the bridge and everything you send through it is always encrypted; the owner of the bridge has no chance of ever finding out what and with whom you are communicating. It's just a relay into the Tor network, like any other ordinary entry node; the only difference is that it is not publicly known and not listed anywhere.

Deployment of a preconfigured TorChat
For maximum comfort when trying to torify one of your IM buddies (your grandma for example) who can't be bothered with adding cryptic character sequences to the buddy list, you can download a fresh copy of TorChat, unzip and start it and add yourself to the buddy list of this new instance (note that you can only run one of them at the same time on the same computer). Then zip it again and give it to this person. You can even prepare a whole bunch of such copies by adding each of them to each other's buddy list with names next to the IDs, and then supply a whole group of people all at once with readily configured copies of TorChat.

If you are a journalist you can prepare a version of TorChat with your own ID already on the list but with an empty hidden_service folder and put this up for download on your website or otherwise make it publicly available, so that everybody (including whistle blowers) can (even if they have zero computer skills) simply unzip it and double-click on torchat.exe to instantly chat with you and send files in perfect anonymity from anywhere in the world! You can also use this method to preconfigure and test a TorChat client as explained in the China section above and, after making sure everything works correctly, give it to your friend in China (be sure to use encrypted email or meet him personally so as not to reveal the IDs and the private_key to the Chinese authorities). Please never ever combine the last two methods (whistle blower + China bridge) in one TorChat, because the fact that someone connects to your dedicated private bridge would directly expose their IP address to you.
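A small checker for the two torrc fragments in the China section above (the helping friend's unpublished bridge and the user's UseBridges lines), added here as an example and not part of Tor or TorChat. The sample configurations are constructed; 203.0.113.7 is a documentation address standing in for a friend's bridge, and the checker flags the settings whose absence would leave the bridge published, exiting, or unused by the client:

```python
"""Checker for the bridge torrc fragments above (added example; not Tor or TorChat code).
torrc is one "Key value" per line, '#' starts a comment and keys are
case-insensitive, so "Exitpolicy" and "ExitPolicy" name the same option."""
import re

# Tor's own default for the option when the line is absent (only the ones checked here)
TOR_DEFAULTS = {"bridgerelay": "0", "publishserverdescriptor": "1", "socksport": "9050"}

# "bridge 203.0.113.7:443" or "bridge obfs2 203.0.113.7:443"
BRIDGE_LINE = re.compile(
    r"^(?:(?P<transport>[A-Za-z0-9]+)\s+)?(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})$")


def parse_torrc(text):
    """Return {lowercased key: [values in file order]}; repeated keys such as
    'bridge' keep every occurrence."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return conf


def check_bridge_relay(text):
    """Findings for the helping friend's node. An empty list means the torrc
    matches the unpublished-bridge recipe; each finding names the exposure."""
    conf = parse_torrc(text)

    def get(key):
        return conf.get(key, [TOR_DEFAULTS.get(key, "")])[-1]

    findings = []
    if get("bridgerelay") != "1":
        findings.append("BridgeRelay is not 1: this is an ordinary relay, not a bridge")
    if get("publishserverdescriptor") != "0":
        findings.append("PublishServerDescriptor is not 0: the bridge would be listed "
                        "publicly and blocked soon after")
    if get("exitpolicy").replace(" ", "").lower() != "reject*:*":
        findings.append("ExitPolicy reject *:* is not set: the node could act as an exit")
    if get("orport") != "443":
        findings.append("ORPort is not 443: traffic will not blend in with HTTPS")
    if get("socksport") != "0":
        findings.append("SocksPort is not 0: a local SOCKS listener stays open on the bridge")
    return findings


def check_bridge_client(text):
    """Findings for the user's torrc.txt (UseBridges plus one bridge line per friend)."""
    conf = parse_torrc(text)
    findings = []
    if conf.get("usebridges", ["0"])[-1] != "1":
        findings.append("UseBridges is not 1: bridge lines are ignored")
    bridges = conf.get("bridge", [])
    if not bridges:
        findings.append("no bridge line: nothing to connect through")
    for b in bridges:
        m = BRIDGE_LINE.match(b)
        if m is None or not 1 <= int(m.group("port")) <= 65535:
            findings.append(f"malformed bridge line: {b!r} (expected [transport] IP:PORT)")
    return findings


# Constructed samples. 203.0.113.7 is a documentation address, not a real bridge.
PUBLISHED_BRIDGE = "ORPort 443\nBridgeRelay 1\nExitPolicy reject *:*\n"  # two lines forgotten
UNPUBLISHED_BRIDGE = ("SocksPort 0\nORPort 443\nBridgeRelay 1\n"
                      "Exitpolicy reject *:*\nPublishServerDescriptor 0\n")
CLIENT_OK = "UseBridges 1\nTunnelDirConns 1\nbridge 203.0.113.7:443\n"
CLIENT_PLACEHOLDER = "bridge obfs2\n"   # transport named, address missing, UseBridges absent

if __name__ == "__main__":
    for name, text, check in [("published bridge", PUBLISHED_BRIDGE, check_bridge_relay),
                              ("unpublished bridge", UNPUBLISHED_BRIDGE, check_bridge_relay),
                              ("client ok", CLIENT_OK, check_bridge_client),
                              ("client placeholder", CLIENT_PLACEHOLDER, check_bridge_client)]:
        print(name, check(text) or "OK")
```

The forgotten-lines sample shows the realistic failure: a friend who copies only ORPort, BridgeRelay and ExitPolicy still runs a bridge, but one that Tor publishes in the public list by default.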

Authenticate Buddies

Click Start Private conversation and follow the instructions to authenticate each other to start a private conversation. The easiest method to authenticate someone is the Question and Answer method, in which you ask the other person a question that only they could answer. This is an important security step to verify that you are talking to who you think you are talking to.

Examples of acceptable questions:

Q: What did you and I talk about last night in the front room? (lower case, one word)
A: welding
* Only the two of you were involved in that conversation, so this is a secure question.

Q: What poster is on the wall of my bedroom? (lower case, two words)
A: beehive collective
* This is a secure question assuming you trust the people that have been in your bedroom.

Questions like "What is my hair color" or "What's my dog's name" are insecure because almost anyone could easily discover the answers to those questions.

JTorchat – obfsproxy: Ultimate secure chat based on obfsproxy

JTorChat stands for Java Torchat, and is a complete rewrite of the popular p2p IM messenger Torchat. JTorchat – obfsproxy is similar to the usual JTorchat, except it has obfsproxy support embedded in. Use JTorchat if you are in a normal country that does not use deep packet inspection. If you are in a country that does use it, or tries to block SSL connections, then use this package instead. JTorchat will not replace the original TorChat, of course. The reason is that the original torchat (for Windows) has no (easier) dependencies. For JTorchat, there is one dependency that is always required... Java, of course. Get free Java from here: and get JTorchat here: /p/jtorchat/downloads/detail?name=JTorchat%201.7.2.tar.gz The underlying protocol of jtorchat is based on python Torchat.

Note: JTorchat– obfsproxy is released in 2012 against deep packet analysis and SSL filtering

Philosophy
Accessible to all, Alive and connected to all, Transparent to all.
1. Accessible to All = Writing it in Java allows for easy portability of code between platforms, perhaps even to Android phones.
2. Alive and connected to All = Broadcast feature, and eventually group chat, will give talkers the ability to interact as a group, or as a public mass.
3. Transparent to All = All jtorchat will come with the source, thus increasing transparency and thus security.

Features from python Torchat
1. Basic Messaging to Torchat users - Done
2. Popup Alerts - Done
3. Time Stamp - Done
4. File transfer - Done
5. Minimize to tray - Done
6. Taskbar flashes on msg - How the hell do you do it in Java, cross-platform?

Features extended beyond python Torchat
1. Auto buddy request - done - Helps newcomers find people to talk to
2. Interface to an existing installed tor via GUI - done
3. Broadcast Mode - done - Allows a message to be sent to everyone in the network (no sender spoofing protection though)
4. BuddySync - allows a group to always keep their buddies in sync over tor.
5. Group Chat - Not Yet - For secure group communication.
6. FileSharing - allows for calling and downloading files off online buddies.

Wishlist 1. put budReq'd buddies into a different group 2. move old buddies from the default group to 'Old buddies' group (but not removing them from user set groups)

These bridges below are obfsproxy supported bridges; add more if you need.

UseBridges 1
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2
bridge obfs2

Secure Your Network and bypass internet censorship

Understanding how the Internet is controlled in practice can help to relate the sources of Internet censorship to the possible threats. Internet controls and censorship can be wide-ranging. A national government might not only block access to content, but also monitor what information people in its country are accessing, and might penalize users for Internet-related activities that the government deems unacceptable. Governments may both define what to block and carry out the blocking, or they may create legislation, regulations, or extra-legal incentives to compel the staff of nominally independent companies to carry out blocking and surveillance. The full story of Internet governance is complicated, political and still being actively disputed. Governments often have the authority and resources to implement their preferred schemes of Internet monitoring and control, whether Internet infrastructure is owned and operated by governments themselves or by private telecommunications companies. So a government that wants to block access to information can often readily exercise direct or indirect control over points where that information is produced, or where it enters or exits the country. Governments also have extensive legal authority to spy on citizens, and many go beyond what the law allows, using extra-legal methods to monitor or restrict Internet use and reshape it according to their own rules, as we already explained.

Government involvement
The Internet was developed by U.S. government-sponsored research during the 1970s. It gradually spread to academic use, then to business and public use. Today, a global community is working to maintain the standards and agreements that attempt to achieve world-wide open connectivity and interoperability without any geographical distinction. However, governments are not compelled to implement Internet infrastructure in accordance with these goals or related recommendations about Internet architecture. Some governments design their national telecommunications systems to have single "choke points" where they can control their whole country's access to specific sites and services, and in some cases prevent access to their section of the Internet from outside. Other governments have passed laws or adopted informal controls to regulate the behavior of private ISPs, sometimes compelling them to participate in surveillance or blocking or removing access to particular materials.

Some of the Internet's facilities and coordinating functions are managed by governments or by corporations under government charter. There is no international Internet governance that operates entirely independently. Governments treat the ability to control Internet and telecommunications infrastructure as matters of national sovereignty, and many have asserted the right to forbid or block access to certain kinds of content and services deemed offensive or dangerous.

Why would governments control the net?
Many governments have a problem with the fact that there is only one global Internet with technically no geographic or political borders. For the end-user, it makes (apart from a delay of a few milliseconds) no difference whether a Web site is hosted in the same country or on the other side of the world, a reality often delightful for Internet users and deeply alarming for states. Internet censorship, inspired by hopes of re-imposing geography and geographic distinctions, can occur for many reasons. Adapting a classification from the Open Net Initiative, we can describe some of these reasons as:

Political reasons: governments want to censor views and opinions contrary to the respective country's policies, including topics such as human rights and religion.

Social reasons: governments want to censor Web pages related to pornography, gambling, alcohol, drugs and other subjects that might seem offensive to the population.

National security reasons: governments want to block content related to dissident movements, and anything threatening national security.

In order to ensure that information controls are effective, governments may also filter tools that enable people to bypass Internet censorship. In the extreme case, governments can refuse to provide Internet service to the public, as in North Korea, or can cut off the Internet throughout their territory during periods of public protest, as happened briefly in Nepal in 2005, and in Egypt and Libya in 2011. Control can be aimed at both access providers and content providers.

Governments can submit access providers to strict control, in order to regulate and shape Internet traffic, and enable surveillance and monitoring of Internet users within the country. This is also a means to block global content that has been made available from abroad. For example, the Pakistani government asked local ISPs to block access to Facebook in May 2010 in order to block access to caricatures of the Prophet Muhammad that had been made available on the social networking site, as they had no control over the content provider Facebook. Governments can request content providers, such as in-country Web site editors, Webmasters or search engines, to forbid and block access to certain kinds of content and services deemed offensive or dangerous. For example, local Google subsidiaries have been requested to remove controversial content in a couple of countries (such as in China, before March 2010, when it redirected search engine activities towards Google Hong Kong).

Despite the guarantee of free access to information enshrined in Article 19 of the Universal Declaration of Human Rights, the number of countries engaged in Internet censorship has continued to increase dramatically over the past few years. As the practice of Internet filtering spreads throughout the world, however, so does access to the circumvention tools that have been created, deployed and publicized by activists, programmers and volunteers.

Many countries around the world have installed software that prevents Internet users within those countries from accessing certain websites and Internet services. Companies, schools and public libraries often use similar software to protect their employees, students and patrons from material that they consider distracting or harmful. This kind of filtering technology comes in a number of different forms. Some filters block a site based on its IP address, while others blacklist certain domain names or search through all unencrypted Internet communication, looking for specific keywords. Regardless of what filtering methods are present, it is nearly always possible to evade them by relying on intermediary computers, outside your country, to reach blocked services for you. This process is often called censorship circumvention, or simply circumvention, and the intermediary computers are called proxies. Proxies, too, come in many different forms.

Some organizations, most notably the OpenNet Initiative, are using software to test Internet access in various countries and to understand how access may be compromised by different parties. In some cases, this is a difficult or even dangerous task, depending on the authorities concerned. Research carried out by organizations like the OpenNet Initiative (ONI) and Reporters Without Borders (RSF) indicates that many countries filter a wide variety of social, political and 'national security' content, while rarely publishing precise lists of what has been blocked.

In some countries, there is no doubt about government blocking of parts of the Internet. In Saudi Arabia, for example, attempting to access sexually explicit material results in a noticeable message from the government explaining that the site is blocked, and why.

In countries that block without notification, one of the most common signs of censorship is that a large number of sites with related content are apparently inaccessible for technical reasons or seem to be out of order (for example, "Page Not Found" errors, or connections timing out often). Another potential indication is that search engines appear to return useless results or nothing at all about certain topics.

Filtering or blocking is also done by entities other than governments. Parents may filter the information that reaches their children. Many organizations, from schools to businesses, restrict Internet access in order to prevent users from having unmonitored communications, using company time or hardware for personal reasons, infringing copyrights, or using excessive networking resources. Naturally, those who wish to control their citizens' access to the Internet also make a special effort to block known proxies and websites that offer tools and instruction to help people circumvent these filters.

Many governments have the resources and legal ability to control large portions of a country's network infrastructure. If the government is your adversary, keep in mind that the entire communications infrastructure, from the Internet to mobile and landline phones, can be monitored. Before exploring the various ways to bypass Internet censorship, you should first develop a basic understanding of how these filters work. In doing so, it may be helpful to consider a greatly simplified model of your connection to the Internet.

Geographic context
Users in different places may have widely varying experiences of Internet content controls.

In some places, your government may be legally constrained from filtering or decide not to filter content. You may be monitored by your ISP so the information can be sold to advertisers. The government may have required ISPs to install monitoring (but not blocking) capabilities in their networks. The government may make a formal request for your browsing history and chat logs, or may store information for later use. It will try not to attract attention as it does this. You face threats from non-government actors, such as computer criminals who attack Web sites or steal personal financial information.

In some places, ISPs may use technical means to block some sites or services, but the government doesn't currently appear to track or retaliate against attempts to access them, or appear to operate a coordinated Internet content control strategy.

In some places, you may have access to local services that are a fair match for foreign services. These services are patrolled by your ISP or government agents. You may be free to post sensitive content, but it will be removed. If this happens too often, however, the penalties may become more severe. Restrictions may only become obvious during politically charged events.

In some places, your government may filter most foreign websites, especially news. It exercises tight control over ISPs to block content and keep track of people creating content. If you use a social networking platform, efforts will be made to infiltrate it. The government may encourage your neighbors to spy on you.

Personal context
Governments have a range of motivations for monitoring or restricting different kinds of people's online activity.

Activists: you may want to improve your government or are seeking a new one. Perhaps you want to reform a particular segment of society or work for the rights of minority groups. You may want to expose environmental issues, labor abuses, fraud, or corruption at your place of work. Your government and employers are going to be unhappy about this no matter the time of year, but they may put more effort into monitoring you if they suspect that there will be protests in the streets soon.

Bloggers: you may want to write about everyday life, but some people are silenced because of ethnicity or gender. Regardless of what you have to say, you're not supposed to be saying it. You may be in a country with mostly unrestricted users, but your opinions are not popular in your community. You might prefer anonymity or need it to connect with a support group.

Journalists: you may have some of the same concerns as activists and bloggers. Organized crime, corruption, and government brutality are dangerous subjects to cover. You may need to protect yourself and any activists who become sources of information.

Readers: you may not be politically active, but so much content is censored that you need circumvention software to get to entertainment, science, and industry periodicals. You may want to read a Web comic or browse the news about other countries. Your government may ignore this until it has some other reason to monitor you.

The most commonly blocked Internet resource used to be sexually explicit material; today, it is social networking platforms. The growing international popularity of social networking sites has turned millions of Internet users around the world into potential victims of censorship. Some social networking sites are popular at a global level, such as Facebook, MySpace or LinkedIn, while others have a large number of users in a given country or region: QQ (Qzone) in China, Cloob in Iran, vKontakte in Russia, Hi5 in Peru and Colombia, Odnoklassniki in CIS countries, Orkut in India and Brazil, Zing in Vietnam, Maktoob in Syria, Ameba and Mixi in Japan, Bebo in the UK, and others.

How censorship works

Everybody wants to get connected to the Internet, everywhere at every moment. People use whatever method is available, ranging from Wi-Fi networks to rolling out cables on the street. It is even possible to make an Internet connection using satellites or mobile networks. The urge to get connected is more important than making sure the connection is safe. Even though many people know connecting to an open wireless network is unsafe, people still act as if there is no alternative.

Network operators can filter or manipulate Internet traffic at any point in a network, using a wide variety of technologies, with varying levels of accuracy and customization. Typically, these maneuvers involve using software to look at what users are attempting to do and to interfere selectively with activities that the operator considers forbidden by policy. A filter could be created and applied by a national government or by a national or local ISP, or even by the operator of a local network; or software-based filters could be installed directly onto individual computers.

The goals of deploying a filtering mechanism vary depending on the motivations of the organization deploying them. They may be to make a particular Web site (or individual Web page) inaccessible to those who wish to view it, to make it unreliable, or to deter users from even attempting to access it in the first place. The choice of mechanism will also depend upon the capability of the organization that requests the filtering: what access and influence they have, the people against whom they can enforce their wishes, and how much they are willing to spend. Other considerations include the number of acceptable errors, whether the filtering should be overt or covert, and how reliable it is (both against casual users and those who wish to bypass it).

We will describe several techniques by which particular content can be blocked once the list of resources to be blocked is established.
Building this list is a considerable challenge and a common weakness in deployed systems. Not only does the huge number of Web sites make building a comprehensive list of prohibited content difficult, but as content moves and Web sites change their IP addresses, keeping this list up-to-date requires a lot of effort. Moreover, if the operator of a site wishes to interfere with the blocking, the site could be moved more rapidly than it would be otherwise. We first describe technical measures used against end users, and then briefly discuss measures used against publishers and hosting providers, as well as non-technical intimidation.

When connecting to the Internet, every request goes through multiple 'hops' (often called routers). At every hop a system administrator (or government institution) can spy on ('sniff') your connection. Often at least 5 to 10 hops are required before your request reaches the server. This means there are at least as many places where your information can be sniffed and leaked without your knowledge.

The first step of your connection to the Internet is typically made through an Internet Service Provider (ISP) at your home, office, school, library or Internet cafe. The ISP assigns your computer an IP address, which various Internet services can use to identify you and send you information, such as the emails and Web pages you request. Anyone who learns your IP address can figure out what city you are in. Certain well-connected organizations in your country, however, can use this information to determine your precise location. Your ISP will know which building you are in or which phone line you are using if you access the Internet through a modem.

Most ISPs in the world monitor some aspects of their users' communications for accounting purposes and to combat abuse such as spam. ISPs often record user account names together with IP addresses. Unless users employ privacy-enhancing technologies to prevent it, it is technically possible for an ISP to record all the information that flows over its cables, including the exact contents of users' communications.
On the other end of your connection, the website or Internet service you are accessing has gone through a similar process, having received its own IP addresses from an ISP in its own country. Even without all of the technical details, a basic model like this can be helpful when considering the various tools that allow you to get around filters and remain anonymous on the Internet.

This surveillance is also a prerequisite for technically-based network censorship. An ISP trying to censor communications that its users want to send has to be able to read those communications in order to determine which ones violate its policies. Hence a core approach to reducing Internet censorship is hiding the detailed content of communications from ISPs, both in individual cases and by encouraging widespread use of pro-privacy technologies that hinder surveillance. This means that technical counter-measures to network censorship often rely on using obfuscation or encryption wherever possible in order to make it impossible for the ISP to see exactly what content has been transferred.

 

Your Internet cafe, library or business will know which computer you were using at a given time, as well as which port or wireless access point you were connected to. Government agencies may know all of these details, as a result of their influence over the organizations above.

URL filtering
One way for countries and other entities to block access to information on the Web is to prevent access based on the URL, either the entire URL or some part of it. Internet censors often want to block specific domain names in their entirety, because they object to the content of those domains. One of the easiest ways to block Web sites is by blocking the complete domain name. Sometimes, authorities are more selective, blocking only certain subdomains in a particular domain, while leaving the rest of the domain accessible. This is the case for Vietnam, where the government blocks specific sections of a Web site (such as the Vietnamese-language versions of the BBC and Radio Free Asia) but rarely censors content written in English. Censors, for example, might filter only the subdomain while leaving and unfiltered. Similarly, they might want to filter out pages containing specific types of content while allowing access to the rest of the domain hosting those pages. One filtering approach is to look for a directory name, such as "worldservice", to block only the BBC foreign-language news service at, without blocking the BBC's English-language Web site as a whole. Censors can sometimes even block specific pages based on page names, or search terms in queries, that suggest offensive or undesired content.

URL filtering can be performed locally, through the use of special software installed in the computer that you are using. For example, computers in an Internet café may all be running filtering software that prevents certain sites from being accessed. URL filtering can also be performed at a central point in the network, such as a proxy server. A network can be configured not to allow users to connect directly to Web sites but instead to force (or just encourage) all users to access those sites via a proxy server. Proxy servers are used to relay requests, as well as temporarily storing web pages they retrieve in a cache and delivering them to multiple users.
This reduces the need for an ISP to frequently retrieve a popularly requested page, thus saving on resources and improving delivery time. However, as well as improving performance, an HTTP proxy can also block Web sites. The proxy decides whether requests for Web pages should be permitted, and if so, sends the request to the Web server hosting the requested content. Since the full content of the request is available, individual Web pages can be filtered, based on both page names and the actual content of the page. If a page is blocked, the proxy server could return an accurate explanation of the reason why, or pretend that the page didn't exist or produced an error.
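The practical consequence of the two paragraphs above is that what a URL filter can match on depends on what it can read. The following is an added example (not code from the book or from any filtering product) that models this: for plain HTTP an on-path proxy sees host, path and query, while for HTTPS only the host name is exposed (through the DNS lookup and the TLS SNI field), so directory and search-term rules cannot fire. The rule kinds, the `news.example.org` hosts and the rule names are constructed for illustration; the "worldservice" directory rule mirrors the book's BBC example.

```python
"""Which parts of a URL an on-path filter or forced HTTP proxy can act on."""
from urllib.parse import urlsplit, parse_qs


def visible_to_filter(url):
    """Return the URL components an on-path filter can read for this request.

    Plain HTTP: Host header, path and query travel in clear text.
    HTTPS: only the host name leaks (DNS lookup, TLS SNI); path and query are
    inside the encrypted tunnel, so they are reported as None.
    (Constructed model; a proxy's CONNECT request likewise carries only host:port.)
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https":
        return {"host": host, "path": None, "query": None}
    return {"host": host, "path": parts.path or "/", "query": parse_qs(parts.query)}


def _host_in_domain(host, domain):
    """True if host equals the domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def matching_rules(url, rules):
    """Return the names of the rules that would fire for this URL.

    Rule kinds (constructed for this example):
      domain     - block the domain and every subdomain under it
      subdomain  - block one exact host name, leave the rest of the domain alone
      directory  - block when a path segment equals the value (e.g. 'worldservice')
      query_term - block when a query parameter value contains the term
    Rules that need the path or query never fire on HTTPS, because the filter
    does not see those parts.
    """
    seen = visible_to_filter(url)
    hits = []
    for rule in rules:
        kind, value = rule["kind"], rule["value"]
        if kind == "domain" and _host_in_domain(seen["host"], value):
            hits.append(rule["name"])
        elif kind == "subdomain" and seen["host"] == value:
            hits.append(rule["name"])
        elif kind == "directory" and seen["path"] is not None:
            if value in seen["path"].strip("/").split("/"):
                hits.append(rule["name"])
        elif kind == "query_term" and seen["query"] is not None:
            values = [v for vs in seen["query"].values() for v in vs]
            if any(value.lower() in v.lower() for v in values):
                hits.append(rule["name"])
    return hits


# Constructed rule set (illustration only; hosts are reserved example names).
RULES = [
    {"name": "whole-domain",  "kind": "domain",     "value": "banned.example"},
    {"name": "one-subdomain", "kind": "subdomain",  "value": "vi.news.example.org"},
    {"name": "worldservice",  "kind": "directory",  "value": "worldservice"},
    {"name": "search-term",   "kind": "query_term", "value": "protest"},
]

if __name__ == "__main__":
    for u in ["http://news.example.org/worldservice/vietnamese/",
              "https://news.example.org/worldservice/vietnamese/",
              "http://vi.news.example.org/",
              "https://www.banned.example/anything",
              "http://search.example.org/?q=protest+tomorrow"]:
        print(u, "->", matching_rules(u, RULES) or "allowed")
```

The same page requested over HTTP and over HTTPS gives different results: the directory rule fires on the first URL and not on the second, because the path never reaches the filter. A whole-domain rule still fires on HTTPS, which is why moving to HTTPS helps against path- and keyword-based filtering but not against domain blocking.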

DNS filtering and spoofing
When you enter a URL in a Web browser, the first thing the Web browser does is to ask a DNS (Domain Name System) server, at a known numeric address, to look up the domain name referenced in the URL and supply the corresponding IP address.

If the DNS server is configured to block access, it consults a blacklist of banned domain names. When a browser requests the IP address for one of these domain names, the DNS server gives a wrong answer or no answer at all.

When the DNS server gives a meaningless answer or no answer, the requesting computer fails to learn the correct IP address for the service it wanted to contact. Without the correct IP address, the requesting computer cannot continue, and it displays an error message. Since the browser does not learn the Web site's correct IP address, it is not able to contact the site to request a page. The result is that all of the services under a particular domain name, such as all of the pages on a particular Web server, are unavailable. In this case, deliberate blocking may wrongly appear as a technical problem or random failure.

Similarly, a censor could force a DNS entry to point to an incorrect IP address, thus redirecting Internet users to incorrect Web sites. This technique is called DNS spoofing, and censors can use it to hijack the identity of a particular server and display forged Web sites or reroute the users' traffic to unauthorized servers that could intercept their data. (In some networks, the wrong answer would lead to a different Web server that clearly explains the nature of the blocking that has occurred. This technique is used by censors who don't mind admitting that they are engaged in censorship and who don't want users to be confused about what has taken place.)
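The blocking and spoofing behaviours described above can be told apart by asking two resolvers the same question and comparing the replies. The following is an added example, not code from the book: it builds a real DNS A query, parses the reply (including name compression) and classifies the local resolver's answer against a trusted reference resolver's answer. The replies it is run on here are constructed inline so it works offline; `query_resolver()` sends the same query over UDP when you want to test a live resolver. `BLOCKPAGE_IPS` is a hypothetical set you would fill from your own observations, and the name and addresses are reserved example values.

```python
"""Spotting DNS blocking and spoofing by comparing two resolvers' answers."""
import socket
import struct

# Hypothetical: addresses your local resolver has been seen returning for blocked names.
BLOCKPAGE_IPS = {"10.10.34.34"}


def encode_name(name):
    """Encode 'www.example.org' as DNS labels: \\x03www\\x07example\\x03org\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query: RFC 1035 header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer back to an earlier name
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg):
    """Return the reply's transaction id, RCODE and any A-record addresses."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = read_name(msg, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0xF, "addresses": addrs}


def build_response(query, rcode, addrs, ttl=300):
    """Build a reply to `query`; used here only to construct offline test input."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (rcode & 0xF)  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                       for ip in addrs)
    return header + query[12:] + answers


def classify(local, reference, blockpage_ips=BLOCKPAGE_IPS):
    """Compare the local resolver's parsed answer with a trusted reference's."""
    if local["rcode"] == 3 and reference["addresses"]:
        return "blocked: NXDOMAIN for a name the reference resolves"
    if local["rcode"] == 0 and not local["addresses"] and reference["addresses"]:
        return "blocked: empty answer for a name the reference resolves"
    if set(local["addresses"]) & set(blockpage_ips):
        return "spoofed: answer points at a known blockpage address"
    if local["addresses"] and reference["addresses"] and \
            not set(local["addresses"]) & set(reference["addresses"]):
        return "mismatch: answers disagree (possible spoofing; CDNs also differ by region)"
    return "consistent"


def query_resolver(name, server, timeout=3.0):
    """Send the query to a live resolver (IP address) over UDP; needs network access."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(512)
    parsed = parse_response(reply)
    if parsed["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return parsed


if __name__ == "__main__":
    # Constructed replies for one name: an honest reference answer, then an
    # NXDOMAIN and a blockpage redirect as a filtering resolver might return them.
    q = build_query("news.example.org")
    ref = parse_response(build_response(q, 0, ["203.0.113.10"]))
    for label, reply in [("nxdomain", build_response(q, 3, [])),
                         ("blockpage", build_response(q, 0, ["10.10.34.34"])),
                         ("honest", build_response(q, 0, ["203.0.113.10"]))]:
        print(label, "->", classify(parse_response(reply), ref))
```

A "mismatch" verdict is a prompt to look further rather than proof of spoofing: content-delivery networks legitimately return different addresses depending on where the query comes from, so confirm by fetching the site's HTTPS certificate from the returned address or by comparing against several reference resolvers.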

IP filtering
When data is sent over the Internet, it is grouped into small units, called packets. A packet contains both the data being sent and information about how to send the packet, such as the IP addresses of the computer it came from and the one it should go to. Routers are computers that relay packets on their way from a sender to a receiver, determining where they go next. If censors want to prevent users from accessing specific servers, they can configure routers that they control to drop (ignore and fail to transmit) data destined for IP addresses on a blacklist or to return an error message for them. Filtering based solely on IP addresses blocks all services provided by a particular server, such as both Web sites and e-mail servers. Since only the IP address is inspected, multiple domain names that share the same IP address are also blocked, even if only one was originally meant to be prohibited.

Keyword filtering
IP address filtering can only block communication on the basis of where packets are going to or coming from, not what they contain. This can be a problem for the censor if it is impossible to establish the full list of IP addresses containing prohibited content, or if an IP address contains enough non-prohibited content to make it seem unjustifiable to totally block all communication with it. There is a finer-grained control possible: the content of packets can be inspected for banned keywords. As network routers do not normally examine the entire packet contents, extra equipment may be needed; the process of examining packet contents is often called deep packet inspection. A communication identified as containing forbidden content may be disrupted by blocking the packets directly or by forging a message to both of the communicating parties advising them that the other party has terminated the conversation. Equipment that performs all of these censoring functions and others is readily available on the market. Alternatively, the censor can use a forced HTTP proxy, as described earlier.

Traffic shaping
Traffic shaping is a technique utilized by network managers to make a network run smoothly by prioritizing some kinds of packets and delaying other kinds of packets that meet certain criteria. Traffic shaping is somewhat similar to controlling vehicle traffic on a street. In general, all vehicles (packets) have the same priority, but some vehicles are temporarily delayed by traffic controllers or stop lights to avoid traffic jams at certain points. At the same time, some vehicles (fire trucks, ambulances) may need to reach their destination faster, and therefore they are given priority by delaying other vehicles. Similar logic is applicable to Internet packets that need low latency for optimal performance (such as voice over IP, VoIP).

Traffic shaping can also be used by governments or other entities to delay packets with specific information. If censors want to restrict access to certain services, they can easily identify packets related to these services and increase their latency by setting their priority low. This could give users the misleading impression that a site is inherently slow or unreliable, or it could simply make the disfavored site unpleasant to use relative to other sites. This technique is sometimes used against peer-to-peer file-sharing networks, such as BitTorrent, by ISPs that disfavor file sharing.

Port blocking
Blacklisting individual port numbers restricts access to individual services on a server, such as Web or e-mail. Common services on the Internet have characteristic port numbers. The relationships between services and port numbers are assigned by IANA, but they are not mandatory. These assignments allow routers to make a guess as to the service being accessed. Thus, to block just the Web traffic to a site, a censor might block only port 80, because that is the port typically used for Web access.

Access to ports may be controlled by the network administrator of the organization that hosts the computer you're using, whether a private company or an Internet café; by the ISP that is providing Internet access; or by someone else, such as a government censor who has access to the connections that are available to the ISP. Ports may also be blocked for reasons other than pure content censorship: to reduce spam, or to discourage disfavored network uses such as peer-to-peer file sharing, instant messaging, or network gaming.

If a port is blocked, all traffic on this port becomes inaccessible to you. Censors often block the ports 1080, 3128, and 8080 because these are the most common proxy ports. If this is the case, you won't be able to directly use any proxies that require use of those ports; you'll have to use a different circumvention technique or else find or arrange for the creation of proxies that are listening on an uncommon port. For example, in one university, only the ports 22 (SSH), 110 (POP3), 143 (IMAP), 993 (secure IMAP), 995 (secure POP3) and 5190 (ICQ instant messaging) may be open for external connections, forcing users to use circumvention technology or access services on nonstandard ports if they want to use other Internet services.
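Before concluding that a proxy port is blocked, it helps to measure which outbound ports your current network actually lets through, and how it blocks them. The following is an added example, not code from the book: `probe_ports()` attempts a TCP connection to each port on one server you control (for example a machine of your own where you know exactly which ports are listening; the host name is a placeholder), and `interpret()` reads the outcome. The port lists are the ones named in the text. A connection that times out on a port you know is listening is the signature of packets being silently dropped on the path, while an immediate "refused" means something answered with a reset. The listener helpers at the bottom exist only so the function can be exercised offline against a loopback socket.

```python
"""Check which outbound TCP ports your network lets you reach on a server you control."""
import socket
import threading

# Ports named in the text: the common proxy ports and the ones that university left open.
PROXY_PORTS = [1080, 3128, 8080]
UNIVERSITY_OPEN = [22, 110, 143, 993, 995, 5190]
MY_SERVER = "vps.example.invalid"  # placeholder: a host you own, with known listening ports


def probe_port(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error: ...' for one TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error: %s" % (exc.strerror or exc)


def probe_ports(host, ports, timeout=3.0):
    """Probe each port in turn; returns {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def interpret(results, expected_open):
    """Turn raw states into verdicts, given which ports you know are listening."""
    verdicts = {}
    for port, state in results.items():
        if port in expected_open and state == "timeout":
            verdicts[port] = "probably filtered on the path (silent drop)"
        elif port in expected_open and state == "refused":
            verdicts[port] = "actively rejected (a filter sent RST, or the server is not listening)"
        elif state == "open":
            verdicts[port] = "reachable"
        else:
            verdicts[port] = state
    return verdicts


def start_local_listener():
    """Offline self-test helper: a throwaway listener on 127.0.0.1; returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def free_port():
    """Offline self-test helper: a loopback port with nothing listening on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demonstration on loopback; replace with MY_SERVER and its real port list.
    listening, stop = start_local_listener()
    closed = free_port()
    results = probe_ports("127.0.0.1", [listening, closed], timeout=2.0)
    stop()
    for port, verdict in interpret(results, expected_open={listening, closed}).items():
        print(port, "->", verdict)
```

Run it from the network you are testing, against a host you operate and whose listening ports you know, so that every "timeout" can be attributed to the path rather than to the server. Comparing the result with the same run from an unfiltered network (a mobile connection, say) shows which ports the local network or ISP is blocking.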

Internet shutdown
Shutting down Internet connectivity is an example of extreme censorship perpetrated by governments in response to sensitive political and social events. However, complete network disruption (i.e. from both domestic and international networks) requires intense work, since it is necessary to shut down not only the protocols that connect the country to the international network but also the protocols that connect ISPs with one another and with users. Countries have shut down Internet access completely (Nepal in 2005, Burma in 2007 and Egypt and Libya in 2011) as a means to quell political unrest. These shutdowns lasted from a few hours to several weeks, though some people managed to connect through dial-up to an ISP abroad or by using mobile connections or satellite links. Breaking international connections, therefore, does not necessarily destroy connectivity among domestic ISPs or communication among various users of a single ISP. It would take further steps to completely isolate users from an internal network. For this reason, it is harder to disrupt local interconnectivity in countries with several ISPs.

Attacks on publishers
Censors can also try to suppress content and services at their source by attacking the publishers' ability to publish or host information. This can be accomplished in several ways.

Legal restrictions
Sometimes, legal authorities can induce service operators themselves to perform or cooperate with censorship. Some blog hosts or e-mail providers, for example, may decide to perform keyword filtering within their own servers, perhaps because governments told them to. (In this case, there's little hope that any sort of "circumvention" will counteract these services' censorship; we generally conceive of circumvention as an effort to reach desired network services somewhere else, such as in a different country or jurisdiction.)

Denial of service
Where the organization deploying the filtering does not have the authority (or access to the network infrastructure) to add conventional blocking mechanisms, Web sites can be made inaccessible by overloading the server or network connection. This technique, known as a Denial-of-Service (DoS) attack, could be mounted by one computer with a very fast network connection; more commonly, a large number of computers are taken over and used to mount a distributed DoS (DDoS) attack.

Domain deregistration
As mentioned earlier, the first stage of a Web request is to contact the local DNS server to find the IP address of the desired location. Storing all domain names in existence would be unfeasible, so instead, so-called "recursive resolvers" store pointers to other DNS servers that are more likely to know the answer. These servers will direct the recursive resolver to further DNS servers until one, the "authoritative" server, can return the answer. The domain name system is organized hierarchically, with country domains such as ".uk" and ".de" at the top, along with the nongeographic top-level domains such as ".org" and ".com". The servers responsible for these domains delegate responsibility for subdomains, such as, to other DNS servers, directing requests for these domains there. Thus, if the DNS server for a top-level domain deregisters a domain name, recursive resolvers will be unable to discover the IP address and so make the site inaccessible. Country-specific top-level domains are usually operated by the government of the country in question, or by an organization appointed by it. So if a site is registered under the domain of a country that prohibits the hosted content, it runs the risk of being deregistered.

Server takedown
Servers hosting content must be physically located somewhere, as must the administrators who operate them. If these locations are under the legal or extra-legal control of someone who objects to the content hosted, the server can be disconnected or the operators can be required to disable it.

Intimidation of users
Censors may also try to deter users from even attempting to access banned material in various ways.

Surveillance
The above mechanisms inhibit access to banned material, but are both crude and possible to circumvent. Another approach, which may be applied in parallel to filtering, is to monitor which Web sites are being visited. If prohibited content is accessed (or attempted to be accessed) then legal (or extra-legal) measures could be deployed as punishment. If this fact is widely publicized, it could discourage others from attempting to access banned content, even if the technical measures for preventing access are inadequate by themselves. In some places, censors try to create an impression that their agents are everywhere and that everyone is constantly being watched, whether or not this really is the case.

Social techniques
Social mechanisms are often used to discourage users from accessing inappropriate content. For example, families may place the PC in the living room where the screen is visible to all present, rather than somewhere more private, as a low-key way of discouraging children from accessing unsuitable sites. A library may situate PCs so that their screens are all visible from the librarian's desk. An Internet cafe may have a CCTV surveillance camera. There might be a local law requiring such cameras, and also requiring that users register with government-issued photo ID.

Stealing and destroying communications equipment
In some places, censors have the ability to prohibit some kinds of communications technology entirely. In that case, they may conspicuously confiscate or seek out and destroy prohibited communications equipment in order to send the message that its use will not be tolerated.

Gallery of national blockpages
Here are screenshots of pages that show up when a website is blocked by national filtering systems and Internet service providers. Only the captions survive in this text version; the screenshots themselves are not reproduced.

Iran - Pars Online
Iran - Shatel
Iran - Telecommunication Company of Iran
Norway - Telenor
Oman - Omantel
Saudi Arabia
Singapore - Singnet
Singapore - Starhub
South Korea - Kornet
Sudan - NTC
Syria - Scsnet
Thailand - KSC
Thailand - Loxinfo
Tunisia - Topnet
UAE - Etisalat
Uzbekistan - Uzscinet
Vietnam - VNPT
Yemen - Ynet
Turkey - Turktelekom
Thailand - TOT
The Netherlands
Abu Dhabi - UAE
Tibet - China

Circumvention and Safety
The type of security you need depends on your activities and their consequences. There are some security measures that everyone should practice whether they feel threatened or not. Some ways to be cautious online require more effort, but are necessary because of severe restrictions on Internet access. You may be facing threats from technology that is being researched and deployed rapidly, from old technology, from the use of human intelligence instead, or from a combination of all three. All of these factors may change often.

Some security best-practices
There are steps that everyone with a computer should take to keep it secure. This may involve protecting information about your network of activists or it could be your credit card number, but some of the tools you need are the same.

Beware of programs that promise perfect security: online safety is a combination of good software and human behavior. Knowing what should be kept offline, who to trust, and other security questions cannot be answered by technology alone. Look for programs that list risks on their Web sites or have been peer reviewed.

Keep your operating system up-to-date: the developers of operating systems provide updates that you should install from time to time. These may be automatic or you may have to request them by entering a command or adjusting your system settings. Some of these updates make your computer more efficient and easier to use, and others fix security holes. Attackers learn about these security holes rapidly, sometimes even before they're fixed, so fixing them promptly is crucial.

If you're still using Microsoft Windows, use anti-virus software and keep it updated. Malware is software written in order to steal information or to use your computer for other purposes. Viruses and malware can gain access to your system, make changes and hide themselves. They could be sent to you in an e-mail, be on a Web page you visit, or be part of a file that does not appear to be suspicious. Anti-virus software providers constantly research emerging threats and add them to lists of things that your computer will block. In order to allow the software to recognize new threats, you must install updates as they are released.

Use good passwords: no password selection system can guard against being threatened with violence, but you can improve your security by making it harder to guess. Use combinations of letters, punctuation, and numbers. Combine lower and upper case letters. Do not use birthdates, telephone numbers, or words that can be guessed by going through public information about you.

Use Free and Open Source Software (FOSS): open source software is made available both as a working product and as a work in progress to users and software engineers. This offers several security advantages over closed source, for-profit software that may only be available in your country through illegal channels due to export restrictions or expense. You may not be able to download official updates for pirated software. With Open Source software there is no need to search through several suspicious sites for a copy free of spyware and security glitches. Any legitimate copy will be free and is available from the creators. If security flaws emerge, they can be spotted by volunteers or interested users. A community of software engineers will then work on a solution, often very quickly.

Use software that separates who you are from where you are: every computer connected to the Internet has an IP address. An IP address can be used to find your physical location as easily as typing it into a public "whois" site. Proxies, VPNs and Tor route your traffic through one to three computers around the world. If you are going through only one server, be aware that just like an ISP, the proxy provider can see all of your traffic. You may trust the proxy provider more than your ISP, but the same warnings apply to any single source of connectivity. See the sections that cover proxies, Tor, and VPNs for more on risks.

Use live CDs and bootable USB drives: if you are using a public computer or another computer on which you do not want to leave data, use a version of Linux that you can run from portable media. A Live CD or bootable USB drive can be plugged into a computer and used without installing anything.

Use "portable" programs: there are also portable versions of circumvention software that can be run under Windows from a USB drive.

Keep yourself updated: the effort put into finding you may change. The technology that works one day may stop working or be insecure the next day. Even if you don't need it now, know where to find information. If the software providers you use have ways to get support, make sure you know about them before their Web sites are blocked.

Safer access to social networking sites
In the context of closed societies and repressive countries, monitoring becomes a major threat for users of social networking sites, especially if they use the service to coordinate civil society activity or engage in online activism or citizen journalism. One central issue with social networking platforms is the amount of private data that you share about yourself, your activities and your contacts, and who has access to it. As the technology evolves and social networking platforms are more and more accessed through smart phones, the disclosure of the locations of the users of a social networking platform at any given moment is also becoming a significant menace. In that context, some precautions become even more crucial; for example, you should:

edit your default privacy settings in the social networking platform
know precisely what information you are sharing with whom
make sure that you understand the default geolocation settings, and edit them if needed
only accept into your network people who you really know and trust
only accept into your network people who will be savvy enough to also protect the private information that you share with them, or train them to do so
be aware that even the most savvy people in your network might give up information if they are threatened by your adversary, so consider limiting who has access to which information

Be aware that accessing your social networking platform via a circumvention tool will not automatically protect you from most of the threats to your privacy.

Read more in this article from Privacy Rights Clearinghouse: "Social Networking Privacy: How to be Safe, Secure and Social".

How can you access your social networking platform when it is filtered? As described below, using HTTPS to access Web sites is important. If your social networking platform allows HTTPS access, you should use it exclusively and, if possible, make it the default. For example, on Facebook you can edit Account Settings > Account Security > Secure Browsing (https) to make HTTPS the default way to connect to your Facebook account. In some places, using HTTPS may also allow you to access an otherwise blocked service; for example, has been blocked in Burma while remained accessible. If you want to protect your anonymity and privacy while circumventing the filtering imposed on your social networking service, an SSH tunnel or VPN will give you stronger privacy guarantees than a Web proxy, including against the risk of revealing your IP address. Even using an anonymity network like Tor can be insufficient, because social networking platforms make it so easy to reveal identifying information and expose details about your contacts and social relationships.

Safer use of shared computers

A significant proportion of the world's population, especially in developing countries, does not have personal access to the Internet at home. This can be because of the cost of a private Internet connection, the lack of personal computer equipment, or problems in the telecommunication or electrical network infrastructure. For this portion of the population the only existing, convenient or affordable means to access the Internet is to use places where computers are shared by several different individuals: Internet cafés, telecentres, workplaces, schools or libraries.

Potential advantages of shared computers

There are advantages to accessing the Internet on shared computers:

You may receive technical advice and assistance from other users or facility staff on how to circumvent filtering.
Circumvention tools may already be installed and pre-configured.
Other users may share uncensored information with you through alternative, offline means.
If you aren't a regular user of a particular computing facility, you didn't provide identity documents to the facility's operator, and you don't sign in online using your real name or account information, it would be hard for anyone to track you down personally based on your online activity.

General risks of shared computers

The fact that you access the Internet in a public space does not make it anonymous or safe for you. It is quite often the very opposite. Some of the main threats are:

The owner of the computer, or even a person who used the computer before you, could easily program the computer to spy on everything you do, including recording all of your passwords. The computer can also be programmed to circumvent or nullify the protections of any privacy and security software you use on it.
In some countries, such as Burma and Cuba, Internet café clients are required to show their ID or passport before using the service. This ID information can be stored and filed together with the clients' Web browsing history.
Any data you leave on the computer you have used may be logged (browsing history, cookies, downloaded files, etc.).
Software or hardware keyloggers installed in the client's computer may record every keystroke during your session, including your passwords, even before this information is sent over the Internet, so neither HTTPS nor a circumvention tool helps against them. In Vietnam, an apparently innocuous virtual keyboard for typing Vietnamese characters was being used by the government to monitor user activity at Internet cafés and other public access spots.
Your screen activity may be recorded by special software that takes screenshots at frequent intervals, monitored through CCTV cameras, or simply observed by a person (e.g. the Internet café manager) looking over your shoulder.

Shared computers and censorship

Besides the surveillance, users of shared computers are often offered access to a limited Internet and have to face additional hurdles to use their favorite circumvention solution:

In some countries, such as Burma, Internet café owners have to display posters about banned Web content and are responsible for enforcing censorship law inside their business.
Extra filtering might be implemented by Internet café managers (client-side control and filtering), to complement filtering implemented at the ISP or national level.
Users might be pushed by these environmental restrictions to avoid visiting specific Web sites for fear of punishment, thus enforcing self-censorship.
Computers are often configured so that users are prevented from installing any software, including circumvention tools, or connecting any kind of device to the USB port (such as USB flash drives). In Cuba, authorities have begun deploying controlling software for Internet cafés named AvilaLink that prevents users from installing or executing specific software or running applications from a USB flash drive.
Users may be prevented from using any browser but Internet Explorer, to prevent the use of privacy or circumvention add-ons or settings for browsers such as Mozilla Firefox or Google Chrome.

Best practices for security and circumvention

Depending on the environment in which you use your shared computer, you can try the following:

Identify the surveillance measures in place, based on the list above (CCTV, human surveillance, keyloggers, etc.), and behave accordingly.
Run portable circumvention software from a USB flash drive.
Use an operating system over which you have control, by booting a live CD.
Change Internet cafés often if you fear recurring surveillance, or stick to one where you trust it is safe to connect.
Take your own laptop to the Internet café and use it instead of the public computers.

Confidentiality and HTTPS

Some filtered networks use mainly (or exclusively) keyword filtering, rather than blocking particular sites. For example, networks might block any communication mentioning keywords that are considered politically, religiously, or culturally sensitive. This blocking can be overt or disguised as a technical error. For example, some networks make it look like a technical error occurred whenever you search for something that the network operator thinks you shouldn't be looking for. This way, users are less likely to blame the problem on censorship.

If the content of Internet communications is unencrypted, it will be visible to ISPs' network equipment such as routers and firewalls, where keyword-based monitoring and censorship can be implemented. Hiding the content of communications with encryption makes the task of censorship much more difficult, because network equipment can no longer distinguish the communications that contain forbidden keywords from those that don't. Using encryption to keep communications confidential also prevents network equipment from logging communications in order to analyze them and target individuals after the fact for what they read or write.

Again HTTPS

HTTPS is the secure version of the HTTP protocol used to access Web sites. It provides a security upgrade for accessing Web sites by using encryption to stop eavesdropping on, and tampering with, the contents of your communications. Using HTTPS to access a site can prevent network operators from knowing which part of the site you're using or what information you sent to and received from the site. The name of the site itself still leaks, through the DNS lookup and the start of the TLS handshake, which is why an operator can still block a whole site. HTTPS support is already included in every popular Web browser, so you don't need to install or add any software in order to use HTTPS. Usually, if a site is available through HTTPS, you can access the site's secure version by entering its address (URL) beginning with https:// instead of http://. You can also tell whether you are using the secure version of a site by looking at the address displayed in your Web browser's navigation bar and seeing whether it begins with https://.

Not every Web site has an HTTPS version; perhaps fewer than 10% of sites do, though these include several of the largest and most popular sites. A Web site is only available through HTTPS if the Web site operator deliberately configures its HTTPS version. Internet security experts have been urging Web site operators to do this routinely, and the number of sites with HTTPS support has been growing steadily. If you try to access a site through HTTPS and receive an error, this doesn't always mean that your network is blocking access to the site. It might mean that the site is simply not available in HTTPS (to anyone). However, certain kinds of error message are more likely to show that someone is actively blocking or tampering with the connection, especially if you know that a site is supposed to be available through HTTPS: a connection that is refused outright usually means there is no HTTPS service, whereas a certificate warning, or a handshake that fails on a site known to work from elsewhere, points to interference on the path.

Examples of sites that offer HTTPS

Here are a few examples of popular sites that offer HTTPS. In some cases the use of HTTPS is optional on these sites, not mandatory, so you have to explicitly choose the secure version of the site in order to get the benefits of HTTPS. Site name (insecure HTTP version / secure HTTPS version):

Facebook
Gmail
Google Search
Twitter
Wikipedia
Windows Live Mail (MSN Hotmail)
MySpace
YouTube
4shared


For example, if you make a Google search from instead of , your network operator will not be able to see what terms you searched for, and therefore can't block Google from answering "inappropriate" searches. (However, the network operator could decide to block in its entirety.) Similarly, if you use Twitter through instead of , the network operator can't see which tweets you are reading, what tags you are searching for, what you post there, or which account you log into. (However, the network operator could decide to block all access to using HTTPS.)

HTTPS makes use of an Internet security protocol called TLS (Transport Layer Security), the successor of SSL (Secure Sockets Layer). You may hear people refer to a site "using SSL" or being "an SSL site". In the context of a Web site, this means that the site is available through HTTPS.

Using HTTPS in addition to circumvention technology

Even circumvention technologies that use encryption are not a substitute for using HTTPS, because the purpose for which the encryption is used is different. For many kinds of circumvention technology, including VPNs, proxies and Tor, it is still possible and appropriate to use HTTPS addresses when accessing a blocked site through the circumvention technology. This provides greater privacy and prevents the circumvention provider itself from observing or recording what you do. This could be important even if you're confident that the circumvention provider is friendly to you, because the circumvention provider (or the network that the circumvention provider uses) could be broken into or pressured to provide information about you. Some circumvention technology developers, like Tor, strongly urge users to always use HTTPS, to make sure that circumvention providers themselves can't spy on users. You can read more about this issue at

It's good to get in the habit of using HTTPS whenever possible, even when using some other method for circumvention.

Tips for using HTTPS

If you like to bookmark sites that you access frequently so that you don't have to type in the full site address, remember to bookmark the secure version of each site instead of the insecure version. In Firefox, you can install the HTTPS Everywhere extension to turn on HTTPS automatically whenever you visit a site that's known to offer HTTPS. It is available from or can be installed from Firefox Tools > Add-ons > Search all add-ons. For more information about this extension please refer to the chapter on Firefox and HTTPS Everywhere.

Risks when not using HTTPS

When you don't use HTTPS, a network operator, such as your ISP or a national firewall operator, can record everything you do, including the contents of the specific pages that you access. They can use this information to block particular pages or to create records that might be used against you later on. They can also modify the contents of Web pages to delete certain information or to add malicious software to spy on you or infect your computer. In many cases, other users of the same network can also do these things even if they aren't officially the network operator.

In 2010, some of these problems were dramatized by a program called Firesheep, which makes it extremely easy for users on a network to take over other users' social networking site accounts. Firesheep works because, at the time it was created, these social networking sites were not commonly using HTTPS, or were using it in a limited way to protect only some portions of their sites. This demonstration created a lot of attention in international media, and also led more sites to require the use of HTTPS or to offer HTTPS access as an option. It also allowed technically unskilled people to abuse others by breaking into their accounts. In January 2011, during a period of political unrest in Tunisia, the Tunisian government began tampering with users' connections to Facebook in a way that allowed the government to steal users' passwords. This was done by modifying the Facebook login page and invisibly adding software that sent a copy of the user's Facebook password to the authorities. Such modifications are technically straightforward to perform and could be done by any network operator at any time. As far as we know, Tunisian Facebook users who were using HTTPS were totally protected from this attack.

Risks when using HTTPS

When it's available, using HTTPS is almost always safer than using HTTP. Even if something goes wrong, it shouldn't make your communications any easier to spy on or filter. So it makes sense to try to use HTTPS where you can (but be aware that, in principle, using encryption could be restricted by law in some countries). However, there are some ways that HTTPS might not provide complete protection.

Certificate warnings

Sometimes, when you try to access a Web site over HTTPS, your Web browser will show you a warning message describing a problem with the site's digital certificate. The certificate is what lets the browser verify that it is talking to the real site and not to someone in between. These warning messages exist to protect you against attacks; please don't ignore them. If you ignore or bypass certificate warnings, you may still be able to use a site, but you limit the ability of HTTPS to protect your communications: an attacker who can present a certificate of their own can then read and alter everything, so your access to the site becomes no more secure than an ordinary HTTP connection. If you encounter a certificate warning, you should report it by e-mail to the webmaster of the site you were trying to access, to encourage the site to fix the problem. If you're using an HTTPS site set up by an individual, such as some kinds of Web proxy, you might receive a certificate error because the certificate is self-signed, meaning that your browser has no basis for determining whether or not the communication is being intercepted. For some such sites you might have no alternative but to accept the self-signed certificate if you want to use the site. However, you could try to confirm via another channel, like e-mail or instant messaging, that the certificate is the one you should expect (by comparing its fingerprint with the one the site operator gives you), or see whether it looks the same when using a different Internet connection from a different computer. Please refer to the chapter on certificate verification.

Mixed content

A single Web page is usually made up of many different elements, which can come from different places and be transferred separately from one another. Sometimes a site will use HTTPS for some of the elements of a Web page but insecure HTTP for the others. For example, a site might allow only HTTP for accessing certain images. As of February 2011, Wikipedia's secure site has this problem: although the text of Wikipedia pages can be loaded using HTTPS, all of the images are loaded using HTTP, so particular images can be identified and blocked, or used to determine which Wikipedia page a user is reading.
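The check below is an added example, not code from the original manual: it parses the HTML of a page loaded over HTTPS and lists every sub-resource (image, script, stylesheet, frame, media) that the browser would fetch over plain http://, which is exactly what a filter can still see and block in the Wikipedia case above. It uses only the Python standard library; the page in SAMPLE_PAGE and all host names in it are constructed for the demonstration, not taken from a real site.

```python
"""Report the parts of an HTTPS page that are fetched over plain HTTP (mixed content)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page pulls in sub-resources. Plain links (<a href>)
# are deliberately absent: following one is navigation, not part of loading the page.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}


class MixedContentFinder(HTMLParser):
    """Collects (tag, absolute URL) for every sub-resource whose final scheme is http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in RESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":   # "url1 1x, url2 2x": keep only the URLs
                refs = [entry.split()[0] for entry in value.split(",") if entry.strip()]
            else:
                refs = [value]
            for ref in refs:
                # urljoin resolves relative paths and scheme-relative "//host/..." refs
                # against the page URL, so only explicit http:// references stay http.
                absolute = urljoin(self.page_url, ref.strip())
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(tag, url), ...] of insecure sub-resources; an empty list means the page is clean."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only meaningful for a page loaded over https://")
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.insecure


# Constructed page (not a real site) modelled on the Wikipedia case described above:
# HTTPS text, a stylesheet and a logo that resolve to HTTPS, but a script and one image on HTTP.
SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example.net/analytics.js"></script>
</head><body>
<img src="//img.example.org/logo.png" alt="logo">
<img src="http://upload.example.org/photo.jpg" alt="photo">
<a href="http://example.org/about">about</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://en.example.org/wiki/Page", SAMPLE_PAGE):
        print("insecure %s: %s" % (tag, url))
```

Run against the sample page it reports the analytics script and the photo; the stylesheet and the scheme-relative logo are fetched over HTTPS and pass. Feeding it the HTML of a real page you saved from an https:// address shows the same thing a browser's "mixed content" warning hides in a single icon.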

Redirection to insecure HTTP version of a site

Some sites use HTTPS in a limited way and will force users back to insecure HTTP access even after the user initially used HTTPS access. For example, some sites use HTTPS for login pages, where users enter their account information, but then HTTP for other pages after the user has logged in. This kind of configuration leaves users vulnerable to surveillance. You should be aware that, if you get sent back to an insecure page during the course of using a site, you no longer have the protections of HTTPS.
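The two problems just described, the Firesheep-style capture of session cookies on a plain HTTP network and the redirect back to HTTP after an HTTPS login, are the same problem seen from two sides: the login sets a session cookie, and if that cookie is not marked Secure the browser will send it on the very next http:// page, where anyone on the network can read it. The checker below is an added example, not part of the original manual or of any site's code, and uses only the Python standard library; LOGIN_RESPONSE is a constructed login response with placeholder cookie names and values, not captured from a real site.

```python
"""Check whether a login over HTTPS leaves the session exposed to plain HTTP."""
from http import cookies
from urllib.parse import urljoin, urlsplit


def is_downgrade(current_url, location):
    """True if following the Location header moves from https:// to http://."""
    target = urljoin(current_url, location)          # Location may be relative
    return urlsplit(current_url).scheme == "https" and urlsplit(target).scheme == "http"


def exposed_cookies(set_cookie_headers):
    """Names of cookies the browser would also send over plain HTTP.

    A cookie without the Secure attribute is attached to every request for the
    host, encrypted or not; one http:// page after login is enough to leak it,
    which is exactly what Firesheep collected from the wire."""
    exposed = []
    for header in set_cookie_headers:
        jar = cookies.SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if not morsel["secure"]:
                exposed.append(name)
    return exposed


def audit_login_response(response_url, headers):
    """headers: list of (name, value) pairs from the login response. Returns findings."""
    findings = []
    set_cookies = [value for name, value in headers if name.lower() == "set-cookie"]
    for cookie_name in exposed_cookies(set_cookies):
        findings.append("cookie %r lacks Secure and will be sent in the clear" % cookie_name)
    for name, value in headers:
        if name.lower() == "location" and is_downgrade(response_url, value):
            findings.append("redirect to %s downgrades the session to HTTP" % urljoin(response_url, value))
    return findings


# Constructed response to a login at https://www.example.com/login (not captured
# from a real site; cookie names and values are placeholders).
LOGIN_RESPONSE = [
    ("Set-Cookie", "sessionid=7d9f3a2c; Path=/; HttpOnly"),
    ("Set-Cookie", "csrftoken=0c1b2a3d; Path=/; Secure"),
    ("Location", "http://www.example.com/home"),
]

if __name__ == "__main__":
    for finding in audit_login_response("https://www.example.com/login", LOGIN_RESPONSE):
        print(finding)
```

For the constructed response it reports two findings: the session cookie lacks Secure, and the redirect sends the browser to http://, so the cookie goes out in the clear on the very first page after login. A site is only safe from this if its session cookie carries Secure and every page after login stays on HTTPS; HTTPS Everywhere can keep you on the secure version, but it cannot add the Secure flag the site forgot.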

Networks and firewalls blocking HTTPS

Because of the way HTTPS hinders monitoring and blocking, some networks will completely block HTTPS access to particular Web sites, or even block the use of HTTPS altogether. In that case, you may be limited to using insecure access to those sites while on those networks. You might find that you're unable to access a site because of blocking of HTTPS. If you use HTTPS Everywhere or certain similar software, you may not be able to use some sites at all, because this software does not permit an insecure connection. If your network blocks HTTPS, you should assume that the network operator can see and record all of your Web browsing activities on the network. In that case, you may want to explore other circumvention techniques, particularly those that provide other forms of encryption, such as VPNs and SSH proxies.

Using HTTPS from an insecure computer

HTTPS only protects the contents of your communications while they travel over the Internet. It doesn't protect your computer or the contents of your screen or hard drive. If the computer you use is shared or otherwise insecure, it could contain monitoring or spying software, or censorship software that records or blocks sensitive keywords. In that case the protection offered by HTTPS could be less relevant, since monitoring and censorship could happen within your computer itself, instead of at a network firewall.

Vulnerability of HTTPS certificate system

There are problems with the certificate authority system, also called the public-key infrastructure (PKI), used to authenticate HTTPS connections. Any of the hundreds of certificate authorities trusted by your browser can issue a certificate for any site, so a sophisticated attacker who obtains such a certificate, by compromising or pressuring an authority, can intercept your connection without your browser displaying a warning. This is no longer hypothetical: in March 2011 an attacker widely attributed to Iran obtained fraudulent certificates through a Comodo reseller for Google, Gmail, Yahoo, Skype, Windows Live and the Mozilla add-ons site, and later that year the Dutch authority DigiNotar was compromised and its certificates used to intercept Iranian users. This is not a reason to avoid using HTTPS, since even in the worst case the HTTPS connection would be no less secure than an HTTP connection.
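Both the self-signed-certificate case under "Certificate warnings" and the fraudulent-CA case just described have the same practical answer: check the certificate the server actually presents against a fingerprint you obtained through a channel the network operator does not control (an e-mail, a chat message, or the same site seen from another country), rather than relying on the browser's list of authorities. The code below is an added example, not from the original manual, and uses only the Python standard library. The DER bytes in the demonstration are constructed filler rather than a real certificate, and proxy.example.net and the fingerprint in __main__ are placeholders for the operator's host and the fingerprint they sent you.

```python
"""Pin a site's certificate by a fingerprint obtained through another channel."""
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, in the AA:BB:... form browsers show."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Accept the fingerprint however it arrived (colons, spaces, lower case) for comparison."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def matches_pin(der_cert, expected_fp):
    """Compare the served certificate with the pinned fingerprint in constant time."""
    return hmac.compare_digest(normalize(fingerprint(der_cert)), normalize(expected_fp))


def fetch_served_certificate(host, port=443, timeout=5.0):
    """Return the DER certificate the server presents, without consulting the CA system.

    Verification is switched off here only so that we can see what was served;
    the trust decision is then made by matches_pin(), not by any certificate authority."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(host, expected_fp, port=443):
    """(True/False, fingerprint actually served): False means stop and ask the operator."""
    der = fetch_served_certificate(host, port)
    return matches_pin(der, expected_fp), fingerprint(der)


if __name__ == "__main__":
    # Placeholders: the proxy operator's host and the fingerprint they sent you by
    # e-mail or instant messaging. Never copy a fingerprint out of the warning itself.
    pinned = ("00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:"
              "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF")
    ok, served = check_pin("proxy.example.net", pinned)
    print("pin matches" if ok else "MISMATCH, server presented %s" % served)
```

A mismatch is not something to click through: it means the certificate you are being shown is not the one the operator uses, which is precisely what an intercepting network or a fraudulently issued certificate looks like. The same fingerprint is what your browser displays in its certificate dialog, so you can also compare it by eye on a shared computer where you cannot run code.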

Simple Tricks to bypass censorship

There are a number of techniques to get past Internet filtering. If your aim is simply to reach pages or services on the Internet that are blocked from your location, and you are not concerned whether other people can detect and monitor your circumvention, these techniques may be all you need:

using HTTPS
using alternative domain names or URLs to reach blocked content
using third-party Web sites to reach blocked content
using e-mail gateways to retrieve blocked Web pages over e-mail

Using HTTPS

HTTPS is the secure version of the HTTP protocol used to access Web sites. In certain countries, and if the site you want to see has enabled HTTPS, just entering its address (URL) beginning with https:// instead of http:// may allow you to access the site, even when the http:// URL is blocked. For instance has been blocked in Burma, whereas has been accessible. Before trying any other circumvention tool or technique, try adding an "s" after "http" in the URL of your target site if the http:// URL has been blocked. If this works, not only will you reach the target site, but the traffic between you and the site will also be encrypted. This defeats filters that match keywords or URLs inside the page request, which the encryption hides; a filter that blocks the site's name or IP address altogether will block the HTTPS version too.
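The "add an s" trick, and the advice in the HTTPS chapter that certain errors point to tampering rather than to a site simply lacking HTTPS, can be turned into a small probe. The code below is an added example, not from the original manual, and uses only the Python standard library: https_url() rewrites an http:// address, probe_https() attempts a fully verified TLS handshake, and classify_error() says what each kind of failure most likely means. www.example.com in __main__ is a placeholder for the blocked site.

```python
"""Probe whether a site answers on HTTPS and say what a failure most likely means."""
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit

# Verdicts. The mapping follows the text: a refused connection means the site
# simply runs no HTTPS listener, while a certificate or handshake failure on a
# site known to offer HTTPS points at something on the path interfering.
OK = "HTTPS available, certificate verified"
NO_LISTENER = "connection refused: the site probably has no https:// version"
TIMEOUT = "no answer: port 443 may be blocked or packets silently dropped"
RESET = "connection reset: an in-path device may be killing the connection"
CERT_PROBLEM = "certificate failed verification: possible interception"
TLS_ERROR = "TLS handshake failed: possible tampering (or an outdated server)"


def https_url(url):
    """The 'add an s' trick: http://host/path -> https://host/path; anything else unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def classify_error(exc):
    """Map the exception raised while connecting to one of the verdicts above."""
    if isinstance(exc, ssl.SSLCertVerificationError):   # subclass of SSLError: test it first
        return CERT_PROBLEM
    if isinstance(exc, ssl.SSLError):
        return TLS_ERROR
    if isinstance(exc, ConnectionRefusedError):
        return NO_LISTENER
    if isinstance(exc, ConnectionResetError):
        return RESET
    if isinstance(exc, socket.timeout):
        return TIMEOUT
    return "other error: %r" % (exc,)


def probe_https(host, port=443, timeout=5.0):
    """Attempt a fully verified TLS handshake; return (verdict, certificate subject CN or None)."""
    ctx = ssl.create_default_context()       # checks the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(pair[0] for pair in tls.getpeercert().get("subject", ()))
                return OK, subject.get("commonName")
    except (OSError, ssl.SSLError) as exc:   # keep scanning a list of hosts instead of crashing
        return classify_error(exc), None


if __name__ == "__main__":
    # Placeholder host: replace with the site whose http:// address is blocked.
    print(https_url("http://www.example.com/"), *probe_https("www.example.com"))
```

Read the verdict together with what you know: NO_LISTENER on a site that has never offered HTTPS is just that, while CERT_PROBLEM or TLS_ERROR on a site that works over HTTPS from another connection is the signature of the interference described in the HTTPS chapter, and the right reaction is to stop, not to click past the warning.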

For extra details on this technique, read the chapters "Confidentiality and HTTPS" and "HTTPS Everywhere".

Using alternate domain names or URLs

One of the most common ways to censor a Web site is to block access to its domain name, for example "". However, sites are often accessible at other domain names, such as "". If one domain name is blocked, try to find out if the content is available at another domain. You could also try to access the special versions that some Web sites create for smartphones. These are often the same URL with "m" or "mobile" added at the beginning, for example: (Gmail) or

Using third-party sites

There are a number of different ways you can reach the content of a Web page by going through a third-party Web site rather than directly to the source Web site.

Cached Pages

Many search engines keep copies of Web pages they have previously indexed, called cached pages. When searching for a Web site, look for a small link labeled "Cached" next to your search results. Since you are retrieving a copy of the blocked page from the search engine's servers, and not from the blocked Web site itself, you may be able to access the blocked content. However, some countries have targeted caching services for blocking as well. In Google's current layout the "Cached" link appears when you move your cursor over a result's preview, and the cached copy is shown on the right.

RSS Aggregators

RSS aggregators are Web sites that allow you to subscribe to and read RSS feeds, which are streams of news or other information put out by sites you have chosen. (RSS stands for "Really Simple Syndication"; for more on how to use it, see .) An RSS aggregator connects to Web sites, downloads the feeds that you have selected, and displays them. Since it is the aggregator connecting to the Web sites, and not you, you may be able to access sites that would otherwise be blocked. This technique works only for Web sites that publish RSS feeds of their content, of course, and therefore is most useful for blogs and news sites. There are a lot of free online RSS aggregators available; some of the most popular include Google Reader, Bloglines and FriendFeed. Below is an example of Google Reader displaying the news:

Translators

There are many language translation services available on the Internet, often provided by search engines. If you access a Web site through a translation service, the translation service is accessing the blocked site, not you. This allows you to read the blocked content translated into a number of different languages. You can use the translation service to bypass blocking even if you don't actually need to translate the text: choose translation from a language that does not appear on the original Web site into the original language. For example, to use a translation service to view an English-language Web site, choose translation from Chinese to English. The translation service translates only the Chinese sections (there are none) and leaves the English sections (which is the whole Web page) untranslated. Popular translation services include and . The example below illustrates the three steps necessary to view a page in Babelfish. First, enter the URL of the Web site you wish to visit:

Next, choose the language you wish to read the Web site in. In this example, we tell Babelfish to translate from Korean to English. Since there is no Korean text, the page will remain untranslated.

When you have chosen the language, click "Translate" and the page displays. Of course this requires that the translator site itself is accessible, which is not always the case because some blocking authorities are aware of the potential use of translators for circumvention. For instance is not accessible in Saudi Arabia, according to

Low-Bandwidth Filters

Low-bandwidth filters are Web services designed to make browsing the Web easier in places where connection speeds are slow. They remove or reduce images, remove advertisements, and otherwise compress the Web site so that it uses less data and downloads faster. But, as with translation and aggregation services, you can also use low-bandwidth filters to bypass simple Web site blocking, because it is the filter's server, rather than your computer, that fetches the Web site. One useful low-bandwidth filter is at

Web archive

The Internet Archive's Wayback Machine allows users to see archived versions of Web pages from the past. Millions of Web sites and their associated data (images, source code, documents, etc.) are saved in a gigantic database. Not all Web sites are available, however, because many Web site owners choose to exclude their sites; also, snapshots usually take a long time to be added.

Using e-mail services

E-mail and Web mail services can be used to share documents with groups of friends or colleagues, and even to browse the Web.

Accessing Web pages through e-mail

Similar to low-bandwidth filters, there are services intended for people with slow or unreliable Internet connections that let you request a Web page via e-mail. The service sends a reply e-mail that includes the requested Web page either in the body of the message or as an attachment. These services can be quite cumbersome to use, since they require you to send a separate request for one or more Web pages and then wait for the reply, but in certain situations they can be very effective at reaching blocked Web pages, especially if you use them from a secure Web mail service.

Web2mail

One such service is . To use it, send an e-mail message to with the Web address (URL) of the Web page you want in the subject line. You can also perform simple Web searches by typing searches into the subject line. For example, you can search for censorship circumvention tools by typing "search censorship circumvention tools" in the subject line of an e-mail message and sending it to . Because the page comes back as ordinary e-mail text, this method is still exposed to content filtering of your e-mail, which is why a Web mail service reached over HTTPS is the safer way to use it.

EmailTheWeb

Another service of the same kind is EmailTheWeb, which allows you to e-mail any Web page to anyone, including yourself. To send a Web page by e-mail you will need to register on the site or to use your Gmail account. The free service allows you to send up to 25 pages per day. Like Web2mail, it is exposed to content filtering of your e-mail. You can find more information and support on this topic on the ACCMAIL mailing list. To subscribe, send an e-mail with "SUBSCRIBE ACCMAIL" in the body to

WEB2PDFCONVERT

To receive any Web site in your e-mail as a PDF document, send a message to SUBMIT@WEB2PDFCONVERT.COM with the URL you want to retrieve in the subject or body of the message, leaving the rest of the message blank. You should receive a copy of the requested Web site in your inbox within a few minutes.

RSS to e-mail

Some platforms offer a similar Web-to-e-mail service but with a focus on RSS feeds rather than on simple Web pages.

FoE (Feed over Email) is another interesting project of the same kind, created by Sho Sing Ho from the Broadcasting Board of Governors. Technically, FoE is built on top of SMTP and works with most e-mail servers as long as the user has access to POP3 and SMTP. That allows users to receive RSS feeds from foreign Web sites without the need to find a working proxy server or install any proxy software. This project is still under development. The progress of FoE can be followed here:

Using Web mail to share documents

If you are trying to share documents online but want to control who can see them, you can keep them in a private space where they are visible only to those with the correct password. A simple way to share documents among a small group of friends or colleagues is to use a single Web mail account with an online e-mail provider, such as Gmail, and to share the user name and password with those who need to access the documents. Since most Web mail providers are free, it is easy to switch to a new account at intervals, making it harder for anyone outside the group to keep track of what you are doing. A list of free online e-mail providers is located at

Using IP address

If only the domain name of a site is blocked, you can sometimes reach it by typing its IP address instead of its name. To obtain the IP address of a Web site on Windows: go to Start > Run, type cmd and press Enter (or open Accessories > Command Prompt). In the black window type ping followed by the site's name, for example "ping " and press Enter. The reply shows the site's IP address in square brackets after its name. Now open a new browser window, type that IP address in the address bar and press Enter; you are now viewing the site by its IP address. This works for some sites but not for all: many servers host several sites on one address and pick the site from the name the browser sends, and an HTTPS site's certificate is issued for its name, not its address, so the browser will warn that the two do not match.
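The reason the IP-address trick fails on many sites is that the browser, when given a bare address, sends that address in the Host header, and a server hosting several sites on one address then cannot tell which site you want. The code below is an added example, not from the original manual, and uses only the Python standard library: it does the name-to-address step without ping, and then connects to the address while still sending the site's name, for plain HTTP in the Host header and for HTTPS also in the TLS handshake so that the certificate is checked against the name rather than the address. 203.0.113.10 is a documentation address and www.example.com a placeholder for the blocked site; neither is a real server.

```python
"""Reach a site by its IP address when only its name is blocked, keeping the name in the request."""
import http.client
import socket
import ssl


def resolve_all(hostname):
    """Every address the local resolver gives for hostname (the 'ping' step, without ICMP)."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def build_request(ip, hostname, path="/"):
    """Raw HTTP/1.1 request bytes for the server at ip.

    The Host header carries the site's name: a server that hosts several sites on
    one address picks the site from this header, which is why a browser pointed at
    the bare address (it then sends Host: <ip>) often gets the wrong site or an error."""
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, hostname)).encode("ascii")


def fetch_by_ip(ip, hostname, path="/", timeout=10):
    """Plain HTTP: connect to the address, ask for the named site; returns (status, body)."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def fetch_https_by_ip(ip, hostname, path="/", timeout=10):
    """HTTPS: the TCP connection goes to ip, but SNI and the certificate check use hostname."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((ip, 443), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=hostname)   # verified against the name, not the IP
    conn = http.client.HTTPSConnection(hostname, timeout=timeout)
    conn.sock = tls                                        # hand over the socket we already opened
    try:
        conn.request("GET", path)                          # Host header defaults to hostname
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholders (TEST-NET address, not a real server); the name is the blocked site.
    print(build_request("203.0.113.10", "www.example.com", "/").decode())
```

This only helps when the blocking is done on the name (DNS tampering or URL matching); if the address itself is on the block list, connecting to it directly fails just the same. Note also that resolve_all() asks your local resolver, which in a censored network may itself return a wrong address, so compare its answer with what ping gives you from an uncensored connection.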

Advantages and Risks

These simple techniques are quick and easy to use; you can try them with minimal effort. Many of them will work at least some of the time in many situations. However, they are also easy to detect and block. Since most of them do not encrypt or otherwise hide your communications, they are also vulnerable to keyword-based blocking and monitoring.

Use either very old or very new technology
Sometimes a censor's filtering and monitoring techniques are only applied to current standard Internet protocols and services, so consider using very old or very recent technology that may not be blocked or monitored. Before the advent of instant messaging (IM) software (Windows Live Messenger, AIM, etc.), group communication was performed using Internet Relay Chat (IRC), a protocol that allows real-time Internet text messaging. Although less popular than its successors, IRC still exists and is still widely used by a big community of Internet users. A bulletin board system (BBS) is a computer running software that allows users to connect, upload and download software as well as other data, read news, and exchange messages with other users. Originally users would call a telephone number using their modems to access these systems, but by the early 1990s some bulletin board systems also allowed access over Internet interactive text protocols, such as Telnet and, later, SSH. Bear in mind that IRC and Telnet carry their text in the clear: they may escape blocking, but they do not escape monitoring unless you reach them through SSH or another encrypted tunnel. In this regard, new technologies enjoy many of the same benefits as old technologies, as they are used by limited numbers of users and therefore are less subject to censorship. The new Internet protocol IPv6, for example, is already deployed by some ISPs in some countries, and usually it is not filtered.

Alternative uses for Web services

Many Internet users whose connections are censored have started using Web services in ways different from those for which they were initially designed. For example, users have employed the chat capabilities of some video games to discuss sensitive matters that would otherwise be detected in common chat rooms. Another technique is to share a single e-mail account and save the conversation in the "Drafts" folder, to avoid sending any e-mail over the Internet. Online backup services such as and have been used by activists to distribute and share documents, as well as other kinds of data. Any other file sharing Web site with a free account can be used in the same way: log in and leave your messages for a friend, either by passing on a sharing link or by sharing the same user name and password. Some of these sites offer desktop clients as well; when logging in to the Web site directly is hard, these clients may still work. Among them is Mega Manager from . Services that are intended for translation, caching or formatting have been used as simple proxies to bypass Internet censorship. Prominent examples are Google Translate, Google Cache and . There are also many creative applications, such as (takes screenshots of Web sites), (creates a PDF from a Web site), (creates a PNG image from a URL), and (creates easy-to-read documents for e-book readers, such as Nook and Kindle).

Any communication channel could be a circumvention channel
If you have any kind of communication channel with a co-operative person or computer outside of the censorship you're experiencing, you should be able to turn it into a means of circumventing censorship. As mentioned above, people have already used video game chat to bypass censorship because censors often didn't think to monitor or censor it or to block access to popular video games. In games that allow players to create sophisticated in-world objects, people have discussed the idea of creating in-world computers, TV screens, or other devices that players could use to get uncensored access to blocked resources. People have also suggested the idea of disguising information within social networking site profiles. For example, one person could put the address of a Web site he wanted to access in a disguised form inside his social networking site profile. A friend with uncensored access would then create an image of the contents of that site as a graphics file and post that in a different profile. This process could be automated by software so that it happens quickly and automatically, rather than requiring human beings to do the work. With the help of computer programming, even a channel that simply allows a small amount of numeric or textual information to flow back and forth can be converted into a communications channel for a Web proxy. (When a channel hides the existence of some kind of communication entirely, it's called a covert channel.) For example, programmers have created IP-over-DNS or HTTP-over-DNS proxy applications to circumvent firewalls using the Domain Name System (DNS). An example is the iodine software at . You can also read documentation for similar software at and . With these applications, a request to access something is disguised as a request to look up the addresses of a large number of unrelated sites. The content of the information requested is then disguised as the content of the replies to these requests.
Many firewalls are not configured to block this kind of communication, because the DNS system was never intended to be used to carry end-user communications rather than basic directory information about sites' locations. Many clever applications that use covert channels for circumvention are possible, and this is an area of ongoing research and discussion. To be useful, these require a dedicated server elsewhere, and the software at both ends must be set up by technically sophisticated users.
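Firewall and resolver operators who do want to notice this kind of traffic generally look at the shape of the queries rather than their content, which is why the authors note that technically sophisticated set-up is needed at both ends. The following is an added example, not code from this book or from the iodine project: it runs a few simple heuristics (many queries from one client to one zone, unusually long labels, high character entropy in the part of the name in front of the zone, and payload-carrying record types) over a constructed DNS query log. The client addresses, domain names, log format and thresholds are all placeholders chosen for the illustration, not tuned values.

```python
"""Spotting IP-over-DNS style tunnels from the resolver's or firewall's point of view.

Added example; not code from the book or from any tunnelling project.
The log lines, domains, client addresses and thresholds are constructed
placeholders for this illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample log, one query per line: "<client> <qtype> <qname>".
# 10.0.0.5 does ordinary lookups; 10.0.0.9 pushes data through a tunnel zone.
SAMPLE_LOG = """\
10.0.0.5 A www.example.org
10.0.0.5 A cdn.example.org
10.0.0.9 TXT 7f3a9c1e5b8d2k4m6p0q9r3s7t1u5v8w2x4y6z.0a1b.t.example-tunnel.test
10.0.0.9 TXT q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6j7k8l9.0a1c.t.example-tunnel.test
10.0.0.9 NULL z9x8c7v6b5n4m3l2k1j0h9g8f7d6s5a4p3o2i1.0a1d.t.example-tunnel.test
10.0.0.9 TXT m4n3b2v1c0x9z8a7s6d5f4g3h2j1k0l9p8o7i6.0a1e.t.example-tunnel.test
10.0.0.9 TXT t5r4e3w2q1y6u7i8o9p0g1f2d3s4a5h6j7k8l9.0a1f.t.example-tunnel.test
10.0.0.5 A mail.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")
# Record types whose answers can carry large, opaque payloads.
PAYLOAD_QTYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Average bits per character of s; 0.0 for an empty string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_zone(qname: str, levels: int = 2) -> str:
    """Rightmost labels of a name; a crude stand-in for a public-suffix lookup."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])


def parse_log(text: str):
    """Yield (client, qtype, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            client, qtype, qname = m.groups()
            yield client, qtype.upper(), qname.lower()


def score_zones(text: str, min_queries: int = 3, max_label: int = 30,
                min_entropy: float = 3.0):
    """Return {(client, zone): [reasons]} for client/zone pairs that look like tunnels.

    A pair is reported only when at least two independent heuristics fire, so a
    CDN hostname with a single long hashed label does not show up on its own.
    """
    per_pair = defaultdict(list)
    for client, qtype, qname in parse_log(text):
        per_pair[(client, registered_zone(qname))].append((qtype, qname))

    findings = {}
    for (client, zone), queries in per_pair.items():
        if len(queries) < min_queries:
            continue
        # The part in front of the zone is where a tunnel encodes its payload.
        subdomains = [qname[: -len(zone) - 1] for _, qname in queries]
        longest = max(len(lbl) for sub in subdomains for lbl in sub.split("."))
        avg_entropy = sum(shannon_entropy(sub.replace(".", ""))
                          for sub in subdomains) / len(subdomains)
        payload_share = sum(1 for qtype, _ in queries
                            if qtype in PAYLOAD_QTYPES) / len(queries)

        reasons = []
        if longest > max_label:
            reasons.append(f"labels up to {longest} characters")
        if avg_entropy >= min_entropy:
            reasons.append(f"mean subdomain entropy {avg_entropy:.2f} bits/char")
        if payload_share >= 0.5:
            reasons.append(f"{payload_share:.0%} payload-type queries")
        if len(reasons) >= 2:
            findings[(client, zone)] = reasons
    return findings


if __name__ == "__main__":
    for (client, zone), reasons in score_zones(SAMPLE_LOG).items():
        print(f"{client} -> {zone}: " + "; ".join(reasons))
```

Run on the constructed log, only the 10.0.0.9 / example-tunnel.test pair is reported, with all three reasons; the ordinary lookups from 10.0.0.5 pass every test. The same heuristics also explain the authors' remark that these tools need care at both ends: the more a tunnel tries to look like ordinary traffic (short labels, A records, low query rate), the less data it can carry.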

Web Proxies
A proxy allows you to retrieve a Web site or other Internet resource even when direct access to that resource is blocked from your location. There are many different kinds of proxies, including:

- Web proxies, which only require that you know the proxy Web site's address. A Web proxy URL may look like .
- HTTP proxies, which require that you or a piece of software modify your browser settings. HTTP proxies only work for Web content. You may get the information about an HTTP proxy in the format or "".
- SOCKS proxies, which also require that you or a piece of software modify your browser settings. SOCKS proxies work for many different Internet applications, including e-mail and instant messaging tools. The SOCKS proxy information looks just like HTTP proxy information.

A Web proxy is like a browser embedded inside a Web page, and typically features a small form where you can submit the URL of the Web site that you want to access. The proxy then shows you the page, without requiring that you connect to it directly. When using a Web proxy, you do not have to install software or change settings on your computer, which means that you can use a Web proxy from any computer, including those at Internet cafés. Simply enter the URL of the Web proxy into your browser, enter the destination URL you wish to visit into the Web proxy, and press Enter or click the submit button. Once you are viewing a page through a Web proxy, you should be able to use your browser's forward and back buttons, click on links and submit forms without losing your proxied connection to the filtered site. This is because your proxy has rewritten all of the links on that page so that they now tell your browser to request the destination resources through the proxy. Given the complexity of today's Web sites, however, this can be a difficult task. As a result, you might find that some pages, links or forms "break out" of the proxied connection. Typically, when this happens, the Web proxy's URL form will disappear from your browser window.
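The link rewriting described above is the whole trick, and also the source of the "break out" problem. The following is an added example, not code from this book or from CGIProxy, Glype or any other proxy project: it rewrites the href, src and action attributes of a fetched page so that every link points back at the proxy, resolving relative links against the page's own address first, and then lists the absolute URLs that survived rewriting (for instance inside a script), which are exactly the places where the browser will leave the proxy. The proxy address, the page URL and the HTML are constructed placeholders.

```python
"""Link rewriting, the trick that keeps a browser 'inside' a Web proxy.

Added example; not code from the book or from CGIProxy, Glype or any other
proxy project. The proxy address, page URL and HTML below are constructed
placeholders.
"""
import re
from urllib.parse import parse_qs, quote, urljoin, urlparse

PROXY_BASE = "https://proxy.example.test/browse.php"   # constructed placeholder

# href=, src= and action= attributes, quoted with ", with ', or unquoted.
ATTR_RE = re.compile(
    r"""\b(?P<attr>href|src|action)\s*=\s*(?P<q>["']?)(?P<url>[^"'\s>]+)(?P=q)""",
    re.IGNORECASE,
)
# Values the proxy must leave alone; they are never fetched from the network.
LOCAL_PREFIXES = ("javascript:", "#", "data:", "mailto:")


def proxied(url: str) -> str:
    """Wrap a destination URL so the browser asks the proxy for it."""
    return f"{PROXY_BASE}?u={quote(url, safe='')}"


def unproxied(proxy_url: str) -> str:
    """Inverse of proxied(): the destination the proxy was asked to fetch."""
    return parse_qs(urlparse(proxy_url).query)["u"][0]


def rewrite_page(html: str, page_url: str) -> str:
    """Rewrite every link attribute on a fetched page to point back at the proxy.

    Relative links are resolved against page_url first: once the page is served
    from the proxy's origin, a bare '/news/1' would otherwise be requested from
    the proxy host itself.
    """
    def repl(m):
        url = m.group("url")
        if url.lower().startswith(LOCAL_PREFIXES):
            return m.group(0)
        q = m.group("q") or '"'
        return f"{m.group('attr')}={q}{proxied(urljoin(page_url, url))}{q}"
    return ATTR_RE.sub(repl, html)


def unrewritten_targets(rewritten_html: str) -> list:
    """Absolute http(s) URLs still present after rewriting, e.g. inside scripts.

    Each of these is a place where the browser will 'break out' of the proxy
    and contact the destination site directly.
    """
    return [u for u in re.findall(r"https?://[^\s\"'<>]+", rewritten_html)
            if not u.startswith(PROXY_BASE)]


if __name__ == "__main__":
    # Constructed page: three ordinary links plus one URL built by a script.
    page = ('<a href="/news/1">story</a>'
            "<img src='http://cdn.example.test/a.png'>"
            '<form action=login>'
            '<script>window.location = "http://news.example.test/next";</script>')
    out = rewrite_page(page, "http://news.example.test/index.html")
    print(out)
    print("will break out of the proxy:", unrewritten_targets(out))
```

Attribute rewriting alone is enough for plain HTML pages; URLs assembled by JavaScript, inside CSS, or inside plug-in content (Flash, as the authors mention elsewhere) are not touched by this regular expression, which is why large script-driven sites are where Web proxies most often lose the user.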

How can I find a Web proxy?
You can find Web proxy URLs at sites such as , by signing up for a mailing list such as the one at , by following a country-specific Twitter feed, or simply by searching for "free Web proxy" in a search engine. lists thousands of free Web proxies.

Examples of Web proxy platforms include CGIProxy, PHProxy, Zelune, Glype, Psiphon, and Picidae. As mentioned above, these are not tools that you install on your own computer. They are server software that someone else must install on a computer that is connected to the Internet in a location that is not subject to filtering. All of these platforms provide the same basic functionality, but they look different and may have different strengths and weaknesses. Some are better at certain things, such as streaming videos or displaying complex Web sites accurately. Some Web proxies are private. These are usually accessible only to a small group of users known to the individual running the proxy or to customers who pay for the service. Private Web proxies have certain advantages. Specifically, they may be:

- more likely to remain undiscovered and therefore accessible
- less congested and therefore faster
- more trustworthy, assuming they are encrypted (see below) and run by someone you know.

Access may be restricted by requiring users to log in with a username and password or simply by preventing the proxy URL from appearing in public directories such as those described above. Web proxies are easy to use, but they have major disadvantages relative to other circumvention tools. As a result, people often use them as a temporary way to obtain and learn how to use more advanced tools, which must often be downloaded from Web sites that are themselves filtered. Similarly, access to a Web proxy can be useful when attempting to fix or replace another tool that has stopped working.

"It is a server that functions as a relay between the user and a destination Web site. It hides the IP address of the user's machine from the Web site and may provide encryption on the user side. Many organizations create their own anonymous proxy servers, and there are public access anonymous proxy servers on the Internet that can be used by anyone."

Web Proxy Lists

Note... I would suggest that you try to avoid web-based HTTP/CGI proxies. They are not serious tools for achieving anonymity, but are a great tool for accessing blocked content. Remember, requests are still sent to your ISP unencrypted and then on to the proxy server, which you may know very little about, and then out to the Internet. If we don't know anything about the host we're sending our data to, how can we be sure we can trust them? Services like HideMy*** can be seen as trustworthy, as they have a good track record in the business of anonymisation and proxies. I can only recommend 'elite' or 'highly anonymous' HTTP proxies as genuine solutions. Choose your proxy solution wisely.

Compatibility issues with Web proxies
Web proxies only work for Web traffic, so they can't be used for other Internet services such as e-mail or instant messaging. Many are also incompatible with complex Web sites like Facebook, streaming multimedia content on sites such as YouTube, and encrypted sites that are accessed through HTTPS. This latter restriction means that many Web proxies will be unable to help you reach filtered sites that require a login, such as Web-based e-mail services. Worse yet, some Web proxies cannot themselves be accessed through HTTPS. If you use such a proxy to log in to a destination site that is normally secure, you may be putting your sensitive information, including your password, at risk. Security issues like this are discussed in more detail below. With the notable exception of the HTTPS concerns described above, most Web proxy compatibility issues can be resolved by using the "mobile" or "basic HTML" version of the destination Web site, provided one is available. Unfortunately, relatively few sites offer this kind of simplified interface, and even fewer do so in a way that exposes all of the site's functionality. If a Web site does provide a mobile version, its URL will frequently begin with "m" instead of "www". Examples include , , and . You can sometimes find a link for the mobile or basic HTML version of a Web site among the small links toward the bottom of the site's main page.

Security risks with Web proxies
You should be aware of some of the risks associated with the use of Web proxies, particularly those operated by individuals or organizations you do not know. If you use a Web proxy simply to read a public Web site such as , your only real concerns are that:

- someone might learn that you are viewing a censored news source
- someone might learn which proxy you rely on to do so.

Furthermore, if your Web proxy is working properly, and if you access it through HTTPS, the former information should only be available to the administrator of the proxy itself. However, if you rely on an insecure HTTP connection or if your proxy malfunctions (or is poorly designed) this information will be revealed to anyone who might be monitoring your Internet connection. In fact, unencrypted Web proxies do not work at all in some countries, because they cannot circumvent filters that rely on keywords, rather than URLs or IP addresses, to block content. For some users, the risks above are not a major concern. However, they may become quite serious if you intend to use a Web proxy to access certain types of online resources, such as:

- sites that require you to log in with a password
- sites through which you intend to access sensitive information
- sites through which you intend to create or share content
- online commerce or Web banking sites
- sites that support HTTPS encryption themselves.

In such cases, you should avoid using insecure or untrusted Web proxies. In fact, you might want to avoid using a Web proxy altogether. While there is no guarantee that a more "advanced" tool will be more secure, the challenges that installable circumvention software must address in order to keep your traffic private are generally less complex than those faced by Web proxy software.

Obfuscation is not encryption
Some Web proxies, most notably those that lack support for HTTPS, use simple encoding schemes to circumvent poorly-configured domain name and keyword filters. One such scheme, called ROT-13, replaces each character with the one that lies 13 places ahead of it in the standard Latin alphabet. (See to try it out for yourself.) Using ROT-13, the URL becomes uggc://jjj.oop.pb.hx, which makes it unrecognizable to a very basic keyword filter. Proxy designers have found this trick useful even in countries where keyword filtering is not present, because Web proxies often include the target URL inside the actual URL that your browser sends to the proxy every time you click on a link or submit a new address. In other words, when using a proxy, your browser might request instead of just , but a domain name filter written to catch the latter would catch the former just as readily. , on the other hand, might slip through the filter. Unfortunately, character encoding schemes are not very reliable. After all, there is nothing to prevent a censor from adding "jjj.oop.pb.hx" to the blacklist along with "". (Or, better yet, she could add "uggc://" to the list, which would block all use of the proxy.) The important thing to remember about character encoding is that it does not protect your anonymity from third-party observers, who can still track the list of sites that you visit. And even if it is applied to the full text of the pages you view and the content you submit (rather than just to URLs), it still cannot provide confidentiality. If these things matter to you, restrict your use of Web proxies to those that support HTTPS. Don't forget that the proxy administrator can see everything. The advice above emphasizes the importance of HTTPS, both on the censored target site and on the proxy itself, when using a Web proxy to create or obtain sensitive information.
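To make the "obfuscation is not encryption" point concrete, here is an added example (not code from this book or from any proxy) that plays through both sides of the exchange: a proxy that hides the target URL with ROT-13, a very basic keyword filter that the trick gets past, the two trivial fixes a censor can apply (decode before matching, or simply add the encoded form to the blacklist), and a passive observer who reads the real destination straight off the wire. The hostname, the proxy path and the request format are constructed placeholders.

```python
"""Why ROT-13 style URL encoding hides nothing from a censor or an observer.

Added example; not code from the book or from any proxy software. The
blocked hostname, proxy path and request shape are constructed placeholders.
"""
import codecs

# Constructed blacklist entry a censor might use.
BLOCKLIST = {"blocked-news.example"}


def rot13(s: str) -> str:
    """ROT-13: letters move 13 places; digits and punctuation are unchanged."""
    return codecs.encode(s, "rot_13")


def naive_filter_blocks(request_line: str, blocklist) -> bool:
    """Keyword filter as a very basic censor might write it: literal substring match."""
    return any(word in request_line for word in blocklist)


def normalising_filter_blocks(request_line: str, blocklist) -> bool:
    """The same filter, but it also tries the ROT-13 decoding of the line."""
    candidates = (request_line, rot13(request_line))
    return any(word in c for word in blocklist for c in candidates)


def expanded_blocklist(blocklist):
    """The cheaper fix: add the encoded form of every entry to the list."""
    return set(blocklist) | {rot13(w) for w in blocklist}


def proxy_request(target_url: str) -> str:
    """Constructed shape of the request a browser sends to an obfuscating proxy."""
    return f"GET /browse.php?u={rot13(target_url)} HTTP/1.1"


def observer_recovers(request_line: str) -> str:
    """A passive observer on the path decodes the parameter and sees the real site."""
    param = request_line.split("?u=", 1)[1].split(" ", 1)[0]
    return rot13(param)


if __name__ == "__main__":
    target = "http://blocked-news.example/story"
    req = proxy_request(target)
    print("on the wire:        ", req)
    print("naive filter blocks:", naive_filter_blocks(req, BLOCKLIST))
    print("decoding filter:    ", normalising_filter_blocks(req, BLOCKLIST))
    print("expanded blacklist: ", naive_filter_blocks(req, expanded_blocklist(BLOCKLIST)))
    print("observer sees:      ", observer_recovers(req))
```

Because ROT-13 has no key, anything that can apply it once can apply it again: the censor's blacklist update is a one-line change, and the observer's view of your browsing is unchanged. Only the HTTPS connection to the proxy, which encrypts the whole request path including the encoded parameter, actually keeps the destination from the network; the proxy administrator, who decodes it to serve the page, still sees it.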
However, it is important to note that even when you access a secure site through a secure proxy, you are still putting a great deal of faith in whoever administers your Web proxy, as that individual or organization can read all of the traffic that you send or receive. This includes any passwords that you might have to submit in order to access the destination Web site. Even the more advanced circumvention tools, which tend to require that you install software on your computer, must rely on some kind of intermediary proxy in order to circumvent Web filters. However, all reputable tools of this kind are implemented in such a way as to protect the content of HTTPS Web traffic even from the circumvention services themselves. Unfortunately, this is not possible for Web proxies, which must rely more heavily on good old-fashioned trust. And trust is a complicated function that depends not only on a service administrator's willingness to protect your interests, but also on her logging and record-keeping policies, her technical competency, and the legal and regulatory environment in which she operates.

Anonymity risks with Web proxies
Tools designed to circumvent filtering do not necessarily provide anonymity, even those that might include words like "anonymizer" in their names! In general, anonymity is a much more elusive security property than basic confidentiality (preventing eavesdroppers from viewing the information that you exchange with a Web site). And, as discussed above, even to ensure basic confidentiality through a Web proxy requires, at the very least, that you:

- use an HTTPS Web proxy
- connect through that proxy to an HTTPS destination Web site
- trust the proxy administrator's intentions, policies, software and technical competence
- heed any browser warnings.

All of these conditions are also prerequisites for any degree of anonymity. If a third party can read the content of your traffic, he can easily connect your IP address with the list of specific Web sites that you visit. This is true even if, for example, you log in to those sites or post messages on them using a pseudonym. (Of course, the opposite is true, as well. Even a perfectly secure proxy can not protect your identity if you sign your name to a public post on the destination Web site!)

Advertising, viruses and malware
Some of the people who set up Web proxies do it to make money. They may do this simply and openly by selling advertisements on each proxied page, as in the example below. Or, a malicious proxy administrator might try to infect his users' computers with malware. These so-called "drive-by downloads" can hijack your computer for spamming or other commercial or even illegal purposes. The most important thing you can do to protect yourself against viruses and other malware is to keep all of your software updated, especially your operating system and your anti-virus scanner. You can also block ads by using the AdBlockPlus extension and some malicious content by using the NoScript extension. Both of these extensions are for the Firefox Web browser. You can find more information on avoiding the risks described above on the StopBadware Web site.

Cookies and scripts
There are also risks associated with the use of cookies and embedded scripts. Many Web proxies can be configured to remove cookies and scripts, but many sites (for example, social networking sites like Facebook and media streaming sites like YouTube) require them to work properly. Web sites and advertisers can use these mechanisms to track you, even when you use proxies, and to produce evidence that, for example, the person who did one thing openly is the same person who did another thing anonymously. Some cookies may be saved on your computer even after you restart it, so it might be a good idea to allow only selective use of cookies. In Firefox, for example, you can instruct the browser to accept cookies only "Until I close Firefox". (Similarly, you can instruct your browser to erase your browsing history when you close it.) Generally speaking, however, Web proxies are extremely limited in their ability to protect your identity from the Web sites that you access through them. If this is your goal, then you will have to be very careful how you configure your browser and proxy settings, and you might want to use a more advanced circumvention tool.

Helping others
If you are in a country with unrestricted Internet access and you are willing to help others get around censorship, you can install a Web proxy script on your own Web site (or even on your home computer), as discussed in the Helping Others section.

Installing Web Proxies
If you have access to a Web server in a country which is not censoring access to the Internet, you can install a Web proxy, which is a small program written in a programming language such as PHP, Perl, Python or ASP. Installation of Web-based circumvention software requires some technical expertise and resources (compatible Web hosting and sufficient bandwidth). If you want to install your own Web proxy, you need one of the following:

- Web hosting space with PHP support (which can be purchased for a few US dollars a year from hosting companies such as or , or provided by your school or university)
- a virtual (VPS) or dedicated server (which are more expensive and more complicated to use)
- a PC connected to a broadband connection (with a publicly routable IP address).

Public and private Web proxies
Public Web proxies are available to anyone able to search for them, on search engines such as Google for example. Public Web proxies and anonymity services may be found by users and by those authorities implementing filtering, so they are more vulnerable to blacklisting. The locations of private Web proxies are only known to the intended users. Therefore, private Web proxies are best suited for users who require stable circumvention services for Web traffic and have trusted contacts in non-filtered locations with sufficient technical skills and available bandwidth to set up and maintain the Web proxy. The chances of private Web proxies being detected and blocked are lower than those of public circumvention services. This is also the most flexible circumvention option available for simple Web traffic and is less likely to be discovered and blocked than a public Web proxy, particularly if it is used with SSL encryption.

Features of Web proxies
Web proxies can be set up with some level of customization tailored to the specific needs of the end user. Common customizations would include changing the port number that the Web server runs on and implementing encryption such as SSL. Since some blacklists may block keywords associated with popular proxy software, changing items like the default URL, the name of the script, or elements of the user interface can also reduce the risk of automated detection and blocking of the proxy. It is possible to protect the use of the Web proxy by enabling .htaccess with a username and a password.

When using SSL, it's also useful to create an innocuous Web page at the root of the Web server and conceal the Web proxy with a random path and file name. Although intermediaries may be able to determine the server you are connecting to, they will not be able to determine the requested path because that part of the request is encrypted. For example, if a user connects to , an intermediary will be able to determine that the user connected to , but they will not know that the user requested the Web proxy. If the Web proxy operator places an innocuous page at , then the Web proxy is less likely to be discovered by monitoring network transmissions. A valid SSL certificate which is trusted in all popular Web browsers is available for free at . There are several free open source Web proxies available on the Internet. The main differences are the programming languages they are written in, since not every Web server supports every programming language. The other big difference is the compatibility of the script with modern Web sites with technologies like AJAX (used by GMail or Facebook) or streaming Flash video (used by YouTube).

Popular free Web proxy programs include:

- CGIProxy: a CGI script written in the Perl programming language that acts as both an HTTP and an FTP proxy.
- Peacefire's Circumventor: an automated installer program that makes it much easier for non-technical users to install and configure CGIProxy on a Windows machine.
- SabzProxy: both an HTTP and an FTP proxy. It is based on the legacy code of PHProxy written in PHP with new features, such as random encoding of the URL, to make it harder to block.
- Glype Proxy: another free-to-use, Web-based proxy script, also written in PHP.

The sites of these Web proxies provide instructions on how to set them up. Basically, this involves downloading the script, extracting it on the local hard disk, uploading the script via FTP or SCP to your Web server, setting permissions and testing the script. The following example is for the installation of SabzProxy, but the steps are similar for other Web proxies.

Home page:
Psiphon is an open-source Web proxy platform that has changed quite a bit over the past few years. It differs from other proxy software (such as CGIProxy and Glype) in various ways, depending on how it is configured on the server. In general, Psiphon:

- is accessible through HTTPS
- supports access to HTTPS destination sites
- offers improved (though far from perfect) compatibility with a few complex Web sites, including YouTube
- may or may not require you to log in with a username and password
- allows you to register an e-mail address to receive new proxy URLs from the administrator in the event that your proxy is blocked
- allows you to invite others to use your proxy (assuming it is configured to require a password).

The current version of the Psiphon server software runs only on Linux, and is much more difficult to install and administer than most other proxies. It is designed primarily to facilitate the operation of a large scale, blocking-resistant circumvention service for those who lack the ability to install and use more advanced tools.

Psiphon development
Psiphon 1, the original version of the Web proxy platform, was designed to run on Windows, and allowed a non-expert computer user in a country that does not filter the Internet to provide basic circumvention services to specific individuals from countries that do. It was easy to install, easy to use and featured partial support for HTTPS, which made it more secure than many of the alternatives. It also required users to log in, which helped prevent congestion and reduced the likelihood that these small Web proxies, called nodes, would be targeted for blocking. Psiphon 1 is no longer maintained or supported by the organization that developed it. Psiphon 2 was completely rewritten, with an eye toward performance, security, compatibility and scalability in the context of a centralized service model. These goals have been met with varying degrees of success. Initially, a Psiphon 2 user was required to log in to a particular private node with a username and password. Psiphon, Inc. gave a few early users from each region additional privileges that allowed them to invite others to access their proxies. Early Psiphon 2 proxies also required users to ignore "invalid certificate" browser warnings because, while they were accessible through HTTPS, their administrators were unable or unwilling to purchase signed SSL certificates. All Psiphon private nodes deployed by the company itself now have signed certificates and should not trigger browser warnings. Obviously, this might not hold true for third-party installations of the Psiphon software. Finally, all Psiphon users now earn the right to send a limited number of invitations. Psiphon 2 open nodes, which were implemented somewhat later, can be used without logging in. An open node automatically loads a particular homepage, and presents itself in a particular language, but can then be used to browse elsewhere while evading online censorship. Open nodes include a link through which a user can create an account and, optionally, register an e-mail address. Doing so allows the proxy administrators to send a new URL to users whose nodes are blocked from within their country. In general, open nodes are expected to be blocked and replaced much more quickly than private nodes. As with new private nodes, all Psiphon open nodes are secured using HTTPS, and those operated by Psiphon, Inc. identify themselves using valid, signed certificates.

Psiphon 2
Psiphon 2 is a system of private, anonymous Web proxy servers. To use Psiphon 2 you need the Web address (URL) of the proxy server and an account (username and password). You may receive an invitation to create an account on Psiphon 2 from a user who already has one.

How can I get access to a Psiphon node?
To limit and monitor the blocking of its proxies, Psiphon, Inc. has no centralized way to distribute open nodes (which it sometimes refers to as right2know nodes). One English-language open node, dedicated to the Sesawe circumvention support forum, is available at (this link may no longer be available). Other open nodes are distributed privately (through mailing lists, Twitter feeds, radio broadcasts, etc.) by the various content producers that make up Psiphon's client base. Psiphon private nodes work differently. Even if it were possible to print an invitation link in this book, it would be ill-advised, as the whole point of maintaining a private node is to limit its growth and preserve some resemblance to a social network of trust among its members. After all, a single invitation sent to a single informer could be enough to get a node's IP address added to a national blacklist. Worse yet, if that invitation were accepted, the informant would also receive any replacement proxy URLs sent out by the system's administrators. If you do receive an invitation, it will include a link similar to the following, , which will allow you to create an account and register an e-mail address. To do so, follow the instructions under "Creating an account", below. After creating your account, you no longer need to use the invitation link. Instead, you will log in through a somewhat easier-to-remember URL such as .

Using a Psiphon open node
The first time you connect to an open Psiphon proxy, you will see the "Psiphon Terms of Use and Privacy Policy." Please read the terms carefully, as they contain important security advice as well as information about how the proxy administrator claims to handle your data. In order to use the proxy, you must click Agree. After you accept the Terms of Use, Psiphon will load the default home page associated with that node, as shown below. You can follow the links displayed on this page, which will automatically request content through the proxy, or you can visit other Web sites using the blue URL bar (called the Bluebar in Psiphon lingo) at the top of your browser window.

Creating an account
As long as you remember or bookmark the URL of an unblocked open node, you can use it to access filtered Web sites. Creating an account allows you to modify certain preferences, including the proxy's language and default home page. It also allows you to register an e-mail address so that the node's administrator can e-mail you a new proxy URL if this one gets blocked. To do so, click on the "Create account" link in the Bluebar. If you receive an invitation to a Psiphon private node, the steps required to create your account are identical to those described below.

When filling out the registration form, you might want to choose a username that is not connected to your real identity through e-mail services, social networking sites, or other such platforms. The same applies to your e-mail address, if you choose to register one. Most other users of your proxy are prevented from seeing your username or your e-mail address, but both items are stored in a database somewhere and are visible to Psiphon administrators. If you choose to register an e-mail address, it is recommended that you select one that allows you to access your e-mail through an HTTPS connection. Free e-mail providers that support HTTPS include , , and . To prevent the automated registration of Psiphon accounts, you must read the number displayed in the Security code image and enter it in the last field. When you are done, click "Create account".

You should see a message confirming the successful creation of your account. From now on, please use the URL displayed on this page to log in to your Psiphon node. Note that it includes an HTTPS prefix and a short suffix ("/001" in the image above). You might want to print out this welcome page or bookmark the linked URL (but be careful not to bookmark the welcome page itself by accident). Of course, you will also need the username and password that you chose in the steps above. This welcome page might also provide some advice, as shown above, about "invalid security certificate" warnings and the need to accept them in order to use Psiphon. In fact, these instructions are outdated, and you should no longer follow them. If, when connecting to a Psiphon proxy, you see warnings such as those displayed below, you should pay attention to them. If that happens, you might want to close your browser and contact or for additional advice.

Inviting others
If you use an account to log in to your Psiphon proxy, you will eventually gain the ability to invite others. In order to help prevent blocking, you will collect invite tokens slowly, and there is a limit to the number that you can have at any one time. Obviously, if your proxy is an open node, you can simply send the proxy URL to others. However, after a blocking event, if you receive a follow-up "migration" message at your registered e-mail address, you might find that your account has been moved to a private node. You should never share the URL of a private node, except through Psiphon's built-in invitation mechanism. Once you have collected one or more invitations, you will see a link on your Bluebar that says something like Invite (1 remaining), as shown below.

There are two ways to invite others to use your Psiphon proxy:

- The Send invitations method automatically sends invitation links to one or more recipients. The invitation messages will come from Psiphon, not from your own account.
- The Create invitations method generates one or more invitation links for you to distribute through other channels.

If you click on the Bluebar link, you will be taken to the Send invitations screen. In order to create an invitation link without e-mailing it, you must click on the Profile link first, then "Create invitations".

Send invitations
Click "Invite" on your Bluebar or Send invitations on the Profile screen. Enter an e-mail address for each person to whom you want to send an invitation, one address per line, and then click "Invite". You will see a message telling you that one or more messages have been queued, which means that Psiphon will e-mail out your invitation links within the next few minutes. Remember that you should only invite people you know to private nodes.

Create invitations Click "Create invitations" in the Profile screen. Select the number of invitation links to create and click "Invite".

You may distribute these invitation links through whatever channels are available to you, but:

- each invitation can be used only once;
- for private nodes, do not display the links publicly, to avoid exposing the proxy URL;
- for private nodes, you should only invite people you know.

Reporting a broken Web site Some Web sites that rely on embedded scripts and complex Web technology like Flash and AJAX may not display properly through Psiphon. In order to improve Psiphon's compatibility with such Web sites, the developers need to know which sites are problematic. If you find such a site, you can report it easily by clicking the Broken Page link on the Bluebar. If you provide a brief explanation of the problem in the Description field, it will allow the Psiphon development team to reproduce the error and help them find a solution. When you have finished, click "Submit" and your message will be sent to the developers.

Psiphon Swarm
Psiphon Swarm is an open-source, free-to-download project that allows anyone to operate their own Psiphon service. It is currently being developed towards a version that will run on a dedicated plug computer, making running your own Psiphon server as easy as plugging in a toaster. Psiphon Swarm is the candidate replacement for Psiphon 1, which was retired in September 2010. Developers who want to help push this effort forward can find the open source project here:

Psiphon 3
The Psiphon 3 Circumvention System is a relay-based Internet censorship circumventer. The system consists of a client application, which configures the user's computer to direct Internet traffic through it, and a set of servers, which proxy client traffic to the Internet. As long as a client can connect to a Psiphon server, it can access Internet services that may be blocked to the user via a direct connection.

Features

- Automatic discovery. Psiphon 3 clients ship with a set of known Psiphon servers to connect to. Over time, clients discover additional servers that are added to a backup server list. As older servers become blocked, each client has a reserve list of new servers to draw from as it reconnects. To ensure that an adversary cannot enumerate and block a large number of servers, the Psiphon 3 system takes special measures to control how many servers may be discovered by a single client.
- Mobile ready. A Psiphon 3 client Android app will be available as part of the beta launch, and other mobile platforms are in the works.
- Zero install. Psiphon 3 is delivered to users as a minimal-footprint, zero-install application that can be downloaded from any web page or file sharing site, shared by e-mail, or passed around on a USB key. The file size is kept small, and there is no overhead of installing an application.
- Custom branding. Psiphon 3 offers a flexible sponsorship system which includes sponsor-branded clients. Dynamic branding includes graphics and text on the client UI, and a region-specific dynamic home page mechanism that allows a different home page to open depending on where in the world the client is run.
- Chain of trust. Each client instance may be digitally signed to certify its authenticity. Embedded server certificates certify that the Psiphon servers the client connects to are the authentic servers for that client.
- Privacy. Psiphon 3 is designed to respect user privacy. User statistics are logged in aggregate, but no individual personally identifying information, such as user IP addresses, is retained in Psiphon log files.
- Agile transport. Psiphon 3 features a pluggable architecture with multiple transport mechanisms, including VPN and SSH tunneling. If one transport protocol is blocked by a censor, Psiphon automatically switches over to another mechanism.

Coming soon:

IPv6 compatibility. Psiphon 3 is designed to be IPv6 compatible. This ensures the system is ready for the next generation Internet, and in the immediate term offers some additional circumvention capabilities as IPv6-based censorship lags behind the tools used to censor IPv4 traffic.

Security Properties
Psiphon 3 is a circumvention system. To accomplish its design goals, it uses computer security technology including encryption and digital signatures. Using these algorithms does not mean Psiphon 3 offers additional security properties, such as privacy or authentication of destination sites, for users' Internet traffic.

Confidentiality. Traffic routed between a user's computer and a Psiphon proxy is encrypted and authenticated (using standard SSH and L2TP/IPSec VPN algorithms). The purpose of this encryption is to evade censorship based on deep-packet inspection of traffic, not to add confidentiality to the user's Internet traffic. The user's traffic is plaintext to the Psiphon proxy, and to the Internet at large as it egresses from the Psiphon proxy. Put simply, Psiphon does not add HTTPS or equivalent security where it is not already in place at the application level.

Anonymity. Psiphon is not an anonymity solution such as Tor. If a user connects to a Psiphon proxy that is beyond the monitoring of the censor he or she is circumventing, the censor will only see that the user is sending encrypted traffic to a Psiphon proxy; the censor will still know that the user is using Psiphon. Psiphon does not defend against traffic analysis attacks the censor may deploy against traffic flowing to Psiphon proxies. The Psiphon proxy knows where the user is coming from, what their unencrypted traffic is, and what their destination is, so the user is necessarily putting trust in the entity running the Psiphon proxy.

Integrity. Psiphon was not designed to add integrity to Internet traffic. However, where a censor is intercepting SSL/TLS traffic using compromised root CA keys, Psiphon does add integrity, but only if the user has obtained a trusted client out of band and is using a Psiphon proxy beyond the control of the censor. Simply put, the user's HTTPS traffic happens to bypass the censor's man-in-the-middle attack, and the Psiphon authentication system does not rely on the commercial Certificate Authority system for most use cases.

Availability. Psiphon is designed to make available Internet content that is otherwise censored. This is its primary design goal.
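The confidentiality and anonymity points above come down to one question: what can the person running the proxy read? The following added example (written for this guide, not Psiphon's code) parses two constructed client requests exactly as a plain HTTP forward proxy receives them, which is where Psiphon's SSH tunnel ends, and reports what the operator learns. For a login over plain HTTP that is the URL, the cookie and the password itself; for the same site over HTTPS it is only the CONNECT host and port.

```python
"""What a single-hop proxy operator sees of the traffic passing through.

Added example for this guide; it is not Psiphon's code. It parses client
requests exactly as a plain HTTP forward proxy receives them (Psiphon's SSH
tunnel ends at the proxy, so this is what the operator can read) and
reports what is exposed. Both sample requests are constructed.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a login over plain HTTP, sent via a forward proxy
# (absolute URL in the request line, as proxies receive it).
HTTP_LOGIN = (
    b"POST http://example.org/login HTTP/1.1\r\n"
    b"Host: example.org\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

# Constructed sample: the same site over HTTPS. The browser asks the proxy
# for a raw tunnel and the TLS handshake happens inside it.
HTTPS_LOGIN = (
    b"CONNECT example.org:443 HTTP/1.1\r\n"
    b"Host: example.org:443\r\n"
    b"\r\n"
)

SECRET_FIELDS = ("user", "username", "pass", "password")


def observe(raw: bytes) -> dict:
    """Return what the proxy operator learns from one client request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "CONNECT":
        # Opaque tunnel: only the endpoint (and any proxy headers) is visible;
        # URL path, cookies and the POST body are encrypted end to end.
        host, _, port = target.rpartition(":")
        return {"scheme": "https", "host": host, "port": int(port), "path": None,
                "headers": headers, "body": None, "credentials": {}}

    # Plain HTTP: the whole request, including cookies and any password
    # in a form body, is readable and loggable at the proxy.
    url = urlsplit(target)
    credentials = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = parse_qs(body.decode("latin-1"))
        credentials = {k: v[0] for k, v in form.items() if k in SECRET_FIELDS}
    return {"scheme": url.scheme, "host": url.hostname, "port": url.port or 80,
            "path": url.path, "headers": headers, "body": body.decode("latin-1"),
            "credentials": credentials}


if __name__ == "__main__":
    for label, request in (("HTTP", HTTP_LOGIN), ("HTTPS", HTTPS_LOGIN)):
        seen = observe(request)
        print(f"{label}: host={seen['host']}:{seen['port']} path={seen['path']} "
              f"credentials={seen['credentials']}")
```

The same split applies to every single-hop proxy or VPN in this chapter: the operator (or anyone who compromises the operator) gets the plain HTTP request in full, and for HTTPS still gets the destination host, the timing and the volume of traffic.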

Compatibility

Supported transport mechanisms: L2TP/IPSec VPN, HTTP/SOCKS proxy over SSH tunnel
Planned transport mechanisms: PPTP VPN, DNS tunnel
Supported client platforms: Windows XP/Vista/7, Android [TODO: version]
Planned client platforms: Mac OS X
Server platform: Debian 6.0

How to use Psiphon 3
Psiphon 3 is a circumvention tool that bypasses Internet filtering in two ways: a virtual private network (VPN) and SSH tunneling. Currently Psiphon 3 is available for Windows, but the company will soon offer versions for other operating systems such as Android and Macintosh. Get this tool from: or send an e-mail to: with the subject "Psiphon3" (without quotation marks), or send an e-mail to with "سایفون ٣" in the subject line. Note: is a Persian news Web site that regularly offers new versions of circumvention tools such as Freegate, UltraSurf and Psiphon. Non-Persian users can use Google Translate to find the right page. Currently Psiphon 3 is available at the link below: This tool is very easy to use and needs no installation; just run Psiphon3.exe, like this:

Psiphon 3 connects to the Internet automatically. If you use a firewall, click on "allow this tool to connect". It first tries to establish a VPN and, if that fails, tries SSH.


SabzProxy
SabzProxy ("green proxy" in Persian) is a free distributed Web proxy proposed by the team. It is based on the legacy code of PHProxy (which has not been maintained since 2007). For additional detail about the Web proxy concept, please refer to the previous chapter. The main improvement in SabzProxy, compared to PHProxy, is URL encoding. This makes SabzProxy harder to detect (PHProxy has a predictable footprint, which is why it is now blocked in several countries, including Iran). Only deep-packet inspection would allow SabzProxy servers to be detected and blocked. SabzProxy is localized in Persian but is fully functional in any language. Many people in various countries have used it to set up their own public Web proxy.

General information

Supported operating system: 
Localization: Persian
Web site: 
Support: E-mail: 

How do I access SabzProxy? SabzProxy is a distributed Web proxy. This means that there are neither central SabzProxy instances nor a commercial entity designed to create and distribute them. Rather, it relies on its community and users to create their own instances and share them with their networks. You can access instances through various forums or networks, and when you have access you are welcome to share it with your friends.

You can send an empty e-mail to to obtain it, or grab it here: If you own Web hosting space and are interested in creating and sharing your own SabzProxy instance with your friends and family, please refer to the Installing SabzProxy section below.

Installing SabzProxy
SabzProxy is only available in Persian, but the GUI is simple and still easy to understand. These instructions describe the most common case: using FTP to transfer SabzProxy to a Web space account that already supports PHP. For this technique, you will also need an FTP client program such as FileZilla ( A portable version of FileZilla is available here: Although this method is the most common, it isn't applicable to every situation (for example if you're setting up your own server through the command line), but the steps should be similar. Note that plain FTP sends your hosting username and password unencrypted; if your host offers SFTP or FTPS, choose that in the client instead (FileZilla supports both).

1. Download the SabzProxy archive file from
2. Extract the contents of the .zip file by right-clicking on the file and choosing Extract All.
3. Open the config.php file with a basic text editor (e.g. Notepad for Windows, Gedit or Nano for Linux systems, TextEdit for Mac OS).
4. Edit line 8, starting with $config_key. Type a random string between the quotation marks "". This string is used to randomize the URL encoding, so make it long and as random as possible; a short or guessable key makes the proxy's URLs predictable again, which is exactly the footprint that got PHProxy blocked.
5. You can also configure a couple of options, such as the welcome text and links.
6. Open FileZilla, enter the server (host), username and password of your Web space and click on Quickconnect (or the equivalent if you are using a different FTP client).
7. The left part of the FTP client window represents your local PC, so you can locate the SabzProxy files that you have just extracted there.
8. Drag and drop the files from the left part of the FTP client window to the right part, which represents the remote FTP server (your Web space).
9. You can now access SabzProxy by browsing to the domain of your Web space and the directory to which you uploaded SabzProxy. If this doesn't work, your server account may not support PHP, or support for PHP may be disabled or may require additional steps. Please refer to the documentation for your account or the Web server software in use. You can also look for an appropriate support forum or ask your Web server operator for additional help.
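Step 4 is the one that matters for detection, and "as random as possible" is easier to get right with a tool than by mashing the keyboard. The following added script (written for this guide, not part of SabzProxy) draws the key from the operating system's cryptographic random number generator and writes it into the $config_key line of config.php. The config.php shown inside it is a constructed sample, and the exact shape of that line is assumed from the installation steps above.

```python
"""Set a strong $config_key in SabzProxy's config.php.

Added example for this guide, not part of SabzProxy. It assumes config.php
carries a line of the form  $config_key = "...";  as the installation steps
describe; SAMPLE_CONFIG below is a constructed stand-in for that file.
"""
import re
import secrets
import sys
from typing import Optional, Tuple

SAMPLE_CONFIG = """<?php
// constructed sample of SabzProxy's config.php
$config_key = "changeme";
$config_welcome = "Welcome";
"""

# Matches the whole $config_key assignment; group 2 is the current value.
KEY_LINE = re.compile(r'^(\s*\$config_key\s*=\s*")([^"]*)(";)', re.MULTILINE)


def new_key(nbytes: int = 32) -> str:
    """Return nbytes of OS CSPRNG output as hex (64 characters by default),
    which is both unguessable and safe to place inside PHP double quotes."""
    return secrets.token_hex(nbytes)


def set_config_key(php_source: str, key: Optional[str] = None) -> Tuple[str, str]:
    """Replace the $config_key value and return (patched source, key used).

    Raises ValueError if the line is missing, or if a caller-supplied key
    contains characters that would break or interpolate the PHP string.
    """
    key = key if key is not None else new_key()
    if '"' in key or "\\" in key or "$" in key:
        raise ValueError("key must not contain quotes, backslashes or $")
    patched, count = KEY_LINE.subn(lambda m: m.group(1) + key + m.group(3),
                                   php_source, count=1)
    if count != 1:
        raise ValueError("no $config_key line found in config.php")
    return patched, key


if __name__ == "__main__":
    # Usage: python set_key.py path/to/config.php   (rewrites the file in place)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    source = open(path, encoding="utf-8").read() if path else SAMPLE_CONFIG
    patched, key = set_config_key(source)
    if path:
        with open(path, "w", encoding="utf-8") as f:
            f.write(patched)
    print(patched)
```

Run it on the extracted config.php before step 6, and treat the key like a password: anyone who learns it can reproduce the encoding and recognise your proxy's URLs.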

How does it work?
Here's an example that illustrates how SabzProxy works.

1. Enter the address of the SabzProxy instance you are using in your browser.
2. In the Web Address box on the SabzProxy page, enter the address of the censored Web site you want to visit (for example, the BBC Farsi address used in the screenshot below). You can keep the default options.
3. Click Go or press Enter.

The Web site is displayed in the browser window. You can see the SabzProxy green bar within the browser window, and the BBC Farsi Web site below the bar. To continue browsing, you can either:

- click any link on the current page (the Web proxy will automatically retrieve linked pages), or
- enter a new URL in the Address box at the top of the page.

Advanced options
Usually, you can keep the default options to browse. However, you can choose between several advanced options:

Include mini URL-form on every page. Check this option if you want a form on the proxified Web sites so that you can enter new URLs without going back to the start page of SabzProxy. You may want to deselect this option if you have a small screen, so that you have more space for the target Web page.

Remove client-side scripting (i.e., JavaScript). Check this option if you want to remove dynamic scripting from Web pages. JavaScript can sometimes cause unwanted issues, as it is also used to display online ads or even to track your identity. Browsing mobile/light versions of complex Web sites (like Web mail services or social networking platforms) is another way to avoid JavaScript issues while using SabzProxy.

Allow cookies to be stored. Cookies are small pieces of text which are often automatically stored by your Web browser. They are required by Web sites which need authentication, but can also be used to track your identity. With this option turned on, every cookie is stored for a long time. If you want to allow cookies for this session only, deselect this option and select "Store cookies for this session only".

Show images on browsed pages. If you are on a slow Internet connection, you may want to deselect this option so that pages are lighter and therefore faster to load.

Show actual referring Web site. By default, your browser sends every Web site the URL you are coming from, i.e. the page where you clicked on a link. These URLs are stored in the Web site's log files and analyzed automatically. For increased privacy, you can deselect this option.

Strip Meta information tags from pages. Meta tags are additional information stored in many Web sites to be used automatically by computer programs. Such information may include the name of the author, a description of the site content or keywords for search engines. Filtering techniques could be run on these tags. You may leave this option checked to avoid presenting this information to keyword filters.

Strip page title. With this option turned on, SabzProxy removes the page title of the Web site, which you normally see in the title bar at the top of your Web browser. This can be useful, for example, to hide the name of the Web site you are visiting if you don't want people around you to see it when you minimize your browser.

Store cookies for this session only. Similar to the "Allow cookies to be stored" option; with this option turned on, cookies are only stored until you close your SabzProxy session by exiting your Web browser.

Proxy Settings of your browser and FoxyProxy
A proxy server allows you to reach a Web site or other Internet location even when direct access is blocked in your country or by your ISP. There are many different kinds of proxies, including:

- Web proxies, which only require that you know the proxy Web site's address. A Web proxy URL may look like
- HTTP proxies, which require that you modify your browser settings. HTTP proxies only work for Web content. You may get the information about an HTTP proxy in the format "" or "".
- SOCKS proxies, which also require that you modify your browser settings. SOCKS proxies work for many different Internet applications, including e-mail and instant messaging tools. The SOCKS proxy information looks just like HTTP proxy information.

You can use a Web proxy directly without any configuration by typing in its URL. HTTP and SOCKS proxies, however, have to be configured in your Web browser.

Default Firefox proxy configuration
In Firefox 10 (Windows), you enter the configuration screen by clicking on the Firefox menu at the top left of your screen and then selecting Options. In the pop-up window, select the icon labeled Advanced and then choose the Network tab. You should see this window:

Select Settings, click on "Manual proxy configuration" and enter the information of the proxy server you want to use. Remember that HTTP proxies and SOCKS proxies work differently and have to be entered in the corresponding fields. If there is a colon (:) in your proxy information, it is the separator between the proxy address and the port number. If you use a SOCKS proxy, be aware that Firefox still resolves Web site names through your normal DNS server, which reveals which sites you visit to whoever runs that server, unless you set network.proxy.socks_remote_dns to true in about:config so that name lookups go through the proxy as well. Your screen should look like this:

After you click OK, your configuration will be saved and your Web browser will automatically connect through that proxy on all future connections. If you get an error message such as, "The proxy server is refusing connections" or "Unable to find the proxy server", there is a problem with your proxy configuration. In that case, repeat the steps above and select "No proxy" in the last screen to deactivate the proxy.
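Before repeating the configuration steps after "The proxy server is refusing connections", it helps to confirm that something is listening at the host:port you were given and that it speaks the protocol you entered it as (a SOCKS proxy typed into the HTTP field will never answer). The following added script, written for this guide rather than taken from Firefox or any proxy tool, splits the host:port string at its colon, sends the opening message of each protocol, and reports which one the listener understands. It works the same for remote proxies and for the local listeners that tools such as Tor, FreeGate and Simurgh open on your own machine; the fake listeners at the bottom exist only so the check can be tried offline, and the addresses in the usage block are placeholders.

```python
"""Check which protocol a proxy at host:port actually speaks.

Added example for this guide (not taken from Firefox, FoxyProxy or any
proxy tool). It splits a host:port string, then sends the opening message
of each protocol: an HTTP CONNECT request, and the SOCKS5 greeting. The
fake listeners at the bottom stand in for a real proxy so the script can
be tried offline; the addresses in __main__ are placeholders.
"""
import socket
import threading
from typing import Optional, Tuple


def parse_proxy(spec: str) -> Tuple[str, int]:
    """'host:port' -> (host, port); the last colon separates address and port."""
    host, sep, port = spec.strip().rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError(f"expected host:port, got {spec!r}")
    return host, int(port)


def probe_http(host: str, port: int, timeout: float = 3.0) -> Optional[int]:
    """Send a CONNECT request; return the HTTP status code in the reply, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n")
            reply = s.recv(64)
    except OSError:  # refused, timed out, unresolvable, reset
        return None
    parts = reply.split(b" ", 2)
    if not reply.startswith(b"HTTP/") or len(parts) < 2 or not parts[1].isdigit():
        return None
    return int(parts[1])


def probe_socks5(host: str, port: int, timeout: float = 3.0) -> bool:
    """Send the SOCKS5 greeting (version 5, one method: no auth); expect 05 00 back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"\x05\x01\x00")
            reply = s.recv(2)
    except OSError:
        return False
    return reply == b"\x05\x00"


def classify(spec: str) -> str:
    """Say which Firefox field the proxy belongs in, or that nothing answered."""
    host, port = parse_proxy(spec)
    status = probe_http(host, port)
    if status is not None:
        return f"http (CONNECT answered {status})"
    if probe_socks5(host, port):
        return "socks5"
    return "unreachable or unknown protocol"


def start_fake_listener(kind: str) -> int:
    """Local stand-in that answers only its own protocol's first message.
    kind is 'http' or 'socks5'; returns the port it listens on (127.0.0.1)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                data = conn.recv(1024)
                if kind == "http" and data.startswith(b"CONNECT"):
                    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                elif kind == "socks5" and data[:1] == b"\x05":
                    conn.sendall(b"\x05\x00")
                # anything else: close without answering, like a real listener
                # that does not understand the request

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for spec in (f"127.0.0.1:{start_fake_listener('http')}",
                 f"127.0.0.1:{start_fake_listener('socks5')}",
                 "127.0.0.1:2048"):  # placeholder: a local Simurgh proxy, if running
        print(spec, "->", classify(spec))
```

A status other than 200 from the CONNECT probe (for example 407) still proves an HTTP proxy is there and tells you it wants authentication or refuses tunnels; "unreachable" means the address, the port or your own firewall is the problem, not the Firefox dialog.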

FoxyProxy FoxyProxy is a freeware add-on for the Firefox Web browser which makes it easy to manage many different proxy servers and change between them. For details about FoxyProxy, visit

Installation In Firefox 10 (Windows), click on the Firefox menu at the top left of your screen and then select Add-ons. In the pop-up window, type the name of the add-on you want to install (in this case "FoxyProxy") in the search box at the top right and press Enter. In the search results, you will see two different versions of FoxyProxy: Standard and Basic. For a full comparison of the two free editions, visit , but the Basic edition is sufficient for basic circumvention needs. After deciding which edition you want, click Install. After installation, Firefox should restart and open the Help site of FoxyProxy. You should see the FoxyProxy icon at the bottom right.

Configuration For FoxyProxy to do its job, it needs to know what proxy settings to use. Open the configuration window by clicking the icon at the bottom right of the Firefox window. The configuration window looks like this:

Click on "Add New Proxy". In the following window, enter the proxy details in a similar way to the default Firefox proxy configuration:

Select "Manual Proxy Configuration", enter the host or IP address and the port of your proxy in the appropriate fields. Check "SOCKS proxy?" if applicable, then click OK. You can add more proxies by repeating the steps above.

Usage You can switch among your proxies (or choose not to use a proxy) by right-clicking on the fox icon at the bottom right of your Firefox window:

To select a proxy server, simply left-click on the proxy you want to use. Note: there are some extensions designed specifically to bypass censorship, among them Torbutton and the UltraSurf Firefox tool shown above. They are good add-ons for simply toggling Tor or UltraSurf on or off.

Proxy Switcher to manage proxies on Chrome
If you want to use multiple proxy tools with Google Chrome, install the Proxy Switcher extension to manage them all. This extension also lets you use Tor with Chrome. Every proxy you want to use gets its own profile. For example, to run Tor with Google Chrome, first install the Tor Vidalia Bundle (the bundle that does not come with its own Firefox browser). Then configure Google Chrome to use the Tor proxy. Install Proxy Switcher in Google Chrome from here: Then open Proxy Switcher and use these settings:

Profile Name: Tor
Check "manual configuration"
HTTP Proxy: 
Port: 8118
Check "use the same proxy server for all protocols"

Then save everything. Next, switch to the General tab and use these settings:

Check "Quick Switch"
Check "Binary Switch"
Profile 1: leave as [Direct Connection]
Profile 2: Tor

Now you can toggle Tor (or other proxy software) on and off with a small button at the top of your browser. Keep in mind that this only routes Chrome's traffic through Tor; it does not make Chrome behave like the browser bundled with Tor, so if you need anonymity rather than plain circumvention, use the bundled browser, as explained in the introduction to circumvention tools below.

More useful extensions:

- KB SSL Enforcer: 
- GeoProxy (proxy based on location): sets Chrome's proxy from a list of proxies generated for the country you choose. Proxies are listed in order of latency. Select the country and click Search to find proxies from that country (at most 10 proxies will be listed, sorted by latency), then click on any of the proxies to set it. If you want to use a direct connection instead of a proxy, click on "Do not use proxy". These are public proxies run by unknown operators, so the warnings below about trusting a proxy operator apply to them in full.
- Strong password generator: 

Introduction to circumvention tools
The basic idea of circumventing Internet censorship is to route your requests through a third server which is not blocked and is connected to the Internet through an unfiltered connection. This chapter explains some of the tools which make it possible to use such a server in order to defeat Internet blocking, filtering, and monitoring. The choice of which tool might best accomplish your objectives should be based on an initial assessment of the type of content you want to access, your available resources, and the risks of doing so. Tools to defeat Internet blocking, filtering and monitoring are designed to deal with different obstacles and threats. They may facilitate:

Circumventing censorship: enabling you to read or author content, send or receive information, or communicate with particular people, sites or services by bypassing attempts to prevent you from doing so. This is similar to using the Google cache or an RSS aggregator to access a blocked Web site indirectly.

Preventing eavesdropping: keeping communications private, so that nobody can see or hear the content of what you're communicating (even if they might still be able to see with whom you're communicating). Tools that try to circumvent censorship without also preventing eavesdropping may remain vulnerable to keyword filters that block all communications containing certain prohibited words. Various forms of encryption, such as HTTPS or SSH, make the information unreadable to anyone other than the sender and receiver. An eavesdropper will see which user is connecting to which Web server, but of the content he can only see a string of characters that looks like nonsense.

Remaining anonymous: the ability to communicate so that no one can connect you to the information or people you are connecting with, neither the operator of your Internet connection nor the sites or people with whom you're communicating. Many proxy servers and proxy tools don't offer perfect, or any, anonymity: the proxy operator is able to observe the traffic going into and out of the proxy and easily determine who is sending it, when they're sending it, and how often they're sending it; a malicious observer on either side of the connection is able to gather the same information. Tools like Tor are designed to make it difficult for attackers to gather this kind of information about users by limiting the amount of information any node in the network can have about the user's identity or location.

Concealing what you are doing: disguising the communications you send so that someone spying on you will not be able to tell that you are trying to circumvent censorship. For example, steganography, the hiding of text messages within an ordinary image file, may conceal that you are using a circumvention tool at all. Using a network with many kinds of users means that an adversary cannot tell what you are doing from your choice of software alone. This works best when others are using the same system to get to uncontroversial content.

Some tools protect your communications in only one of these ways. For example, many proxies can circumvent censorship but don't prevent eavesdropping. It's important to understand that you may need a combination of tools to achieve your goal. Each kind of protection is relevant to different people in different situations. When you choose tools that bypass Internet censorship, you should keep in mind what kind of protection you need and whether the particular set of tools you're using can provide that sort of protection. For example, what will happen if someone detects that you are attempting to circumvent a censorship system? Is access your main concern, or do you need to remain anonymous while doing so? Sometimes one tool can be used both to defeat censorship and to protect anonymity, but the steps for each are different. For instance, Tor software is commonly used for both purposes, but Tor users who are most concerned with one or the other will use Tor differently. For anonymity, it is important that you use the Web browser bundled with Tor, since it has been modified to prevent leaking your real identity.

An important warning
Most circumvention tools can be detected with sufficient effort by network operators or government agencies, since the traffic they generate may show distinctive patterns. This is certainly true for circumvention methods that don't use encryption, but it can also be true for methods that do. It's very difficult to keep secret the fact that you're using technology to circumvent filtering, especially if you use a fairly popular technique or continue using the same service or method for a long period of time. Also, there are ways to discover your behavior that do not rely on technology: in-person observation, surveillance, or many other forms of traditional human information-gathering. We cannot provide specific advice on threat analysis or the choice of tools to meet the threats. The risks are different in each situation and country, and change frequently. You should always expect that those attempting to restrict communications or activities will continue to improve their methods. If you are doing something that may put you at risk in the location where you are, you should make your own judgments about your security and (if possible) consult experts.

Most often, you will have to rely on a service provided by a stranger. Be aware that they may have access to information about where you are coming from, the sites you are visiting and even the passwords you enter on unencrypted Web sites. Even if you know and trust the person running a single-hop proxy or VPN, they may be hacked or forced to compromise your information. Remember that the promises of anonymity and security made by different systems may not be accurate. Look for independent confirmation. Open source tools can be evaluated by tech-savvy friends. Security flaws in open source tools can be discovered and fixed by volunteers. It is difficult to do the same with proprietary software.

Achieving anonymity or security may require you to be disciplined and carefully follow certain security procedures and practices. Ignoring security procedures may dramatically reduce the protection you receive. It is dangerous to think that a "one click solution" for anonymity or security is possible. For instance, routing your traffic through a proxy or through Tor is not enough. Be sure to use encryption, keep your computer safe and avoid leaking your identity in the content you post. Be aware that people (or governments) may set up fake phishing Web sites and proxies that pretend to offer secure communication or censorship circumvention but actually capture the communications of unwitting users. Sometimes even "policeware" may be installed on users' computers, either remotely or directly, that acts like malware, monitoring all activities on the computer even when it is not connected to the Internet and undermining most other preventive security measures. For more information about this, please refer to the relevant section of this book.

Pay attention to non-technical threats. What happens if someone steals your computer or mobile phone, or that of your best friend? What if an Internet cafe staff member looks over your shoulder or points a camera at your screen or keyboard? What happens if someone sits down at a computer in a cafe where your friend has forgotten to log out and sends you a message pretending to be from her? What if someone in your social network is arrested and forced to give up passwords? If there are laws or regulations that restrict or prohibit the materials you are accessing or the activities you are undertaking, be aware of the possible consequences.

FreeGate
FreeGate is a proxy tool for Windows users that was initially developed by DIT-INC to bypass Internet censorship in China. This specific program offers unrestricted access for Chinese users but restricted access for other users. The extent of this restriction is unknown, but I have successfully managed to search Google and load YouTube and Facebook without hassle. This is a great choice for Chinese users.

General Information

Supported operating system: Windows
Localization: English, Chinese, Persian, Spanish
Web site: 
Support: Forum: 
Speed Rating: Medium
Anonymity Rating: Medium
Usage Allowance: Unlimited
Logging Level: Unknown
Server Location(s): Worldwide
WOT Rating: Excellent
Footprint: 15 MB of RAM usage when running. Fully portable. It combines a web service with a stand-alone program.
Advantage: Reasonably good speeds, no installation necessary, great for Chinese users.
Disadvantage: Restricted access for worldwide users outside of China.
Developer's website: 
Download page: 
Version: 7.28
Download file size: 1.89 MB
License type: Unrestricted freeware
System requirements: Windows 95 - 7

How to get FreeGate You can download the software for free at . You will get a file with the extension .zip, which you have to extract first. Right-click on the downloaded file and select "Extract All", then click on the button "Extract". The resulting file is about 1.5 MB. The name of the executable file may look like a short series of letters and numbers (e.g. "fg725p.exe"). Installation When you run the application for the first time, you may see a Security Warning. You can accept this Security Warning by unchecking the box "Always ask before opening this file" and clicking Run. For more privacy, it is also recommended to install a packet-filtering firewall and keep it updated.

Running FreeGate Now the application should start and connect automatically to a server.

When the secure tunnel has started successfully, you will see the FreeGate status Window and a new instance of Internet Explorer will open automatically with the URL "" loaded, depending on your version and language. This is the confirmation that you are using FreeGate correctly through an encrypted tunnel.

If all has gone well, you can start browsing normally using the automatically opened Internet Explorer window to get around Internet censorship. If you want to use another application with FreeGate (for example the Firefox Web browser or the Pidgin instant messaging client), you will have to configure it to use FreeGate as a proxy server. The IP is , and the port is 8580. Google Chrome usually needs no configuration to use FreeGate. Under the Settings tab in FreeGate, you can choose your interface language from English, Traditional Chinese, Simplified Chinese, Farsi and Spanish. Under Status, you can track your upload/download traffic through the FreeGate network. The Server tab allows you to pick from several servers, one of which may be faster than your current connection. Note: it is highly recommended to use Google Chrome instead of Internet Explorer, to avoid IE's security holes and possible compromise.

Simurgh
Simurgh (which means "phoenix" in Persian) is a lightweight stand-alone proxy software and service. This means that it can be run without any prior installation or administrator rights on the computer. You can copy it to your USB flash drive and use it on a shared computer (in an Internet cafe, for example).

General Information

Supported operating system: Windows
Localization: English
Web site: 
Support: E-mail: 

Downloading Simurgh To use the Simurgh service, download the tool for free from It is available for any version of Microsoft Windows. The size of the file is less than 1MB, so it can be downloaded even on a slow Internet connection in a reasonable time. Using Simurgh To start Simurgh, click on the file you have downloaded. By default, files downloaded with Microsoft Internet Explorer are located on your Desktop and files downloaded with Mozilla Firefox are located in "My Documents" and then "Downloads".

Note that when you run Simurgh for the first time, you may encounter a Windows Security Alert which asks if you want to keep blocking Simurgh. Since Simurgh has to communicate with the Internet in order to work it is very important that you select "Unblock" or "Allow Access" (depending on your version of Microsoft Windows).

You may see this warning pop-up:

Or this one:

After you have successfully started Simurgh, click on Start to create a secure connection.

When the Start button has changed to a Stop button, Simurgh has successfully connected to its servers.

Make sure you are connected to the Simurgh server
Now a new window of your Internet Explorer browser will open with a test page. If you see your connection originating from another country, such as the U.S.A., this confirms that Simurgh has successfully changed the settings of your browser and you are automatically surfing over the secure Simurgh connection.

You can also use the website to check where your connection appears to be from. If the website shows your location very far away (in another country such as the USA), you are using the secure Simurgh connection.

Using Simurgh with Mozilla Firefox
In order to use another web browser like Mozilla Firefox, you need to configure it to use the HTTP proxy "localhost" with the port 2048. In Firefox, you can find the proxy settings via Tools > Options > Network > Settings. In the "Connection settings" window choose "Manual proxy configuration" and enter "localhost" (without the quotation marks) as the HTTP proxy and 2048 as the port, as shown in the screenshot below. To accept the new settings, click OK.

UltraSurf, from developer UltraReach Internet Corp, is a proxy tool designed to help Chinese Internet users get around their censorship. It may work for users in other countries as well.

General Information
Supported operating system:
Localization: English
Web site:
Support: FAQ:

How to get UltraSurf
You can download the free software (for Windows only) from one of several pages (one of them is in Chinese, but the download is still easy to find and in English).

Installing and using UltraSurf
Once you have downloaded the file, named something like "" (depending on the version number), extract it by right-clicking the file and selecting "Extract All". Double-click the new "u1006" icon to start the application.

UltraSurf will automatically open Internet Explorer and display the UltraSurf search page. You can now start browsing using the instance of Internet Explorer that UltraSurf has launched.

If you want to use another application with UltraSurf (for example the Firefox Web browser or the Pidgin instant messaging client), you need to configure it to use the UltraSurf client as a proxy server: the IP is that of your own PC (also known as "localhost") and the port is 9666. There is also an extension for Firefox to switch directly to UltraSurf: search for "UltraSurf" under Tools > Add-ons > Search. UltraSurf Firefox Tool 2 is compatible with Firefox 10. You can open the UltraSurf User Guide by clicking Help in the UltraSurf main window. Info on Chinese UltraSurf (wujie): Chinese user guide:

VPN Services
Virtual private network
In general (but not always!), networks get more secure further down the road. For example, suppose you are in China at a cafe with an unencrypted wireless connection, requesting information about Liu Xiaobo: it's very possible that this piece of information is located on a server in Amsterdam. If so, your request will travel through multiple places, and each hop is vulnerable:
1. The wireless network at the cafe: everybody in and around the cafe will be able to see your request.
2. The wireless modem/router of the cafe: the cafe owner, or somebody with physical access to this modem/router, will be able to see your request.
3. The (multiple) routers of the connection provider: in China these are controlled by the government (and the request would probably be blocked in this case), so the system administrators of these networks will be able to see the request. Maybe some hundreds of system administrators have the access to "sniff" your request.
4. Some routers are located in Europe, for example routers in Germany. Most of these systems are very well maintained and secured, but the request is still viewable by the involved system administrators.
5. Finally your request will arrive at the Wikipedia server in Amsterdam, and of course the system administrator of this system will be able to see your request.

Securing the weak points
It's very important to understand that the weakest points on this path (the cafe and the country where you are) are also controlled by the people who are most interested in your requests. Therefore it's very worthwhile to secure this part of the path. It would be great if you could somehow change the path so it appears as if your request originated in (for example) the U.S.A. instead of China. This is possible with VPN technology. In addition, the moment you put a computer on the internet, it is likely to be probed for vulnerabilities by viruses and crackers hoping to conscript it into a zombie bot army. Read more about it here: Yikes! What is an internet user to do? We will help you configure your computer to prevent these attacks at the network level.

A VPN (virtual private network) encrypts and tunnels all Internet traffic between yourself and another computer. This computer might belong to a commercial VPN service, your organization, or a trusted contact. Because VPN services tunnel all Internet traffic, they can be used for e-mail, instant messaging, Voice over IP (VoIP) and any other Internet service in addition to Web browsing, making everything that travels through the tunnel unreadable to anyone along the way. If the tunnel ends outside the area where the Internet is being restricted, this can be an effective method of circumvention, since the filtering entity/server sees only encrypted data and has no way of knowing what data is passing through the tunnel. It has the additional effect of making all your different kinds of traffic look similar to an eavesdropper. Since many international companies use VPN technology to allow employees who need access to sensitive financial or other information to reach the companies' computer systems from home or other remote locations over the Internet, VPN technology is less likely to be blocked than technologies used only for circumvention purposes. It is important to note that the data is only encrypted as far as the end of the tunnel, and then travels unencrypted to its final destination. If, for example, you set up a tunnel to a commercial VPN provider and then request a Web page from the BBC through the tunnel, the data will be encrypted from your computer to the VPN provider's computer at the other end, but from there it will be unencrypted to the servers run by the BBC, just like normal Internet traffic. This means that the VPN provider, the BBC and anyone with control over a system between these two servers will, in theory, be able to see what data you sent or have requested.

Using VPN services
VPN services might or might not require installation of client-side software (many rely on existing VPN support in Windows, Mac OS or GNU/Linux and so need no extra client software). Using a VPN service requires you to trust the owners of the service, but provides a simple and convenient method of bypassing Internet filtering, for free or for a monthly fee generally between 5 and 10 US dollars, depending on the service. Free services are often either ad-supported, or limit the bandwidth and/or the maximum traffic allowed over a given period.

VPN and secure connections
A Virtual Private Network (VPN) is typically used to allow an employee access to a secure corporate network.

A normal internet connection

In a normal internet connection, all your traffic is routed from your computer through your ISP (Internet Service Provider) and out onto the internet and finally to its destination. At every step of the way, your data is being recorded and is vulnerable to man-in-the-middle attacks (the danger of this is much less if you are using a secure protocol like https).

Man-in-the-middle Attacks
The man-in-the-middle attack (often abbreviated MITM), bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle). A man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other: it is an attack on mutual authentication. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority. So everyone is vulnerable to MITM attacks, and it has already been done on Facebook.

Popular free VPN services:

Hotspot Shield: According to a 2010 report from the Berkman Center, Hotspot Shield is overwhelmingly the most popular VPN service. For more details on how to get and use Hotspot Shield, read the "Hotspot Shield" chapter of this manual.
UltraVPN
FreeVPN
CyberGhost
AirVPN: AirVPN offers free accounts without bandwidth or traffic restrictions and without ads for activists by request.
Vpnod
VpnSteel
Loki Network Project
ItsHidden



Examples of paid VPN services include Anonymizer, GhostSurf, XeroBank, HotSpotVPN, WiTopia, VPN Swiss, Steganos, Hamachi LogMeIn, Relakks, Skydur, iPig, FindNot, Dold, UnblockVPN and SecureIX. You can find a list of free and paid VPN providers, with their monthly fee and technical characteristics, at

Commercial VPN Services
Commercial VPN (Virtual Private Network) services anonymize your internet activity by hiding your IP address from the world and showing their own company's IP address instead.

List of VPN with US IP Addresses:
List of VPN with UK IP Addresses:
List of OpenVPN-based VPN Services:
My VPN Reviews:
VPN and SSH Providers List:
How to stop DNS leakage while using a VPN:

VPN standards and encryption
There are a number of different standards for setting up VPN networks, including IPSec, SSL/TLS and PPTP that vary in terms of complexity, the level of security they provide, and which operating systems they are available for. Naturally, there are also many different implementations of each standard within software that have various other features.


While PPTP is known to use weaker encryption than either IPSec or SSL/TLS, it may still be useful for bypassing Internet blocking, and the client software is conveniently built into most versions of Microsoft Windows. SSL/TLS-based VPN systems are relatively simple to configure, and provide a solid level of security. IPSec runs at the Internet level, responsible for packet transfer in the Internet architecture, while the others run at the Application level. This makes IPsec more flexible, as it can be used for protecting all the higher level protocols, but also difficult to set up.

Set up your own VPN service
As an alternative to paying for commercial VPN services, users with contacts in unrestricted locations may have these contacts download and install software that sets up a private VPN service. This requires a much higher level of technical knowledge, but it will be free. Also, the private nature of such a setup means it is less likely to be blocked than a commercial service that has been available for a long time. One of the most widely used free and open source programs available for setting up this kind of private VPN is OpenVPN, which can be installed on Linux, Mac OS, Windows and many other operating systems.

Advantages
A VPN provides encrypted transfer of your data, so it is one of the safest ways to bypass Internet censorship. Once configured, it is easy and transparent to use. VPNs are best suited for technically capable users who require secure circumvention services for more than just web traffic and who access the Internet from their own computer where they can install additional software. VPNs are an excellent resource for users in censored locations who do not have trusted contacts in non-filtered locations. VPN technology is a common business application that is not likely to be blocked.

Disadvantages and Risks
Some commercial VPNs (especially the free ones) are publicly known and may be filtered. They normally cannot be used in public access locations where users cannot install software, such as Internet cafes or libraries. Use of VPNs may require a higher level of technical expertise than other circumvention methods. A network operator can detect that a VPN is being used and determine who the VPN provider is. The network operator should not be able to view the communications sent over the VPN unless the VPN is set up incorrectly. The VPN operator (much like a proxy operator) can see what you're doing unless you use some additional encryption for your communications, like HTTPS for Web traffic; without additional encryption, you have to trust the VPN or tunnel operator not to abuse this access.

OpenVPN is a well-respected, free, open source Virtual Private Network (VPN) solution. It works on most versions of Windows (Windows Vista support is expected soon), Mac OS X and Linux. OpenVPN is SSL-based, which means it uses the same type of encryption that is used when visiting secure Web sites where the URL starts with https.

General Information
Supported operating system:
Localization: English, German, Italian, French and Spanish
Web site:
Support: Forum:

OpenVPN is not suitable for temporary use in Internet cafe or elsewhere on shared computers where you can't install additional software.

In an OpenVPN system, there is one computer set up as a server (in an unrestricted location), and one or more clients. The server must be set up to be accessible from the Internet, not blocked by a firewall and with a publicly routable IP address (in some places, the person establishing the server may have to request this from their ISP). Each client connects to the server and creates a VPN tunnel through which traffic from the client can pass. There are commercial OpenVPN providers such as WiTopia, where you can purchase access to an OpenVPN server for a fee of about 5-10 US dollars a month. These providers will also help you install and configure OpenVPN on your computer. A list of such commercial providers is available online. OpenVPN can also be used by a trusted contact in an unfiltered location, providing an OpenVPN server to one or more clients and passing their traffic through his/her computer before continuing on to the Internet. Setting this up correctly is somewhat complicated, however. Despite the open character of the product, it is currently not very well supported on mobile phones. Also, the configuration of this protocol under Windows and Mac OS X requires additional software, while PPTP and L2TP/IPSec are both available by default. Note: there is a portable version of OpenVPN here:

Tips for setting up OpenVPN
To set up your own OpenVPN server and client, follow the documentation provided by OpenVPN. If you want to use OpenVPN to visit blocked Web sites, the following notes are important:
Client
There is a graphical user interface (GUI) available for download for Windows which will make it easy to start and stop OpenVPN as required, and also enables you to configure OpenVPN to use an HTTP proxy to get onto the Internet. To configure OpenVPN to use a proxy server in Linux or Mac OS X, read the relevant section on the OpenVPN Web site.


When choosing between routing and bridging, there is no additional advantage in configuring bridging when your clients just want to use it to bypass Internet censorship. Choose routing. Pay special attention to the section of the guide that explains how to ensure that all traffic from the client is passed through the server. Without this configuration the system will not help you to visit blocked Web pages. If the client computer is behind a very restrictive firewall, and the default OpenVPN port is blocked, it is possible to change the port that OpenVPN uses. One option is to use port 443, which is normally used for secure websites (HTTPS), and to switch to the TCP protocol instead of UDP. In this configuration, it is difficult for firewall operators to differentiate between OpenVPN traffic and normal secure Web traffic. To do this, near the top of the configuration files on both the client and server, replace "proto udp" with "proto tcp" and "port 1194" with "port 443".
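As an added example (not from this manual and not OpenVPN's own code), the following Python script parses a client config in OpenVPN's plain-text format and reports which of the settings just described are missing: proto tcp on port 443, redirect-gateway so all client traffic goes through the server, a tun (routing) device, and the CA/cert/key material the OpenVPN documentation tells you to handle. The remote-cert-tls check goes beyond the text; the host name vpn.example.invalid and both sample configs are constructed placeholders.

```python
"""Audit an OpenVPN client config for the tips above (added example; not part of
this manual or of OpenVPN).  Parses the plain-text .ovpn format (one directive
per line, '#' or ';' comments, inline <ca>...</ca> blocks) and checks for:
proto tcp on port 443, redirect-gateway, tun (routing, not bridging) and the
certificate material the OpenVPN documentation says to handle."""
import re

_INLINE_OPEN = re.compile(r"^<([\w-]+)>$")


def parse_ovpn(text):
    """Return (directives, inline_blocks): a list of (name, [args]) in file
    order, and a dict mapping e.g. "ca" to the body of its <ca>...</ca> block."""
    directives, blocks = [], {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = _INLINE_OPEN.match(line)
        if m:                             # <ca> ... </ca> style inline block
            name, body = m.group(1), []
            while i < len(lines) and lines[i].strip() != f"</{name}>":
                body.append(lines[i])
                i += 1
            i += 1                        # skip the closing tag
            blocks[name] = "\n".join(body)
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives, blocks


def audit_client_config(text):
    """Return a dict of check name -> True (present) / False (missing)."""
    directives, blocks = parse_ovpn(text)

    def args_of(name):
        return [args for n, args in directives if n == name]

    def has(name):
        return bool(args_of(name)) or name in blocks

    # "proto tcp" may be its own directive or the third argument of
    # "remote <host> <port> <proto>"; tcp-client counts as tcp as well.
    tcp = any(a and a[0].startswith("tcp") for a in args_of("proto"))
    ports = [a[0] for a in args_of("port") if a]
    for a in args_of("remote"):
        if len(a) >= 2:
            ports.append(a[1])
        if len(a) >= 3 and a[2].startswith("tcp"):
            tcp = True

    return {
        "proto_tcp": tcp,                          # looks like HTTPS traffic...
        "port_443": "443" in ports,                # ...on the HTTPS port
        "all_traffic_via_vpn": has("redirect-gateway"),
        "routing_not_bridging": any(a and a[0].startswith("tun")
                                    for a in args_of("dev")),
        "server_cert_verified": has("ca"),         # CA used to verify the server
        "client_cert_present": has("cert") and has("key"),
        # beyond the text: refuse a server that presents a client certificate
        "remote_cert_tls_server": any(a and a[0] == "server"
                                      for a in args_of("remote-cert-tls")),
    }


def missing_checks(text):
    """Names of the checks that fail, in a stable order."""
    return [name for name, ok in audit_client_config(text).items() if not ok]


# Constructed sample configs; the host name is a placeholder, not a real server.
WEAK_CLIENT_CONF = """\
client
dev tap
proto udp
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
"""

HARDENED_CLIENT_CONF = """\
client
dev tun
proto tcp
remote vpn.example.invalid 443
redirect-gateway def1
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(placeholder: the CA certificate would go here)
-----END CERTIFICATE-----
</ca>
cert client.crt
key client.key
"""
```

Run missing_checks() on your own .ovpn text: an empty list means every check passed, otherwise the names tell you which of the settings above still need attention.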

Advantages and risks
Once it is set up and configured correctly, OpenVPN can provide an effective way to bypass Internet filters. Since all traffic is encrypted between the client and the server, and can pass through a single port, it is very difficult to distinguish from any other secure Web traffic, such as data going to an online shopping site or other encrypted services. OpenVPN can be used for all Internet traffic, including Web traffic, e-mail, instant messaging and VoIP. OpenVPN also provides a degree of protection against surveillance, as long as you can trust the owner of the OpenVPN server, and you have followed the instructions in the OpenVPN documentation on how to handle the certificates and keys used. Remember that traffic is only encrypted as far as the OpenVPN server, after which it passes unencrypted onto the Internet. The primary disadvantage of OpenVPN is the difficulty of installation and configuration. It also requires access to a server in an unrestricted location. OpenVPN also does not reliably provide anonymity.

An internet connection with personal VPN

With a personal VPN, your traffic is encrypted on your computer, passes through your ISP and on to the VPN Server. Because the data is encrypted, your ISP has no knowledge of what is in your data that they relay on to the VPN Server. Once your data reaches the VPN Server, it is decrypted and forwarded on to its final destination. With the personal VPN, if your data is not using a secure connection then it is still vulnerable from the point it leaves the VPN Server. However, by routing your data through the VPN server, you have achieved two important advantages:

1. Your data is protected from blocking, tracking, or man-in-the-middle attacks conducted by your ISP or network operators in your local country.
2. Your data now appears to use the IP address of the VPN server, and not your real IP address. Most websites gather and retain extensive data based on this IP address, which has now been anonymized.

Personal Riseup VPN anonymizes your connection

Because your traffic appears to originate from the VPN Server, the recipient of your network communication does not know where you actually reside (unless, of course, you tell them). In the case illustrated above, the website in California thinks that the laptop in Brazil, the laptop in Europe, and the giant cell phone floating over Canada are all coming from New York, because that is where the VPN server is.

Limitations of using a personal VPN


If you live in a non-democratic state or country, it may be illegal to use a personal VPN to access the internet.
Using a VPN on your mobile device will secure your data connection, but the telephone company will still know your location by recording which towers your device communicates with.
A VPN helps secure your information while in transit on the internet, but it does not secure your information while in storage on your computer or on a remote server.
Once data is securely routed through the RiseupVPN servers, it goes out to the internet as it normally would. Therefore, you should still use secure connections whenever possible.

Getting and testing a VPN account
In all VPN systems, there is one computer set up as a server (in an unrestricted location), to which one or more clients connect. The setup of the server is out of the scope of this manual and is in general covered by your company or VPN provider. This server is one of the two ends of the tunnel. It is therefore important that the company running this server can be trusted and is located in an area you trust. So to run a VPN, an account is needed at such a trusted server. Please keep in mind that an account can often only be used on one device concurrently. If you want to log in to a VPN with both your mobile and your laptop, it is very well possible that you need two accounts.
An account from your company
A lot of companies are running local VPN servers. It is very well possible you can get an account there easily. Check with your system administrator whether this is possible and ask about the technical possibilities.
An account from a free or commercial VPN provider
If you don't have the possibility to get an account from your company, you can register for an account on the Internet; there are dozens of providers. Although some companies offer free accounts, they seem to be disappearing fast. For a stable account it seems best to go for a paid option. For a few euros a month it is possible to get an account. Always choose a provider that offers a standard protocol like L2TP/IPsec, PPTP or OpenVPN. An explanation of the differences between these standards follows. A (semi up-to-date) overview of free and commercial providers can be found on a providers wiki.

More about VPN standard
PPTP
PPTP is one of the older VPN technologies. While PPTP is known to use weaker encryption than either L2TP/IPSec or OpenVPN, it may still be useful for bypassing Internet blocking and gives some level of encryption. The client software is conveniently built into most versions of Microsoft Windows, Apple and Linux computers, and even mobile phones. It is very easy to set up.

L2TP/IPSec
L2TP (in combination with IPSec) is a very well-known VPN solution. A lot of devices support these VPN connections out of the box. This includes all mainstream operating systems like Windows, Mac OS X and Linux, and support is also standard on both Android and iPhone phones. Unfortunately, setting up a good L2TP/IPSec server is complicated. Because of the widespread implementations of the (complex) protocol, there are some differences between disparate versions. Therefore, the protocol does not always work flawlessly, so check whether it works. If it is running, this is one of the best and safest options.

Testing before and after account setup
If you decide to set up a VPN, it is important to check whether it is working at all. The best way to do that is to check before and after the setup. Before setting up the connection, the "world" will see you from the location where you really are. This can be simply checked on: (make sure you spell this correctly). Although this page is a little commercial, it does do a nice job of displaying your external IP address and the location where you are. Please note, this location is not necessarily your exact location, but in most cases at least the country should be correct. After you have set up your connection, you can visit this page again. It should then display a different location: the location where your VPN provider is located.

1. Before setting up a VPN, this site reports that you are, for example, in China, which is correct.
2. After having set up the VPN, the site tells us that we moved to the USA (California), which is correct: that is where our VPN provider is located. People in Berlin won't be able to sniff our connection.

Riseup VPN
What is the RiseupVPN?
A Virtual Private Network (VPN) is typically used to connect remote workers to the main office network. The RiseupVPN is different: it sends all your internet traffic through an encrypted connection to the Riseup servers, where it then goes out onto the public internet. This type of VPN is sometimes called a "Personal VPN". The goal of a personal VPN is not to securely connect you with a private network, but to securely connect you to the internet as a whole.

Why would you want to use the RiseupVPN?
It is important for everyone to use some technology like a VPN or Tor to encrypt their internet traffic. Why? Because the internet is being broken by governments, internet service providers (ISPs), and corporations.

Broken by governments
Around the world, governments are using the internet for social control, through both surveillance and censorship. While many people are familiar with the censorship of the internet by governments in China and Iran, you may not realize that the US practices active surveillance of internet users' relationships (social network mapping) and the European Union countries require all ISPs and website operators to record and retain personal data on your behavior. With three-strikes laws, many countries now deny citizens access to the internet if accused of file sharing. Some countries forbid the use of new communication technologies, like Skype.

Broken by ISPs
Internet service providers are breaking the internet too. They happily cooperate with government repression, they practice intrusive monitoring of your traffic through deep packet inspection, they track your DNS usage, and they get people thrown in jail, expelled from school, or banned from the internet, merely from the accusation of copyright infringement. Also, ISPs typically limit you to one internet address. If you want to share your internet connection with multiple devices, you must put all the devices on a local network. This works OK if you just want to browse the web, but makes life difficult if you want to take advantage of many applications.

Broken by corporations
Corporations have discovered how to make money from the internet: surveillance. By tracking your online habits, advertising companies build detailed profiles of your individual behavior in order to better sell you useless crap. Every single major internet ad company now uses behavioral tracking. Also, to comply with national copyright, many companies only make their services available to some internet users, those who reside in the 'right' country.

First solution: VPN
Fix your internet by using Riseup VPN
There are many ways that RiseupVPN can help:
1. Protect against ISP surveillance: RiseupVPN eliminates the ability of your ISP to monitor your communication. They have no meaningful records which can be used against you, either by marketers or the state.
2. Protect against corporate surveillance: Most commercial websites use multiple ad networks and traffic analysis services that track your behavior as you browse the web. These companies build detailed profiles of your behavior. The RiseupVPN blocks most of these tracking companies (however, we don't block Facebook). For more information, search for the topic "VPN Filtering".
3. Bypass government censorship: RiseupVPN can entirely bypass all government censorship, so long as you still have access to the internet. Note, however, that careful analysis of your traffic could reveal that you are using a VPN, which may or may not be legal in your jurisdiction.
4. Actually be on the internet: Rather than share a single public IP with many devices, RiseupVPN allows each device to have its own public internet address (even if it is behind a firewall). This allows many applications to work much more effectively.
5. Use peer-to-peer technology: p2p technology has many important and decentralized uses, such as secure backups, guaranteeing public access to information, internet chat, affordable content delivery, etc. Despite this, some ISPs hinder p2p traffic. At some universities, simply using p2p is enough to get your internet cut off. The RiseupVPN bypasses these restrictions and, because you get your own IP, makes p2p applications work much better.
6. Access the entire internet, regardless of where you live: RiseupVPN allows you to pretend to live in any country where we have a VPN server. This gives you access to restricted content only available in those countries. RiseupVPN also allows you to use services that may be blocked in your country, like Skype.
7. Break free from a corporate firewall: So you work for an evil corporation and you try to waste as much time as possible surfing the web? Unfortunately, the corporate firewall probably prevents you from visiting many websites. RiseupVPN will let you entirely bypass these restrictions and gives you access to the whole web.
8. Secure your Wi-Fi connection: Any time you use a public Wi-Fi connection, everyone else using that access point can spy on your traffic. RiseupVPN will prevent this.

Limitations of using RiseupVPN
The RiseupVPN shares some limitations common to all personal VPNs:

An insecure connection is still insecure: Although RiseupVPN will anonymize your location and protect you from surveillance by your ISP, once your data has been securely routed through the VPN it will go out on the internet as it normally would. This means you should still use TLS when available (i.e. https instead of http, imaps instead of imap, etc.).
VPNs are not a panacea: Although VPNs accomplish a lot, they can't fix everything. For example, a VPN cannot increase your security if your computer is already compromised with viruses or spyware. If you give personal information to a website, there is little that a VPN can do to maintain your anonymity with that website or its partners. For more information, search for "VPN anonymity".
The internet might get slower: The RiseupVPN routes all your traffic through an encrypted connection to the Riseup servers before it goes out onto the normal internet. This extra step can slow things down. To minimize the slowdown, try to choose a VPN server close to where you actually live.
VPNs can be difficult to configure: Although we have taken steps to make it as easy as possible, any VPN introduces extra complexity to your networking setup.

Special features of the RiseupVPN
The RiseupVPN is different from most personal VPNs in a few ways:
No logs: We do not keep logs, other than a record of the day a user connects. Specifically, we don't log any IP addresses and we never log DNS queries.
Block trackers and advertisers: The RiseupVPN blocks all the known third-party advertising and behavior tracking companies. This protects you from most, although not all, of the attempts by corporations to track your behavior as you use the internet. For more information, search for "VPN filtering".
Public IP address: When you connect to the RiseupVPN, your computer will get its own public internet IP address, even if your computer normally only has a non-public IP address like. Every time you connect, you will get a different randomly assigned public IP (if we temporarily run out of available public IPs, then you will get a shared IP instead). This makes running certain applications much easier or faster.
Donation-based: In order to ensure that people who need access are able to get it, the RiseupVPN service is paid for by voluntary donations. The RiseupVPN runs on these donations, so if you help, you are helping freedom.
Easy to use: You simply log in using your existing account. For added security, you can use a special VPN secret in place of your normal password. Also, you can connect to the RiseupVPN using a variety of ports and protocols, making it easier to get through firewalls.

How to run the Riseup VPN
A word of caution
Note! When you connect to the internet through the RiseupVPN you are bypassing any firewalls on your local network. Your computer will get its own IP address on the open internet. This is great, because that way your computer can communicate freely with others without getting blocked. However, bypassing the local firewall also means that your computer is more vulnerable to attack. Therefore, you should enable a firewall on your computer.

Choose OpenVPN or PPTP
There are two options for connecting to the Riseup VPN: OpenVPN or PPTP.

OpenVPN
  Security: High. OpenVPN creates a very secure connection.
  Speed: Fast. OpenVPN is speedy.
  Flexibility: High. Many options allow you to get through firewalls.
  Installation: More difficult. Requires a custom client, which can be tricky to install.

PPTP
  Security: Medium. Although commonly used, PPTP has multiple security vulnerabilities.
  Speed: Slower. PPTP can be less efficient than OpenVPN.
  Flexibility: Low. Often blocked by ISPs and firewalls, sometimes unintentionally.
  Installation: Easier. Easier to set up because support is built into your operating system.

Choose a VPN Server
Choose one of these when specifying a “gateway” or “vpn server”: VPN Server Location Western US Eastern US

Setting up OpenVPN

OpenVPN is the recommended method because it is faster and more secure. Also, some ISPs, corporate offices, or public Wi-Fi networks will attempt to block access to a VPN. If you are on one of these networks, your best bet is probably OpenVPN: it is very difficult to block.

In a nutshell
Although each client is different, there are five values that must be configured in your OpenVPN client:

VPN Server: one of the servers listed under “Choose a VPN Server”
Authentication method: password
VPN username: your login name (i.e. just the username, e.g. “joe_hill”)
Password: either your password or a VPN Secret

What is a VPN Secret?
A VPN Secret is a special password that can be used in place of your regular password to access the RiseupVPN. For PPTP connections to the RiseupVPN, a VPN Secret is required. Using a VPN Secret is often better than using your regular password because many VPN clients do not store the password securely. Also, the VPN Secret is very long, which helps to improve the security of PPTP connections.

What happens if an attacker learns my VPN Secret?
If you are using PPTP, then your VPN Secret is sensitive information: it can be used to decrypt your traffic. You should generate a new VPN Secret immediately. Also, if an attacker recorded a history of your prior traffic, they might be able to decrypt it. If you are using OpenVPN, then the VPN Secret is not so important. If an attacker learns your VPN Secret, the worst they can do is use the RiseupVPN with your account. It is still a good idea to generate a new VPN Secret when you can, but you don’t need to worry about your data being compromised.

How do I generate a VPN Secret?
1. Log in to your account
2. Click VPN on the left sidebar
3. Click New VPN Secret

CA Certificate: RiseupCA.pem:

Riseup Certificate Authority
What is a Certificate Authority?
On the internet, a certificate is needed in order to verify the identity of people or computers, and to establish secure connections to services so that nobody can listen in on your connection. All services require secure connections and thus use certificates to verify the identity of the server. For a certificate to be considered valid, it must be blessed by a private corporation that acts as a Certificate Authority. This centralized authority model has troubling social and political ramifications, especially when we rely on it for security. Some day, we hope that alternative, non-hierarchical models will replace this flawed system. Until then, Riseup has purchased certificates from a commercial certificate authority that is recognized by your web browser, mail client, or chat client. These certificates will work seamlessly without any further action on your part. However, some services, like the RiseupVPN, use certificates that are blessed by our own certificate authority. Here is the guide for people who need to download and install this Riseup Certificate Authority.

Download the Riseup CA certificate
Every CA (certificate authority) has a file that is distributed publicly. This file, called a “CA certificate”, is used by your local program to confirm the identity of servers you connect with.

Download the Riseup CA certificate:

Click RiseupCA.pem on the Riseup website and download the latest version.


Alternately, run this on the command line:

$ curl -L -o RiseupCA.pem

All the possible OpenVPN clients require this file. The certificate that was current at the end of 2011 may still work, but you should download the latest version and save it as a plain text file (for example with a text editor such as Notepad).

Verify the Riseup CA certificate (optional)
This verification process is not required in order to use the Riseup CA certificate. However, without verification, you cannot be certain you have downloaded the correct certificate, and you cannot be certain that your connections are secure. Be warned: this verification process is difficult, requires an understanding of OpenPGP, and ultimately depends on knowing someone who has trusted Riseup’s public OpenPGP key. In brief, the steps are:
1. Download the RiseupCA.pem file.
2. Import Riseup’s public PGP key.
3. Verify that the instructions on this page have been signed by Riseup’s PGP key.
4. Calculate the fingerprint of RiseupCA.pem.
5. Compare the fingerprint you calculated with the fingerprint listed, and signed, on this page.

Import Riseup’s public PGP key
On the command line:
$ gpg --keyserver --recv-key 139A768E
There is no particular reason that you should trust this key. You can see who has trusted it:
$ gpg --list-sigs 139A768E

Verify these instructions
Now that you have imported Riseup’s public key, you can verify that the fingerprints listed on this page are really from Riseup.

Copy this text:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

RiseupCA.pem SHA1 Sum: d6b93ab1d0898f845c725550eebe51f281d44096


1. Then run this command:
   gpg --verify
2. Paste the text you copied.
3. Type control-d.
4. You should get output that says:
   gpg: Good signature from "Riseup Networks <>"

You should make sure that it says “Good signature” in the output! If this text has been altered, then this information should not be trusted. Unless you have taken explicit steps to build a trust path to the Riseup Collective key, you will see a warning message similar to:
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
However, you should still see the “Good signature”.

Calculate the fingerprint of RiseupCA.pem
Open a terminal and use sha1sum:
$ sha1sum RiseupCA.pem

Compare the fingerprints
Now that you have calculated the fingerprint, or sha1sum, of RiseupCA.pem, you can compare this value to the value signed by Riseup. If the values match, and you trust the Riseup public PGP key, then you can be confident you are really communicating with Riseup’s servers when using an application that uses RiseupCA.pem.
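As an added example (not part of the Riseup guide), the POSIX shell functions below do the comparison described above for a downloaded PEM file, and also compute the certificate fingerprint that browsers and `openssl x509 -fingerprint` display, to show that it is a different number from the sha1sum of the file: the value Riseup signs is the sha1sum of the whole file, so that is what you must compare. The sample PEM is constructed (its body is just base64 of “abc”) and is not a real certificate; it only exercises the hashing.

```sh
#!/bin/sh
# Added example: compare a downloaded CA file against a signed sha1sum,
# and compute the certificate's SHA-1 fingerprint (hash of the DER body)
# to show that the two values are not interchangeable.
# Needs only coreutils (sha1sum, base64, cut, tr) and sed.

# sha1sum of the whole PEM file: this is the value the Riseup page signs.
file_sha1() {
    sha1sum "$1" | cut -d ' ' -f 1
}

# SHA-1 fingerprint of the certificate itself: decode the base64 body
# between the BEGIN/END lines to DER, hash it, and print it colon-separated
# in upper case, the way certificate viewers show it.
cert_fingerprint() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | sed '1d;$d' \
        | tr -d '\r\n' \
        | base64 -d \
        | sha1sum \
        | cut -d ' ' -f 1 \
        | tr 'a-f' 'A-F' \
        | sed 's/../&:/g; s/:$//'
}

# Returns 0 when the file's sha1sum equals the expected (signed) value.
# Comparison is case-insensitive so a hand-copied upper-case hash still matches.
verify_ca_file() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(file_sha1 "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches signed sha1sum"
        return 0
    fi
    echo "MISMATCH: $file has sha1sum $actual, expected $expected" >&2
    return 1
}

# Constructed sample: a PEM-shaped file whose body is base64 of "abc".
# It is not a real certificate; it only exercises the hashing logic.
make_sample_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'YWJj' '-----END CERTIFICATE-----' > "$1"
}
```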

Optional configuration options:

Port: either 1194, 443, or 80. Port 1194 is the normal default for OpenVPN, but sometimes it might be blocked by the network you are on. You should not normally need to change this setting. If you do, ports 443 and 80 will likely not be blocked, since these are the ports for normal web traffic.
Protocol: either UDP or TCP. UDP is faster, but TCP might be required to get around some network restrictions. UDP is the default, so you only need to fiddle with this if something is blocking your VPN access.
Compression: I haven’t played with this, but it should work.
MTU: you might need to make this a smaller number. Not sure...

Note: if you later move the RiseupCA.pem file, the VPN will break until you specify the new location. For more information on the RiseupCA.pem file, and how to verify it, see Riseup Certificate Authority. After you have saved the configuration, you can click on the network manager applet and apply it. If it worked, you should see a lock in the corner of the applet. When you connect to the VPN for the first time, you may get a dialog box asking you to allow access to a keyring; that is OK. The keyring will keep your VPN password stored in an encrypted format.

VPN on Ubuntu
For Ubuntu there is an excellent network utility: Network Manager. This is the same utility you use to set up your Wireless (or wired) network and is normally in the upper right corner of your screen (next to the clock). This tool is also capable of managing your VPNs, but before it can do so, it's necessary to install some extensions. To install the plugins for Network Manager we will use the Ubuntu Software Center. Open the Ubuntu Software Center from the Applications menu located at the top left of your screen

The Ubuntu Software Center enables you to search, install and remove software on your computer. Click on the search box at the top right of the window.

In the search box, type in "network-manager-openvpn-gnome" (which is the extension that will enable OpenVPN) and/or "network-manager-pptp-gnome" (which is the extension for PPTP). It's necessary to type the full names because the packages are classified as "technical" and don't show up in the normal results. These packages include all the files you need to establish a VPN connection successfully. You can decide to install both extensions or only the one you need.

Ubuntu may ask you for additional permissions to install the program. If that is the case, type in your password and click Authenticate. Once the package is installed, you can close the Software Center window.

To check if the extensions are correctly installed, click on the NetworkManager (the icon at the left of your system clock) and select VPN Connections > Configure VPN.

Click Add under the VPN tab.

If you see a pop-up asking for the type of VPN and the tunnel technology (OpenVPN or PPTP) option is available, this means that you have installed the VPN extension in Ubuntu correctly. If you have your VPN login information ready, you can continue right away; otherwise you first have to get a VPN account from a VPN provider. If this is the case, click Cancel to close the Network Manager. It is up to you to select PPTP or OpenVPN.

Registering an AirVPN account
AirVPN is a free service, but you will need to register at their website to download the configuration files for your VPN connection.
1. Go to the AirVPN website and register for a free account. Make sure you pick a strong password, as this will also be the password for your VPN access. (For tips on strong passwords, see the chapter on "Threats and Threat Assessment" in this book.)
2. On AirVPN's site navigation menu, select More > Access with... > Linux/Ubuntu.

3. Click on "Access without our client". You will be prompted for the same username and password you used when you registered.

4. Select the VPN Mode you would like to configure in NetworkManager (for our example we used "Free - TCP - 53") and leave the rest of the options as they are. Make sure you have checked the Terms of Service agreement at the bottom of the page, and then click Generate.

5. A pop-up window will let you know that the file is ready for downloading. This contains the configuration files and credentials you need to connect to the VPN. Click OK.

Configuring AirVPN on NetworkManager
Before getting started, please be sure you've read the paragraph "testing before and after account set up"; this way you will be able to validate whether your connection is actually working after set up. You can configure NetworkManager to connect to the AirVPN service. Let's assume you received your configuration files and credentials from your VPN provider. This information should contain the following:

- an *.ovpn file, e.g. air.ovpn
- the file ca.crt (this file is specific to every OpenVPN provider)
- the file user.crt (this file is your personal certificate, used for encryption of data)
- the file user.key (this file contains your private key. It should be protected well: losing this file will make your connection insecure)

In most cases your provider will send these files to you in a zip file. Unzip the file you have downloaded to a folder on your hard drive (e.g.: "/home/[yourusername]/.vpn"). You should now have four files. The file "air.ovpn" is the configuration file that you need to import into NetworkManager.

To import the configuration file, open NetworkManager and go to VPN Connections > Configure VPN and Under the VPN tab, click Import.

Locate the file air.ovpn that you have just unzipped. Click Open.

A new window will open. Leave everything as it is and click Apply.

Congratulations! Your VPN connection is ready to be used and should appear on the list of connections under the VPN tab. You can now close NetworkManager.

Using your new VPN connection Now that you configured NetworkManager to connect to a VPN service using the OpenVPN client, you can use your new VPN connection to circumvent Internet censorship. To get started, follow these steps: In the NetworkManager menu, select your new connection from VPN Connections.

Wait for the VPN connection to be established. When connected, a small padlock should appear right next to your NetworkManager icon, indicating that you are now using a secure connection. Move your cursor over the icon to confirm that the VPN connection is active.

You can also check the status of your connection by visiting a free IP-checker website, which should show the VPN server’s IP address instead of your own.

To disconnect from your VPN, select VPN Connections > Disconnect VPN in the NetworkManager menu. You are now using your normal (filtered) connection again.

OpenVPN on GNU/Linux

Gnome
  Installation
  Configuration
  VPN Servers
  VPNAutoconnect
  Troubleshooting
Command Line
  Testing via the command line
  Automatically update resolv.conf

Installation
To install the necessary software, open a terminal (Accessories > Terminal) and type these commands:

For Ubuntu:
  sudo apt-get install network-manager-openvpn-gnome
  sudo service network-manager restart

For Debian:
  sudo apt-get install network-manager-openvpn-gnome
  sudo /etc/init.d/network-manager restart

Configuration
1. Click on the network manager applet. This is a little icon in the Gnome Panel that shows the status of the current network connection.
2. Select the VPN Connections > Configure VPN… menu item.
3. Click the Add button.
4. Choose OpenVPN if you get a choice of VPN type. Then click Create…
5. Use these settings:
   o Gateway: (pick from the list below)
   o Type: password
   o Username: your username.
   o Password: your password or VPN Secret (VPN Secret is preferred).
   o CA Certificate: download RiseupCA.pem as mentioned before.
   o Available to all users: NO! Leave this unchecked.

VPN Servers
For Gateway choose one of the following: VPN Server Location Western US Eastern US

VPNAutoconnect
There is a longstanding bug in Network Manager that prevents the VPN from connecting when you log in, or from reconnecting if the VPN connection gets dropped. In order to fix this problem, we suggest you install VPNAutoconnect. If you are running Debian or Ubuntu, download and open the appropriate .deb file (i386 is for a 32-bit system, and amd64 is for a 64-bit system). Alternately, if you are running Ubuntu, you can add the VPNAutoconnect repository:
  sudo apt-add-repository ppa:barraudmanuel/vpnautoconnect
  sudo apt-get update
  sudo apt-get install vpnautoconnect

Once installed, the VPNAutoconnect icon should appear in your task bar. It looks like this:

Right click on that icon and select preferences. Make sure that Follow Parent and reconnect is checked, if you want the VPN to start automatically. Next, click on the little top tab with an arrow on it:

You will get a form to add a VPN profile that should autoconnect:

For Parent Connection, most people will choose ‘eth0’.
For VPN connection, choose the VPN profile you just added in Network Manager.

Click Save and you are done. Note that if you are using OpenVPN and your home directory is encrypted, the connection will not automatically start up when you login if the Certificate Authority file is stored in your home directory.

Troubleshooting
If OpenVPN is not working, run this to see what is wrong:
  tail -f /var/log/syslog | grep -i vpn

Command Line
If you don’t want to use a graphical interface, you can run OpenVPN from the command line:
  $ sudo openvpn riseup.ovpn
Here is a minimal riseup.ovpn configuration file:
  client
  dev tun
  auth-user-pass ~/vpn/auth.txt
  remote 1194
  ca ~/vpn/RiseupCA.pem
  remote-cert-tls server
  script-security 1
  user nobody
  group nobody

Where auth.txt is a file with two lines: the first is your login name, the second is a VPN Secret. In order for OpenVPN to create the tun device it must be started as root. However, it will change to the user and group you specify. For the user and group options, you can replace nobody with your username, or make auth.txt and RiseupCA.pem readable by nobody. Alternately, you can leave off those options to run OpenVPN as root. For more information see the OpenVPN documentation.

Testing via the command line
Even if you use Network Manager to access the RiseupVPN, it can still be useful to troubleshoot problems by testing the connection via the command line. For example:
sudo openvpn --client --dev tun --auth-user-pass --remote 1194 --ca RiseupCA.pem

Again, see: for more options.

Automatically update resolv.conf
When running OpenVPN from the command line, it will not modify your DNS settings. You really want to use the DNS of the VPN, because then your DNS queries take place over an encrypted connection and they are not logged. The following custom script can be used to make OpenVPN automatically update the DNS correctly. The values for DNS that the VPN server specifies are stored in environment variables, so this custom script will grab these variables and use them to set your DNS.

Requirements:
1. apt-get install resolvconf
2. In your riseup.ovpn configuration, make these changes:
   script-security 2
   up /etc/openvpn/update-resolv-conf
   down /etc/openvpn/update-resolv-conf

The script /etc/openvpn/update-resolv-conf (it must be executable):

#!/bin/bash
#
# Parses DHCP options from OpenVPN to update resolv.conf.
# To use, set as 'up' and 'down' script in your openvpn config:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# credit:
# * Thomas Hood <>
# * Chris Hanson
# *
#
# Licensed under the GNU GPL
#
[ -x /sbin/resolvconf ] || exit 0

case $script_type in
up)
    # OpenVPN exports each pushed option as foreign_option_1, foreign_option_2, ...
    for optionname in ${!foreign_option_*} ; do
        option="${!optionname}"
        echo $option
        part1=$(echo "$option" | cut -d " " -f 1)
        if [ "$part1" == "dhcp-option" ] ; then
            part2=$(echo "$option" | cut -d " " -f 2)
            part3=$(echo "$option" | cut -d " " -f 3)
            if [ "$part2" == "DNS" ] ; then
                IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
            fi
            if [ "$part2" == "DOMAIN" ] ; then
                IF_DNS_SEARCH="$part3"
            fi
        fi
    done
    # Build the resolv.conf fragment, one directive per line.
    R=""
    if [ "$IF_DNS_SEARCH" ] ; then
        R="${R}search $IF_DNS_SEARCH
"
    fi
    for NS in $IF_DNS_NAMESERVERS ; do
        R="${R}nameserver $NS
"
    done
    # Register the fragment for the tunnel interface (e.g. tun0.inet).
    echo -n "$R" | /sbin/resolvconf -a "${dev}.inet"
    ;;
down)
    # Remove the tunnel's entries again when the VPN goes down.
    /sbin/resolvconf -d "${dev}.inet"
    ;;
esac
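As an added example (not part of the Riseup script above), the POSIX shell function below reproduces the parsing that the up) branch performs, run against a constructed set of foreign_option_N variables like the ones OpenVPN exports, so you can see exactly what text would be handed to resolvconf before trusting the hook with your DNS. It differs from the original in two ways: it avoids the bash-only ${!foreign_option_*} expansion, and it keeps every pushed DOMAIN rather than only the last one.

```sh
#!/bin/sh
# Added example: build the resolv.conf fragment that update-resolv-conf
# hands to "resolvconf -a ${dev}.inet", from the foreign_option_N variables
# OpenVPN exports for every option the server pushes. The variables set at
# the bottom are constructed to mimic a pushed config; no VPN is involved.

# Print "search"/"nameserver" lines for the pushed dhcp-option values.
# OpenVPN numbers the variables foreign_option_1, foreign_option_2, ...
# without gaps, so walking them in order until one is unset is enough.
render_resolvconf() {
    search=""
    nameservers=""
    i=1
    while :; do
        eval "option=\${foreign_option_$i:-}"
        [ -n "$option" ] || break
        # Each value looks like: dhcp-option DNS 10.8.0.1
        # Word splitting into $1 $2 $3 is intended here.
        set -- $option
        if [ "$1" = "dhcp-option" ]; then
            case "$2" in
                DNS)    nameservers="$nameservers $3" ;;
                DOMAIN) search="$search $3" ;;   # keep every pushed domain
            esac
        fi
        i=$((i + 1))
    done
    # resolvconf wants one directive per line; the search line is optional.
    if [ -n "$search" ]; then
        printf 'search%s\n' "$search"
    fi
    for ns in $nameservers; do
        printf 'nameserver %s\n' "$ns"
    done
}

# Constructed environment, as OpenVPN would export it for a pushed config.
# In the real hook these come from the server; here they are sample values.
foreign_option_1="dhcp-option DNS 10.8.0.1"
foreign_option_2="dhcp-option DNS 10.8.0.2"
foreign_option_3="dhcp-option DOMAIN vpn.example"
foreign_option_4="redirect-gateway def1"   # not a DNS option: must be ignored
dev="tun0"

# Equivalent of the script's "up" branch, minus the actual resolvconf call:
#   render_resolvconf | /sbin/resolvconf -a "${dev}.inet"
```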

VPN on Android phones
Setting up a VPN with L2TP or PPTP is very simple in Android, although there are some caveats. Before starting, you need server and login information from your VPN provider. Normally you need at least these items:

- username
- password
- VPN server name, e.g. the hostname given by your provider
- pre-shared key (PSK); this is a general password. Most providers will use a certificate instead.
- type of the VPN service: PPTP or L2TP/IPsec

In this example we explain L2TP with a Pre-Shared Key (PSK). This is one of the most complicated versions; all other configurations are less complicated. If you visit an IP-checker website with a browser, you will see your current external IP address and the location where this IP is registered. Check this address again after connecting to the VPN to confirm your secure connection. To set up your VPN, open the Android menu and choose 'Settings'. In the settings menu choose 'Wireless & networks'.

Scroll down a bit; here you will find a VPN settings option. Choose this option, and then at the top you will be able to choose to add a VPN.

Next you need to choose the correct type of VPN. This is a vital step, as VPN types are not interchangeable. The most common types are PPTP and L2TP/IPsec. L2TP/IPsec can be combined with a PSK or CRT option. The first is "Pre-Shared Key", the option common in smaller company VPN networks. The other option is used with some large networks. In this example we will use the "L2TP/IPSec PSK VPN"; choose this option. Next is setting up the parameters for your network. Choose 'VPN name' to set up a name for this connection.

Type a name for your connection. This can be whatever you like to identify this connection with. Confirm with OK. Next choose "VPN Server" and fill in the server name. This name was provided when you received your connection and login information. We use the tunnel server of Greenhost in this example. Once again confirm with "OK".

Next is the pre-shared key. If you use a certificate-based connection, this option does not exist. You should have received your pre-shared key from your VPN provider. The rest of the options are normally not used. Hit the menu & save button of your phone to confirm the settings.

After saving you will return to the VPN overview. Now just click on the newly created connection. The system will ask for your credentials, type them as you received them from your provider.

We use Bill and a password in our example. Press 'Connect'. If everything goes smoothly, you will get a "connected" status after a few seconds. Notice also the new "key" icon in the top bar; here you can see whether your VPN connection is active.

Now return to the IP-checker website to check whether your IP address has changed.

OpenVPN on Android

Requirements
Installation
Create configuration files
  o Mount your sdcard
  o Create the folder openvpn
  o Create the file riseup.ovpn
  o Create the file auth.txt
  o Create the file RiseupCA.pem
  o Unmount your sdcard
Use Riseup DNS
Connect!
Troubleshooting

Requirements
- A rooted Android device.
- A distribution of Android with support for OpenVPN, such as CyanogenMod (the kernel must include the tun/tap modules). Check the CyanogenMod site for compatible devices.

Installation
Install OpenVPN Settings. The app can be installed from the Market app or from the project’s website, and it is Free Software. OpenVPN Settings is an Android app whose purpose is to start, stop and monitor the state of OpenVPN tunnels, in a style very similar to the Wi-Fi Settings app that comes with Android. For more information, and to keep in touch with the developer, see the project’s links.

Create configuration files
Mount your sdcard
Plug a USB cable from your Android device to your computer. On the Android device, there will then be an option in the notification pull-down to copy files to your computer. Select this, and then click “Turn on USB storage”. The sdcard of your device should now be accessible from your computer.

Create the folder openvpn
From your desktop, create a folder on the sdcard called openvpn.

Create the file riseup.ovpn
Inside the openvpn folder, create the file riseup.ovpn with these contents:
  client
  dev tun
  auth-user-pass auth.txt
  remote
  ca RiseupCA.pem
If you are on a network that has filters in place, try adding one of these options to your configuration:

To look like DNS traffic:
  port 53
  proto udp

To look like TLS web traffic:
  port 443
  proto tcp

For the remote line, choose one of the servers listed under “Choose a VPN Server” above.

Create the file auth.txt
Inside the openvpn folder, create the file auth.txt with these contents:
  <riseup username>
  <riseup password or VPN Secret>
For example:
  joe_hill
  jqn8f6H9f0mopwqj890ajgha
Rather than use your password, it is better to use a VPN Secret; generate one as described under “How do I generate a VPN Secret?” above.

Create the file RiseupCA.pem
Download RiseupCA.pem into the openvpn folder as mentioned before. For more information on this file, see Riseup Certificate Authority.

Unmount your sdcard
Once you have created these files, you must unmount the sdcard from your computer and then turn off USB storage on your Android device.

Use Riseup DNS
1. Open the OpenVPN Settings app.
2. Long-click on riseup.ovpn.
3. Check: Use VPN DNS Server.
4. Set VPN DNS Server to the Riseup DNS address.
5. Hit the back button on the device.

Connect!
1. Open the OpenVPN Settings app.
2. Click on riseup.ovpn to connect.

Currently, there seems to be a bug where you might have to click twice to actually connect.

On some versions of CyanogenMod, you may need to configure the module loading under advanced settings:
- Load tun kernel module: checked.
- Load module using: insmod
- Path to tun module: /system/lib/modules/tun.ko

The current version of OpenVPN Settings doesn’t let you see the error message when OpenVPN fails. However, you can install the free software “aLogcat” and then set a filter to ‘vpn’ to see the OpenVPN errors.

Rooting Any Android Phone
Most retail devices running the Android operating system must be rooted in order to install custom versions of the Android system such as CyanogenMod. Rooting is a process that allows users of mobile phones and other devices running the Android operating system to attain privileged control. With all the different devices out there running different versions of Android, the rooting process can be a little different for every phone. Here’s a guide that should get you up and running with root access, no matter what device you have. Rooting, for those of you who don’t know, is similar to running programs as administrator in Windows, or running a command with “sudo” in Linux. With a rooted phone, you can run more apps (like backup or tethering apps), as well as flash custom ROMs to your phone, which add all sorts of extra features.

For most Android Phones: The SuperOneClick Method The majority of you will be able to use SuperOneClick for Windows to root your phone. This method works on most Motorola devices, the Dell Streak, the Nexus One, the Samsung Galaxy S, and most Sony Ericsson models. However, it should work on many more. If you want to double check that SuperOneClick will work with your phone, a quick Google (e.g. SuperOneClick galaxy s) will probably reveal whether it is compatible.

What you’ll need
- A Windows PC: a working Windows PC is needed to get this working.
- The USB drivers for your phone: you’ll have to grab these from your manufacturer’s website.
- SuperOneClick: this is the Windows program that will root your phone. It’s portable, so just download the latest version (search for it) and unzip it somewhere safe; no installation is necessary.

The Process
First, find, download and install the USB drivers for your particular phone. You can generally Google for your device’s drivers, but you can also head to your manufacturer’s website and navigate to your device’s support page. Install the drivers once they’re downloaded.

Next, make sure your phone is in USB Debugging mode. Head to Settings > Applications > Development and check the USB Debugging box at the top.

Once you’ve done all that, start up SuperOneClick. Plug in your phone (make sure NOT to mount the SD card), and hit the “Root” button to root your phone; it’s that simple. When it finishes, you’ll see a message that says “Root files have been installed!” Hit Yes if it asks you to run a test, and if everything went according to plan, it should confirm that you have root permissions. You can now close the app.

To double-check that everything went well, open your app drawer: you should see an app called “Superuser”. If so, you’re good to go! You can now flash custom ROMs, run root-only apps, and more.

Here are the steps in brief:
1. Settings -> Applications -> enable Unknown Sources
2. Settings -> Applications -> Development -> enable USB Debugging
3. Connect your phone to the computer with a USB cable (make sure NOT to mount the SD card)

Compatible models: Legend 1.6, Google Nexus One 2.2, HTC Hero 2.1, HTC Magic 1.5, HTC Tattoo 1.6, HTC Desire 2.2, Dell Streak 2.1, Motorola Milestone 2.1, Motorola XT701, Motorola XT800 2.1, Motorola ME511, Sony Ericsson X10 1.6, Sony Ericsson X10 Mini Pro 1.6, Acer Liquid 2.1, Vibo A688 1.6. Rooting is a prerequisite for flashing a custom ROM like CM7.1 (CyanogenMod).

Install CyanogenMod 7.1
The stable build of CyanogenMod 7.1.0 is based on Android 2.3.7 Gingerbread and supports 28 new devices, named below: HTC Desire S, HTC Incredible S, HTC Incredible 2, LG Optimus 2X and T-Mobile G2x, Motorola Backflip (Motus), Motorola Cliq / Cliq XT, Motorola Defy, Motorola Droid 2, Motorola Droid X, Samsung Captivate, Samsung Fascinate, Samsung Mesmerize, Samsung Showcase, Samsung Vibrant, Samsung Galaxy S, Samsung Galaxy S2 (multiple carriers), Sony Ericsson Xperia X8, Sony Ericsson Xperia Mini, Sony Ericsson Xperia Mini Pro, Sony Ericsson Xperia Neo, Sony Ericsson Xperia Play, Sony Ericsson Xperia Ray, Sony Ericsson Xperia Arc, ZTE V9. New features include support for a Bluetooth mouse, touch-to-focus in the Camera app, and enhanced swipe-to-clear in the notifications drawer. You need to ensure a few things before going ahead and flashing the latest version of CyanogenMod.

1- Your phone must be rooted (see the section above), or see the details below for the Galaxy S II. For other devices, perform a Google search: “how to root <your device name here> on <version of Android you’re using here>”. There are hundreds of Android smartphones and tablets on the market; you can find out your version of Android by tapping the Menu key and navigating to Settings > About.

Here is how to root a Galaxy S II:
- Download Samsung Kies (free) from Samsung’s website, or search Google for it.
- Download the latest version of Odin and extract it.
- Download SuperOneClick (latest version) and extract it.
- Download a compatible kernel for your device and extract it to reach the .tar file.
Process: Go to the Odin folder and run Odin.exe, and be sure USB debugging is on. Turn off your phone > hold Volume Down + Home + Power to go to download mode > confirm the question with Volume Up (now a green Android icon is in the center and red “Odin mode” on top) > put XWKDD_INSECURE.TAR in the PDA section of the Odin program > tick F. Reset Time and Auto Reboot > click Start > wait for the next steps; after all of them your device will restart.

2- You should also have ClockworkMod Recovery (CWM) installed. Download ROM Manager (free) from the Market link:
Process for the Galaxy S II, with Wi-Fi: after rooting the phone and installing ROM Manager, connect to the internet, launch ROM Manager, tap "Flash ClockworkMod Recovery", select your phone and wait for it to finish. Many phones exist in several models that need different builds of CWM, so once again use Google to find out exactly which model you have. We have a Samsung Galaxy S II, so we chose that option.

- Your phone will reboot after downloading and flashing CWM. To boot into CWM you have two options. The first is to launch ROM Manager and tap "Reboot into Recovery". If that does not work for you (it does not for us on our Galaxy S II), the second option is to reboot into CWM manually: shut the phone down by holding the power button, then hold an exact button combination while it boots. For most phones it is Volume Down + Power, but look up "how to boot into clockworkmod recovery <your device name here>" to be sure you have the right combination. For the record, our Galaxy S II needs Volume Up + Home + Power held while booting to get into CWM.

- Without Wi-Fi: after rooting, first download the recovery .tar named below, then turn the phone off and hold Volume Down + Home + Power to enter download mode manually; confirm the prompt with Volume Up (green Android icon in the centre, "Odin mode" in red at the top). Open Odin, select GTI9100_ClockworkMod-Recovery_4.0.0.1.tar in the PDA slot, tick F. Reset Time and Auto Reboot, click Start and wait; the device restarts when done.
3- Have at least 200MB of free space on the phone's internal memory or microSD card.

4- The phone must have enough battery to last through the whole process. Running out of battery while flashing can brick the phone, and restoring it may be difficult or, in some cases, impossible.
5- Download the CyanogenMod 7.1 .zip for your phone from . Make sure the file really is for your device by checking your device's codename from , and compare the file's checksum with the one published next to the download before going any further. For the Sony Ericsson Xperia X8 you can also use this link:
6- Copy the .zip file to the root (top-level directory) of the phone's storage, for example over a USB cable.
7- Once the transfer is complete, turn the phone off.
8- Boot into ClockworkMod Recovery (CWM) with the key combination for your device (it differs between devices; look it up).
9- Using the volume up/down, home and back keys, go to backup and restore > backup. CWM now takes a so-called nandroid backup of the device, which you can restore later if you want to go back to the current setup.
10- When the backup is complete, go to mounts and storage and format /system, then /data and /cache. Go back to the main menu and also run wipe data / factory reset.
11- This is the step that flashes CM7.1: from the main menu choose install zip from sdcard > choose zip from sdcard > (the file you downloaded above). Flashing of CyanogenMod 7.1 now begins.
12- When flashing is complete, reboot the device with reboot system now from CWM's main menu. If you followed the steps correctly, the phone boots into a freshly installed Android 2.3.7 Gingerbread-based stable build of CyanogenMod 7.1.
Notice: I obviously couldn't test the method on every device, but I did try it out on our Samsung Galaxy S II and can confirm that it works absolutely fine!
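Before step 8, while the phone is still connected over USB, you can check the downloaded zip against your device without booting into recovery. The following script is an added example for this guide (it is not CyanogenMod or ClockworkMod code): it reads the zip's updater-script, the same file CWM executes, pulls out the device codenames the script asserts on, and compares the zip's MD5 with the checksum published beside the download. The sample zip it builds is constructed here, and the codename galaxys2 in it is an assumption; take your real codename from adb shell getprop ro.product.device.

```python
#!/usr/bin/env python3
"""Pre-flight check of a CyanogenMod update zip before flashing it.

Added example for this guide; not code from CyanogenMod or ClockworkMod.
It reads the recovery script that CWM runs (META-INF/com/google/android/
updater-script), extracts the device codenames the script asserts on, and
compares the file's MD5 with the checksum published next to the download.
The sample zip below is constructed; the codename "galaxys2" is assumed.
"""
import hashlib
import io
import re
import zipfile

UPDATER_SCRIPT = "META-INF/com/google/android/updater-script"
# Edify device asserts look like:
#   assert(getprop("ro.product.device") == "galaxys2" ||
#          getprop("ro.build.product") == "galaxys2");
DEVICE_ASSERT = re.compile(
    r'getprop\("ro\.(?:product\.device|build\.product)"\)\s*==\s*"([^"]+)"')


def target_devices(zip_bytes: bytes) -> set:
    """Codenames the ROM's updater-script accepts; empty set if it asserts nothing."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if UPDATER_SCRIPT not in zf.namelist():
            raise ValueError("not a recovery-flashable zip: no updater-script")
        script = zf.read(UPDATER_SCRIPT).decode("utf-8", "replace")
    return set(DEVICE_ASSERT.findall(script))


def md5_hex(data: bytes) -> str:
    """MD5 in the hex form CyanogenMod publishes beside each download."""
    return hashlib.md5(data).hexdigest()


def safe_to_flash(zip_bytes: bytes, my_codename: str, published_md5: str) -> tuple:
    """(ok, reason): ok only if the checksum matches and the script names my device."""
    if md5_hex(zip_bytes) != published_md5.lower():
        return False, "checksum mismatch: download is corrupt or not the published file"
    devices = target_devices(zip_bytes)
    if not devices:
        return False, "zip asserts no device: refuse, it would flash onto anything"
    if my_codename not in devices:
        return False, f"built for {sorted(devices)}, not for {my_codename}"
    return True, "ok"


def build_sample_zip(codename: str, with_assert: bool = True) -> bytes:
    """Constructed stand-in for a CM7 zip: only the updater-script matters here."""
    lines = []
    if with_assert:
        lines.append(f'assert(getprop("ro.product.device") == "{codename}" || '
                     f'getprop("ro.build.product") == "{codename}");')
    lines += ['ui_print("Flashing sample ROM...");', 'show_progress(0.500000, 0);']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(UPDATER_SCRIPT, "\n".join(lines) + "\n")
        zf.writestr("system/build.prop", f"ro.product.device={codename}\n")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # usage: cm_preflight.py update.zip <codename from adb getprop> <published md5>
    data = open(sys.argv[1], "rb").read()
    ok, why = safe_to_flash(data, sys.argv[2], sys.argv[3])
    print(("FLASH" if ok else "DO NOT FLASH") + ": " + why)
    sys.exit(0 if ok else 1)
```

The device assert is the same check CWM performs when it reports "assert failed" and aborts; running it here, together with the checksum, means you find out about a wrong or corrupt download before you have wiped /system, not after.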

Setting VPN for Mac
Setting up a VPN on Mac OS X is easy once you have your account details ready. Let's assume you have the credentials for an L2TP/IPsec connection from your VPN provider. Typically they consist of the items below; in practice we recommend the Riseup gateway with your Riseup account, which Riseup runs on donations. Thanks Riseup!

- Username, ex. bill2
- Password, ex. verysecretpassword
- VPN server, ex.
- A Pre-Shared Key or machine certificate

1. Before getting started, read the paragraph "testing before and after account set up" so that you can check whether the connection is actually working once it is configured.
2. A VPN is configured in the Network settings, reachable via "System Preferences..." in the Apple menu.

Next, open the Network preferences.

OS X locks this preference pane against changes. To add a VPN you first need to unlock it: click the padlock at the bottom left of the window and enter your user credentials.

Now we can add a new network. Do this by clicking on the "+" sign

In the pop-up you need to specify the type of connection: choose a VPN interface with L2TP over IPSec, the most common kind. Also give the connection a recognisable name.

Next comes the connection data. Fill in the server name and user name (called "Account Name") you were given, then click the "Authentication Settings..." button.

In the new pop-up you specify how the user and how the machine are authenticated. The user is most commonly authenticated with a password, although other methods are possible. Machine authentication is usually done with a Shared Secret (Pre-Shared Key, PSK), but quite often with a certificate instead. Here we use the Shared Secret method. If the provider publishes one pre-shared key for all its users, it protects only the IPsec layer and is not a secret that identifies you; your own password still does that, so treat it as such. When done, click OK.

Now you are back in the Network pane. The next step is important, so click "Advanced...".

In the new pop-up you will see the option "Send all traffic over VPN connection". Enable it: without it only traffic destined for the VPN's own networks uses the tunnel, and everything else leaves your machine unencrypted over the normal connection.

Well, all is done. Now hit the Connect button!

A pop-up appears. You need to confirm your changes, just hit "Apply"

After a few seconds, on the left side the connection should turn green. If so, you are connected!

Ok, now test your connection!
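The "test your connection" step deserves more than a glance at the green light. What matters is whether your machine's default route now points at the tunnel; if it does not, the VPN is up but your traffic ignores it, which is exactly the failure of the TUN-without-administrator setup on Windows described later in this chapter. The script below is an added example (not from the guide, from Riseup or from any VPN client): it parses the routing table from netstat -rn (macOS/BSD) or ip route (Linux) and reports whether the tunnel carries everything. It also recognises OpenVPN's redirect-gateway def1 idiom, which leaves the real default route alone and adds 0.0.0.0/1 and 128.0.0.0/1 through the tunnel instead. The routing tables embedded in it are constructed samples.

```python
#!/usr/bin/env python3
"""Does the VPN really carry all traffic?  Check who owns the default route.

Added example, not part of the original guide or of any VPN provider's tools.
Reads the routing table (`netstat -rn` on macOS/BSD, `ip route` on Linux) and
answers one question: is the default route on a tunnel interface (ppp*, tun*,
tap*, utun*)?  OpenVPN's `redirect-gateway def1` does not replace the default
route; it adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel instead, so that pair
is accepted as equivalent.  The sample tables below are constructed.
"""
import re
import subprocess
import sys

TUNNEL_IFACE = re.compile(r"^(ppp|tun|tap|utun)\d+$")
IFACE_TOKEN = re.compile(r"^[a-z]+\d+$")          # en0, lo0, ppp0, eth0 ...

# destinations that cover "everything": the real default, or the two def1 halves
COVERING = {
    "default": "all", "0.0.0.0": "all", "0.0.0.0/0": "all",
    "0.0.0.0/1": "low", "0/1": "low",
    "128.0.0.0/1": "high", "128.0/1": "high",
}


def covering_routes(table: str) -> list:
    """[(destination, gateway, interface)] for each route whose destination is in COVERING."""
    found = []
    for line in table.splitlines():
        f = line.split()
        if not f or f[0] not in COVERING:
            continue
        if "dev" in f:                                  # Linux `ip route` syntax
            gw = f[f.index("via") + 1] if "via" in f else "-"
            iface = f[f.index("dev") + 1]
        else:                                           # BSD/macOS `netstat -rn` syntax
            gw = f[1] if len(f) > 1 else "-"
            iface = next((t for t in f[2:] if IFACE_TOKEN.match(t)), "?")
        found.append((f[0], gw, iface))
    return found


def tunnel_carries_all_traffic(table: str) -> bool:
    """True if the first real default route is on a tunnel, or both def1 halves are."""
    first_default = None
    halves = set()
    for dest, _gw, iface in covering_routes(table):
        kind = COVERING[dest]
        if kind == "all":
            if first_default is None:
                first_default = iface
        elif TUNNEL_IFACE.match(iface):
            halves.add(kind)
    if first_default is not None and TUNNEL_IFACE.match(first_default):
        return True
    return {"low", "high"} <= halves


# Constructed sample: macOS before connecting.
MAC_NO_VPN = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           32        0     en0
127                127.0.0.1          UCS             0        0     lo0
192.168.1/24       link#4             UCS             2        0     en0
"""

# Constructed sample: macOS L2TP with "Send all traffic over VPN connection".
MAC_L2TP_ALL_TRAFFIC = """\
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            10.9.0.1           UGScg          20        0    ppp0
default            192.168.1.1        UGScI           3        0     en0
10.9.0.1           10.9.0.2           UH              1        0    ppp0
192.168.1/24       link#4             UCS             2        0     en0
"""

# Constructed sample: Linux, OpenVPN with redirect-gateway def1 (default untouched).
LINUX_OPENVPN_DEF1 = """\
0.0.0.0/1 via 172.27.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto static
128.0.0.0/1 via 172.27.0.1 dev tun0
172.27.0.0/22 dev tun0 proto kernel scope link src 172.27.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""

# Constructed sample: tunnel is up but nothing is routed through it.
LINUX_TUN_UP_NO_REDIRECT = """\
default via 192.168.1.1 dev eth0 proto static
172.27.0.0/22 dev tun0 proto kernel scope link src 172.27.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""


def current_table() -> str:
    """Run the platform's route listing (assumes iproute2 on Linux, netstat elsewhere)."""
    cmd = ["ip", "route"] if sys.platform.startswith("linux") else ["netstat", "-rn"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    table = current_table()
    for dest, gw, iface in covering_routes(table):
        print(f"{dest:12} via {gw:16} on {iface}")
    if tunnel_carries_all_traffic(table):
        print("OK: all traffic is routed through the tunnel")
    else:
        print("WARNING: the default route is NOT on the tunnel; traffic bypasses the VPN")
        sys.exit(1)
```

Run it once before connecting and once after; the answer must change from WARNING to OK. A tunnel interface that exists but owns no covering route, as in the last sample, is precisely the "appears to work" case, and it is invisible in the VPN client's own status display.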

OpenVPN on Mac
Accessing the Riseup VPN using OpenVPN on Mac. The OpenVPN client for Mac is called "Tunnelblick".

You can download Tunnelblick from . An older version is available here: . Double-click the downloaded file and drag Tunnelblick to your Applications folder. TODO: build a pre-configured deploy version of Tunnelblick with the CA certificate already included, so that you just download and run.

Download Riseup CA
Download the RiseupCA.pem file (as explained before) and save it to your Library folder. Note that there are two Library folders, one at /Library and one at /Users/username/Library/. Either works, but remember which one you used; you will need the path later. Also, for some reason, Mac text editors like to add a ".txt" extension to the certificate file. If that happens, locate the file, choose Get Info, scroll down, uncheck "Hide extension" and rename the file to "RiseupCA.pem" rather than "RiseupCA.pem.txt". For more information on the RiseupCA.pem file, see the Riseup Certificate Authority section.

Open a Finder window and, starting in your home directory, navigate to Library → Application Support → Tunnelblick → Configurations. Inside "Configurations" create a plain text file; let's call it "riseup.ovpn". Once again Mac OS may try to add a ".txt" extension, which you must remove: the file has to end in .ovpn. Put the following text into the file (replacing my-mac-username with your Mac OS user name, and VPN-SERVER with one of the gateways listed below):

client
dev tun
auth-user-pass
remote VPN-SERVER 1194
ca /Users/my-mac-username/Library/RiseupCA.pem

For VPN-SERVER, choose one of the following:

VPN Server    Location
              Western US
              Eastern US

Once the configuration is in place, double-click Tunnelblick; it asks for your Riseup username and password and stores them in your Keychain. You can also connect from the Tunnelblick menu at the top right of the screen. Rather than your Riseup password, we suggest you use a VPN Secret, as explained before; get one from this link: . Once connected, clicking the Tunnelblick icon at the top right should show "1 connection active". You're done!

If the connection doesn't work, check these:
1. Where is the RiseupCA.pem file saved? Make sure you can find it in the Finder and that the path is the same as the one in your configuration file.
2. Did you remove the .txt extension from both the certificate file and the configuration file? The config file must end in .ovpn.
3. If you cannot use the internet while connected, your ISP may be blocking port 1194. To change the port OpenVPN uses, replace 1194 with 80 or 443 in the configuration above.
4. By default OpenVPN uses UDP. That is faster, but sometimes you need TCP to get it to work; to switch, add the line proto tcp to the configuration.

VPN on Windows
Setting up a VPN on Windows is easy once you have your account details ready. Let's assume you have the credentials for an L2TP/IPsec connection from your VPN provider. They should contain the following:

- Username, ex. bill2
- Password, ex. verysecretpassword
- VPN server, ex.
- A Pre-Shared Key or machine certificate

1. Before getting started, read the paragraph "testing before and after account set up" so that you can check whether the connection is actually working once it is configured.

2. Go to the Windows "Network and Sharing Center" to create a new VPN connection. The quickest way is to click the network icon next to the system clock and choose "Open Network and Sharing Center".
3. The "Network and Sharing Center" opens and shows some information about your current network. Click "Connect to a network" to add a VPN connection.

4. The wizard to setup a connection will popup. Choose the option to "connect to a workplace", which is Microsoft's way of naming a VPN connection.

5. The next screen asks whether to use your Internet connection or an old-school dial-up line to reach the VPN. Choose the first option.

6. The next screen asks for the connection details. Enter here the server of your VPN-provider (called "Internet address" in this dialog). On the bottom please check the box "Don't connect now; just set it up". Using this option the connection will be automatically saved and it's easier to control extra settings. If this is all done, hit the "next" button.

7. Next come your username and password; enter them exactly as you received them from your VPN provider. If the connection fails, Windows forgets them, so keep them at hand; you may need them again later. Then click "Create".

8. Your connection is now available: if you click the network icon again, the name of your VPN connection appears in the network menu.
9. Click it, then click "Connect".

10. A VPN connection dialog appears, giving you the chance to review the settings and connect. You can try to connect straight away and let Windows discover the remaining settings automatically. Unfortunately that does not always work; if it fails for you, hit the "Properties" button.
11. The Properties window appears. The most important page is "Security"; click the Security tab to open it.

12. In the Security tab you specify the VPN type, normally L2TP/IPSec or PPTP. Prefer L2TP/IPSec; PPTP has the weaknesses described in the PPTP section. For L2TP/IPSec also have a look at the Advanced settings.

13. In the Advanced Settings window you specify whether you use a pre-shared key or a certificate, depending on your VPN provider. If you received a pre-shared key, select that option and enter the key. Click OK, and click OK again in the previous window.

14. Back in the connection window, try to connect now. Make sure your username and password are filled in.

15. A connection popup will appear

16. Online! Don't forget to check if your VPN is working properly.

OpenVPN on Windows
Accessing the Riseup VPN using OpenVPN on Windows

- Install OpenVPN
- Install RiseupCA.pem
- Configure OpenVPN
- Start OpenVPN
- Problems
- Saving Passwords
- Using TUN instead of TAP

Although OpenVPN is generally preferred over PPTP, it is harder to get working on Windows. If you cannot get it to work, PPTP on Windows is the fallback; read the PPTP section for what you give up.

Install OpenVPN
Download the OpenVPN Windows installer from and run it. Take the current stable release from that page and verify its signature before running it: an installer that becomes your VPN client is exactly the file an attacker would like to tamper with. You want the "Windows installer". As of this writing the current stable version is . A portable version of OpenVPN is available here:

Install RiseupCA.pem
Grab RiseupCA.pem from and save it to C:\Program Files\OpenVPN\config\. (If you pick a different location, change the line ca RiseupCA.pem in the configuration to the full path.) For more information on RiseupCA.pem, see the Riseup Certificate Authority section.

Configure OpenVPN
Open Notepad (Start button → All Programs → Accessories → Notepad) and paste these configuration options (replacing VPN-SERVER with one of the gateways listed below):

client
dev tap
remote VPN-SERVER
auth-user-pass
ca RiseupCA.pem

Save the file as C:\Program Files\OpenVPN\config\RiseupVpn.ovpn and close Notepad. For VPN-SERVER, choose one of the following:

VPN Server    Location
              Western US
              Eastern US

Start OpenVPN
Start the OpenVPN client (Start button → All Programs → OpenVPN → OpenVPN GUI). It should prompt you for your username and password.

Saving Passwords
Password storage in the Windows client is insecure: the current version offers no way to save your password. Builds with this option enabled do exist, but they store the password in clear text. So instead of your Riseup password, use a VPN Secret. Storing the VPN Secret in clear text is acceptable: it is a separate credential that grants nothing but VPN access, and you can generate a new one whenever you like.

Using TUN instead of TAP
If you use dev tun instead of dev tap in the configuration file, you must run OpenVPN as administrator. Otherwise it will appear to work, but none of your traffic actually goes over the RiseupVPN: without administrator rights the client cannot install its routes, so everything keeps leaving over your normal connection. Check this rather than assume it. To run OpenVPN as administrator, right-click the OpenVPN GUI application, choose Properties, open the Compatibility tab and tick "Run this program as an administrator". The OpenVPN GUI is under Start button → All Programs → OpenVPN → OpenVPN GUI.

OpenVPN Troubleshooting
Fixing OpenVPN when things go wrong

Error Messages
“AUTH: Received AUTH_FAILED control message”: the password is wrong.
“No VPN secrets!”: the keyring is not working and returned an empty username and password.

General Tips
Example logs:
  openvpn: TUN/TAP device tun0 opened
  openvpn: /sbin/ifconfig tun0 172.27.0.X netmask mtu 1500 broadcast
  openvpn: /usr/lib/network-manager-openvpn/nm-openvpn-service-openvpn-helper tun0 1500 1541 172.27.0.X init
  openvpn: OpenVPN 2.1.3 x86_64-pc-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [MH] [PF_INET6] [eurephia] built on Mar 11 2011
  openvpn: WARNING: No server certificate verification method has been enabled. See for more info.
  openvpn: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
  openvpn: UDPv4 link local: [undef]
  openvpn: UDPv4 link remote: [AF_INET]
  openvpn: [] Peer Connection Initiated with [AF_INET]
  openvpn: Initialization Sequence Completed
Two lines deserve attention even though the connection came up. The WARNING means the client checks that the gateway's certificate was issued by the CA, but not that it is a server certificate; add remote-cert-tls server to the configuration to make OpenVPN insist on one. The NOTE about --script-security is expected with NetworkManager, which uses a helper script to configure the interface.

Example logs:
  NetworkManager: <info> Starting VPN service 'openvpn'...
  NetworkManager: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 5615
  NetworkManager: <info> VPN service 'openvpn' appeared; activating connections
  NetworkManager: <info> VPN plugin state changed: 3
  NetworkManager: <info> VPN connection 'openvpn' (Connect) reply received.
  NetworkManager: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
  NetworkManager: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
  NetworkManager: <info> VPN connection 'openvpn' (IP Config Get) reply received.
  NetworkManager: <info> VPN Gateway:
  NetworkManager: <info> Internal Gateway:
  NetworkManager: <info> Tunnel Device: tun0
  NetworkManager: <info> Internal IP4 Address: 172.27.0.X
  NetworkManager: <info> Internal IP4 Prefix: 22
  NetworkManager: <info> Internal IP4 Point-to-Point Address:
  NetworkManager: <info> Maximum Segment Size (MSS): 0
  NetworkManager: <info> Forbid Default Route: no
  NetworkManager: <info> Internal IP4 DNS:
  NetworkManager: <info> DNS Domain: '(none)'
  NetworkManager: <info> VPN connection 'openvpn' (IP Config Get) complete.
  NetworkManager: <info> Policy set 'openvpn' (tun0) as default for IPv4 routing and DNS.
  NetworkManager: <info> VPN plugin state changed: 4
The second-to-last line is the one that shows a correct setup: NetworkManager made tun0 the default for IPv4 routing and DNS, so all traffic, name lookups included, goes through the tunnel. If that line is missing, the VPN is up but your traffic is not using it.
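The WARNING line in the OpenVPN log above ("No server certificate verification method has been enabled") is what the Mac and Windows configurations earlier in this chapter produce: they name a CA, but never demand that the peer present a server certificate, so any certificate chaining to that CA is accepted as the gateway. The script below is an added example, not Riseup's or OpenVPN's code. It audits a client .ovpn for that gap and for the password-handling problems discussed under Saving Passwords, and produces a hardened copy. The configurations inside it are constructed, and vpn.example.invalid is a placeholder for the gateway name.

```python
#!/usr/bin/env python3
"""Audit an OpenVPN client configuration for the weaknesses this chapter warns about.

Added example for this guide; it is not Riseup's or OpenVPN's code.  It checks
that the config names a CA, that it insists the peer present a *server*
certificate (otherwise OpenVPN logs "No server certificate verification method
has been enabled"), that credentials are not read from a clear-text file, and
that the password is not cached after the handshake.  The sample configs are
constructed; vpn.example.invalid stands in for a gateway host name.
"""

SERVER_VERIFY = {"remote-cert-tls", "ns-cert-type", "tls-remote"}   # any one will do


def parse_directives(text: str) -> list:
    """[(directive, [args])], skipping comments, blank lines and inline <ca>...</ca> blobs."""
    directives, in_block = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            directives.append((in_block, ["<inline>"]))
            continue
        parts = line.split()
        directives.append((parts[0], parts[1:]))
    return directives


def audit_ovpn(text: str) -> list:
    """[(severity, message)] sorted error, warning, info.  Empty list means clean."""
    d = parse_directives(text)
    names = {n for n, _ in d}
    findings = []
    if "remote" not in names:
        findings.append(("error", "no 'remote' line: nothing to connect to"))
    if "ca" not in names:
        findings.append(("error", "no 'ca' line: the gateway's certificate chain is never checked"))
    if not (SERVER_VERIFY & names):
        findings.append(("error", "no server certificate verification: any certificate from the CA "
                                  "is accepted as the gateway; add 'remote-cert-tls server'"))
    for name, args in d:
        if name == "auth-user-pass" and args:
            findings.append(("warning", f"credentials are read from '{args[0]}' in clear text; "
                                        "if you must, put a VPN secret there, never your account password"))
        if name == "script-security" and args and args[0] in ("2", "3"):
            findings.append(("warning", f"script-security {args[0]} lets the config run external scripts"))
    if "auth-user-pass" in names and "auth-nocache" not in names:
        findings.append(("info", "add 'auth-nocache' so the password is dropped from memory after the handshake"))
    order = {"error": 0, "warning": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def hardened(text: str) -> str:
    """The same config with the missing server-verification and auth-nocache lines appended."""
    names = {n for n, _ in parse_directives(text)}
    extra = []
    if not (SERVER_VERIFY & names):
        extra.append("remote-cert-tls server")
    if "auth-user-pass" in names and "auth-nocache" not in names:
        extra.append("auth-nocache")
    return text.rstrip("\n") + "".join("\n" + e for e in extra) + "\n"


# The Mac configuration from this chapter, with a placeholder gateway name (constructed).
GUIDE_CONFIG = """\
client
dev tun
auth-user-pass
remote vpn.example.invalid 1194
ca /Users/my-mac-username/Library/RiseupCA.pem
"""

# The same config after someone "fixed" the password prompt with a credentials file (constructed).
FILE_CREDS_CONFIG = GUIDE_CONFIG.replace("auth-user-pass", "auth-user-pass riseup-creds.txt")


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GUIDE_CONFIG
    for severity, message in audit_ovpn(text):
        print(f"{severity.upper():8} {message}")
    print("--- hardened ---")
    print(hardened(text), end="")
```

remote-cert-tls server needs OpenVPN 2.1 or later (the log above shows 2.1.3); on older clients use ns-cert-type server, which the audit also accepts. Either way, after adding the line the WARNING disappears from the log, and a certificate issued by the CA to anything other than a server no longer passes.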

Starting and stopping the RiseupVPN
1. Click on the network icon in the task bar. You will see something like this:

2. If you click on RiseupVPN, you get a button to connect or disconnect, depending on the current state.

Configure the VPN to connect without prompting for your username and password
Only do this with a VPN Secret, never with your Riseup password: the credential is then stored on the machine (see Saving Passwords above).
1. Click on the network icon in the taskbar.
2. Right-click on RiseupVPN and select Properties.

3. Select the Options tab. You should see this:

4. Uncheck "Prompt for name and password".
5. Uncheck "Include Windows logon domain".
6. Click OK.

Automatically start the RiseupVPN on startup
Make sure the RiseupVPN profile is configured to connect without requiring a password.
1. Create a shortcut to the RiseupVPN network connection:
   1. In the Start menu, search for and run View network connections.
   2. Right-click RiseupVPN and choose Create shortcut.
   3. When prompted, save the shortcut to the Desktop.
2. Open the Startup folder:
   1. From the Start menu, click All Programs, then right-click Startup and select Open.
   2. Alternately, type "shell:startup" in the Start menu search box.
3. Drag the file "RiseupVPN – shortcut" from the Desktop to the Startup folder.
4. That is it.
NOTE: I have not actually been able to get this to work. Anyone been successful?

Removing the RiseupVPN
1. Control Panel > Network and Internet > Network and Sharing Center.
2. Click Change adapter settings in the left panel; the path changes to Control Panel > Network and Internet > Network Connections.
3. Click RiseupVPN (or whatever you called the VPN profile).
4. Click Delete this connection.
Alternately, search for 'view network connections' in the Start menu.

Setting up PPTP
PPTP is already built into your desktop computer and can be easier to set up: there is no software to download or install. PPTP has well-known security weaknesses, though. Its MS-CHAPv2 authentication can be attacked offline once an eavesdropper has captured the handshake, and the MPPE encryption keys are derived from the same password, so a weak password exposes the traffic and not just the login. For most situations it is still adequate, but if you have reason to believe that a determined attacker such as a government or a large corporation is specifically targeting your communication, you should definitely use OpenVPN and not PPTP. Having said that, Riseup uses PPTP in the most secure way possible: it requires very long, random VPN Secrets, which is what blunts the offline attack, and it accepts only the more secure and up-to-date types of PPTP connection.

Generating a VPN secret

We cannot use normal Riseup passwords to connect via PPTP. Instead, visit and generate a VPN Secret. Use this VPN Secret in place of a password when configuring PPTP.

In a nutshell

- protocol: PPTP
- VPN server: choose one close to you:

  VPN Server    Location
                Western US
                Eastern US

- username: your login
- password: a special VPN Secret, as explained before

PPTP on Linux
Configuring PPTP on GNU/Linux.

- PPTP with Gnome
- VPNAutoconnect
- PPTP with KDE

To use PPTP you must first generate a VPN Secret. For the gateway, choose one of the following:

VPN Server    Location
              Western US
              Eastern US

PPTP with Gnome
Support for PPTP is probably already installed on your system.
1. Open System > Preferences > Network Connections
2. Choose the VPN tab
3. Click Add
4. Choose PPTP for the connection type, then click Create...
5. Fill out this information:
   o Connection name: riseup pptp
   o Gateway: choose from the list above
   o User name: your login
   o Password: the special VPN Secret
   o Advanced: you must enable MPPE (Microsoft Point-to-Point Encryption) and MSCHAPv2; the weaker methods (PAP, CHAP, MSCHAP) are then disabled, so the client can never be talked down to an unencrypted session.
6. Click Apply.

Procedure
Let's assume you have the credentials for PPTP from your VPN provider. They should contain the following:

- Username, ex. bill
- Password, ex. verysecretpassword
- VPN server, ex.

Before getting started, read the paragraph "testing before and after account set up" so that you can check whether the connection is actually working afterwards. If you installed all the software in the previous chapter, we are ready to go. Setting up PPTP is very simple in Ubuntu: first open the VPN network settings through the NetworkManager applet next to your system clock (where you also pick your Wi-Fi network). Click it and, in the menu that pops up, choose Configure VPN (under VPN Connections).

A new window pops up, listing your VPN connections. The list is empty if you have not configured a VPN before. Simply choose Add.

The next window shows the available options. Make sure you choose Point-to-Point Tunneling Protocol (PPTP), then click "Create...".

In the next pop-up fill out the required information. The connection name is just a label for this connection. The gateway is the server address of the VPN provider, in this case "". The "User name" and "Password" fields are self-explanatory. Pay special attention to the "Connect Automatically" option: if enabled, the VPN is always online when it is available, which is recommended if you have an unlimited data plan with your VPN provider. The gateways in the following figures are just typical examples; replace them with the Riseup gateway. Encryption also has to be enabled explicitly, under the advanced options, so choose "Advanced...

In the advanced options screen enable "Use Point-to-Point encryption (MPPE)". The utility warns that some authentication methods are not possible with MPPE; this is the expected behaviour, and the methods it disables are the weak ones you do not want anyway. Confirm the settings with "OK" to return to the previous window, then "Apply" it; we are nearly ready to go.

Now you will return to the overview. If everything went fine, you will have a new connection now. Here it's called "VPN to Greenhost". You can close this window now, your settings are complete.

Now, let's activate the VPN. Click the NetworkManager icon again, go to "VPN Connections" and click "VPN to Greenhost".

If everything went fine, look at the small change in the notification icon: this should now give you a "lock" icon next to the Wi-Fi signal.

VPNAutoconnect
There is a longstanding bug in NetworkManager that prevents the VPN from connecting when you log in, or from reconnecting if the VPN connection is dropped. To work around it we suggest you install VPNAutoconnect from here: . If you run Debian or Ubuntu, download and open the appropriate .deb file (i386 for a 32-bit system, amd64 for a 64-bit one).

Alternately, on Ubuntu you can add the VPNAutoconnect repository and install the package from it (the apt-get update between the two steps is needed so that apt sees the new repository):

  sudo apt-add-repository ppa:barraudmanuel/vpnautoconnect
  sudo apt-get update
  sudo apt-get install vpnautoconnect

Once installed, the VPNAutoconnect icon appears in your task bar. It looks like this:

Right-click that icon and select Preferences. Make sure "Follow Parent" and "Reconnect" are checked if you want the VPN to start automatically. Next, click on the little tab at the top with an arrow on it:

You get a form to add a VPN profile that should autoconnect:

- For Parent Connection, most people will choose 'eth0'.
- For VPN Connection, choose the VPN profile you just added in NetworkManager.

Click Save and you are done. Note that if you are using OpenVPN and your home directory is encrypted, the connection will not automatically start up when you login if the Certificate Authority file is stored in your home directory.

Alternatively, on SUSE Linux (using Gnome):
1 – Use the Software Management tool, search for VPNC, PPTP, SMPPD and NetworkManager and install them all
2 – Then download NetworkManager-pptp from (you can select the desired version of the OS)
3 – Restart NetworkManager and then create your PPTP VPN tunnel

Using KDE:
1 – Use YaST, search for VPNC, PPTP, SMPPD and KVPNC and install them all
2 – Run KVPNC and create a profile in order to connect

On Debian-based distros (Debian, Ubuntu, Kurumin)

Using Gnome:
1 – sudo apt-get install network-manager-gnome network-manager-pptp
2 – Launch or restart NetworkManager

Using KDE:
1 – sudo apt-get install kvpnc
2 – Launch KVPNC and create a profile in order to connect
If you have problems connecting, check your firewall. To download other versions of VPNpptp-kde for your Linux system see the link below: and its source here:

PPTP on Android
Unfortunately, nearly all versions of Android have a bug that prevents PPTP with encryption (MPPE) from working, and PPTP without encryption is useless for our purposes.

Configuring PPTP for Mac OSX
1. Go to your Applications folder and open "Internet Connect"
2. Select VPN in the top menu bar
3. Now select PPTP
4. From the pull-down menu, select "Edit Configurations"
5. Now fill out the following:
   - Description: Riseup VPN
   - Server address: choose a server close to you
   - Account name: your Riseup user name
   - Check the "Password" radio button and use the special VPN Secret that you get from as the password
   - Encryption: select "Maximum"

That should do it!

Configuring PPTP on Windows
How to connect to the RiseupVPN on Windows using PPTP

Windows 7
  o Create a RiseupVPN connection
     Step 1 – open VPN setup
     Step 2 – username and password
     Step 3 – confirmation
  o Starting and stopping the RiseupVPN
  o Configure the VPN to connect without prompting for your username and password
  o Automatically start the RiseupVPN on startup
  o Removing the RiseupVPN

Windows 7
Create a RiseupVPN connection
Step 1 – open VPN setup
Search for "VPN" in the Start Menu and select Set up a virtual private network (VPN) connection

You will get a form that looks like this:

In place of the Internet address, pick one of these VPN servers:

VPN Server    Location
              Western US
              Eastern US

Then click Next.
Step 2 – username and password
1. Fill out username and password. The username is your login. To generate a password, first go to , then click VPN in the sidebar and make a new VPN Secret.
2. Check Show characters and Remember this password. Leave Domain blank. "Remember this password" stores the VPN Secret on this computer, which is fine for a VPN Secret but would not be for your Riseup password.
3. Click Connect.
Step 3 – confirmation
If it worked, you should see this:

How to set up PPTP VPN on D-Link
Connect the WAN port of your D-Link router to your LAN, or to one of the free LAN ports of your broadband router. In most cases this means you will have two routers: the first is your regular broadband router and the second is the router that serves your VPN network. Go into the admin interface of the second router and select a LAN address range that does not overlap your regular LAN address range. Be sure to enable DHCP. Click Save and your router will reboot.

Access your router on the new LAN address and go into the Internet Setup menu. Continue with the Manual Internet Connection Setup

Set your internet connection type to Russia PPTP. For the IP address, select Dynamic; this assumes that your original LAN has a working, properly configured DHCP server. For the server IP, use one of the server names from your subscription confirmation email. The PPTP account is your username from your VPN provider (such as USAIP), and the PPTP password is the password from that provider.

Go back to the Status tab to make sure that your VPN connected

Set up the Wi-Fi as you wish if you want to connect Wi-Fi clients. All Wi-Fi and LAN clients connected to this router now use the VPN, so protect the Wi-Fi (WPA2 with a strong passphrase): anyone who can join it borrows your VPN identity. If you have random data disruptions, go back to the WAN configuration, set the MTU value to 1400 and reboot the device. To disconnect the VPN, power off the router. Once you power it back on, it connects to the VPN automatically.

How to set up PPTP / L2TP on DD-WRT
See the list of DD-WRT compatible routers on DD-WRT: . Connect the WAN port of your router to your LAN, or to one of the LAN ports of your broadband router. In most cases this means you will have two routers: the first is your regular broadband router and the second is the router that serves your VPN network. Go into the admin interface of the second router and select a LAN address range that does not overlap your regular LAN address range. Click Save and your router will reboot.
- Access the router on its new LAN address and go into the WAN menu. Select PPTP. Test beforehand, from a PC on the same network, that the network does not block PPTP; the provider's demo account is useful for that. For the gateway (PPTP server), use one of the server names from your subscription confirmation email. Set DHCP to yes; this assumes that your original LAN has a working, properly configured DHCP server. Set the WAN connection mode to automatic. Click Save. The router may reboot; if it becomes unresponsive, unplug it and power it back on.

Set up the Wi-Fi as you wish if you want to connect Wi-Fi clients. All Wi-Fi and LAN clients connected to this router now use the VPN, so protect the Wi-Fi with WPA2 and a strong passphrase. To disconnect the VPN, power off the router. Once you power it back on, it connects to the VPN automatically.

Hotspot Shield
Hotspot Shield is a free (but commercial, ad-supported) VPN solution for Microsoft Windows and Mac OS which can be used to reach the uncensored Internet through an encrypted tunnel over your normal, censored connection. Hotspot Shield encrypts all traffic between you and its servers, so your censor's surveillance equipment cannot see which sites you are visiting; the Hotspot Shield operator, of course, can.
General Information
Supported operating systems: Microsoft Windows, Mac OS
Localization: English
Web site:
Support: FAQ:  E-mail:

How to get Hotspot Shield
Download the software from . The file is about 6MB, so on a slow dial-up connection this can take 25 minutes or more. If the download is blocked where you are, write to and include at least one of these words in the subject line of your e-mail: "hss", "sesawe", "hotspot" or "shield". You will receive the installer as an e-mail attachment. Important: if you use Firefox with the NoScript extension enabled, you may run into problems with Hotspot Shield. Make sure that all URLs Hotspot Shield connects to are whitelisted, or temporarily allow scripts globally while using the service.

Installing Hotspot Shield
1. After the download completes, locate the downloaded installer on your computer and start the installation by double-clicking its icon.

2. Windows may ask you for permission to install the software. Click Yes.

3. Select your preferred installation language from the dropdown menu.

4. After you select the language, you will see a welcome screen. Click Next.

5. Accept the license agreement by clicking on "I Agree".

6. You will see a window informing you about additional software which can be installed optionally. Click Next.

7. On the next screen you can uncheck the option to install the optional Hotspot Shield Community Toolbar. This feature is not needed to run Hotspot Shield.

8. Additional options will be presented at the next screen. All these features are optional, and you don't need any of them enabled to run Hotspot Shield.

9. Select the location on your hard drive where you want Hotspot Shield to be installed. In most cases you can leave the default values and proceed by clicking Install.

10. Windows may request additional permissions several times to install different components of Hotspot Shield. You can safely proceed by clicking Install every time.

11. When the installation is completed, click Next.

12. Finally, you can launch Hotspot Shield immediately after installation and you can create an icon for your desktop. Choose your preferences and click Finish.

Hotspot Shield is now installed on your computer.

Connecting to the Hotspot Shield service

1. Click on the Hotspot Shield Launch icon on your desktop or from the menu Programs > Hotspot Shield.

2. Once you launch Hotspot Shield, a browser window will open with a status page showing different stages of the connection attempt, such as "Authenticating" and "Assigning IP address".

3. Once connected, Hotspot Shield will redirect you to a welcome page. Click Start to begin surfing.

4. Please note that after you click Start, Hotspot Shield may redirect you to an advertisement page such as the one displayed below. You can close this tab and start surfing the Web as usual. You can check that you are connected to the Hotspot Shield service by looking at the green Hotspot Shield icon in your system tray (next to the clock).

5. To check your connection status, simply right-click on the Hotspot Shield system tray icon and select Properties.

Disconnecting from the Hotspot Shield service

1. To disconnect from the Hotspot Shield service, right-click on the system tray icon (see image above) and select Disconnect/OFF.

2. Hotspot Shield will ask you to confirm this action. Click Disconnect.

3. A status window will appear confirming you are now disconnected and surfing on your normal (filtered) connection. Click on the "CONNECT" button to resume circumvention.

PacketiX.NET is an unrestricted free service offered by SoftEther Corp as an academic experiment run by the University of Tsukuba in Japan. Unlike Hotspot Shield and countless other VPN clients, it is not based on OpenVPN but instead uses a proprietary system. Like most other VPN connections, it encrypts all of your Internet activities. The client itself is very customisable and powerful, allowing you to get the most out of your VPN connection. There are a number of features, from setting the number of TCP connections to enabling data compression to maximise throughput. The actual speed you get ultimately depends on your geographic location in relation to Japan. This means that a lot of people may experience slow connections (especially Europeans). The GUI is very simple and easy to use. Installation is fairly simple, but you need to download the client and an additional configuration file. They have a nice tutorial on their website that guides you through the whole process to make your life easier. Whilst they do keep logs, they are open about it. You have to read and accept an agreement that you will not use the service 'to do crime', as they put it. As long as you're not doing anything you shouldn't be doing, it shouldn't concern you greatly. Here are some of my personal ratings and a few technical points regarding the program:

Speed Rating: Medium
Anonymity Rating: High
Usage Allowance: Unlimited
Logging Level: High. Logs are kept permanently.
Server Location(s): Japan
Operating System(s):
Rating: Excellent. 19MB of RAM usage when running.
Product type: runs as a stand-alone program on the user's computer.
Pros: Secure, ad-free, highly customisable and powerful client.
Cons: Data transfer speeds depend on your geographic location in relation to Japan, slow updates, privacy and/or anonymity is not guaranteed as they log everything.
Developer's website:
Download page:
Version: 2.20 Build 5351
Download file size: 17 MB
64-bit compatibility: 32-bit, but 64-bit compatible
System requirements: 95 - 7, Linux/Unix

Settings

If you use the ActiveX control to install the PacketiX VPN Client, your client is preconfigured and ready to go. If you install the client manually, use the following settings to set up your connection by hand, or download the settings file.

Setting Item: Value
VPN Server host name:
VPN Server port number: 443
Virtual Hub name: PUBLIC
User name: PUBLIC
User authentication: anonymous

Connection Setting File Download: To automatically configure the connection to the Virtual Hub, you can download a connection setting file (*.vpn), which can be imported into the PacketiX VPN Client Connection Manager. Download Connection Setting File (secure.vpn):

Configuration for Connecting over a Proxy Server

If you connect to the Internet over an HTTP or SOCKS proxy server, it is necessary to change the VPN Client settings.

JanusVM is a VMware-based Tor/Privoxy/Squid/OpenVPN client, or as they like to call it, an 'Internet Privacy Appliance'. This really is a superior product compared to other Tor solutions, as it combines the power of Tor, Privoxy, Squid and OpenVPN to increase anonymity. I would recommend this option for intermediate to advanced computer users, as it's not simply a case of 'click-click-done' with this one. It requires the installation of VMware Player (which is free), the configuration of a VPN connection and some background reading (albeit quite minimal). They also have a nice video tutorial for beginners who wish to try out this solution. VMware Player is required to be running every time you want to use JanusVM. While this may not be an issue for most, those with older hardware might struggle to run virtual machines altogether. Apart from the potential technical difficulties with running the virtual machine, it can be highly inconvenient for some to have it running all the time. This is the kind of decision you will have to make when considering anonymity options. One hundred and twenty-eight MB of RAM is a bare minimum to run a virtual machine! If you have only this amount of RAM, consider upgrading to a higher amount. Once JanusVM is set up correctly, you need to configure your operating system's network connection manager to dial into JanusVM. The people over at project JanusVM also offer a hardware-based solution, dubbed JanusPA! It's really interesting, as it encrypts all of your data going through your ADSL modem or router, meaning literally nothing can get through that isn't 'Torified'. More information can be found here: They are currently out of stock, but it's worth a look anyway. Here are some technical points regarding the program:
Speed Rating: Generally slow
Anonymity Rating: High
Usage Allowance: Unlimited
Logging Level: Unknown. It varies from peer to peer. Some may log you and some may not.
Server Location(s): Worldwide
Operating System(s):
WOT Rating: Excellent. 53 MB of RAM usage when running.
Product type: combines a web service with a stand-alone program.
Pros: Highly secure, forces programs to use Tor.
Cons: Requires VMware Player to be installed and running, may not be as secure as other solutions, speeds fluctuate but are generally slow.
Developer's website:
Download page:
Version: July-2010
Download file size: 42 MB
License type: Unrestricted freeware
System requirements: 95 - 7
Additional information: VMware Player or Server is required

JanusVM Features
* Works with WiFi.
* Supports multiple users in a LAN.
* Protects you from most man-in-the-middle attacks.
* Protects you from Javascript, Java, and Flash based side-channel privacy attacks.
* Protects your identity and your true location by masking your IP address.
* Encrypts and re-routes your DNS requests and ALL TCP traffic to ensure strong privacy.
* Strips out most privacy-sensitive information your web browser may leak.
* Blocks popups, annoying ads, banners, and other obnoxious Internet junk.
* Very simple setup and operation.
* Works transparently for applications using TCP. (No UDP or ICMP support.)

Setup JanusVM and use in Windows:

ProXPN is a VPN client based on OpenVPN; however, there is a PPTP service also on offer for mobile phone users. They currently have servers located in the USA and are looking to expand into Europe; therefore, speeds may vary depending on your location. Overall, speeds are generally very fast for most users. Being a VPN client, it encrypts all of your Internet activities. They use a 512-bit level of encryption with 2,048-bit certificates for users to achieve high levels of anonymity. Unfortunately, registration is mandatory in order to use the service. Of course, for the extremely paranoid folk among you, fake details may be provided; however, a real e-mail address must be used in order to activate an account, but again, this e-mail address could also be fake. Sorry if I confused anyone with that last sentence! The GUI is very basic and somewhat user-friendly, though it could use a little reworking (removal of some tabs and integrating some controls into one window would be a nice start). One problem I've encountered is that proXPN seems to run on start-up by default for me and cannot be stopped easily. As far as I know, this problem only occurs in Windows 7 Professional 64-bit. Use the comments section for assistance with this. It's available for a wide variety of operating systems, including Microsoft's modern operating systems, such as Windows XP, Windows Vista, Windows 7 and Windows Mobile, as well as a range of Apple-based operating systems, such as Mac OS, iPhone and iPod Touch. It may work for older operating systems such as Windows 98 and 95, but they are not officially supported. Here are some of my personal ratings and a few technical points regarding the program:
   

Speed Rating: Fast (up to 1000 kbps)
Anonymity Rating: High
Usage Allowance: Unlimited
Logging Level: Minimal. They log connection time and date, your bandwidth usage and your registration details. Logs are kept for roughly 2 weeks.
Server Location(s): USA
Operating System(s):
WOT Rating: Excellent. 3.6MB of RAM usage when running (+3MB for OpenVPN).
Product type: combines a web service with a stand-alone program.
Pros: Slim, fast, cross-platform and secure.
Cons: Registration required, GUI could use some work, more servers would be nice, may load on start-up unexpectedly.
Developer's website:
Download page:
Version: 2.4.2
Download file size: 2.5 MB
License type: Unrestricted freeware
System requirements: 95 - 7, Macintosh, Windows Mobile, iPhone and iPod Touch

What proXPN does:
   

- upgrades your internet connection with VPN encryption
- secures all types of connections, from DSL and cable to 3G
- gives you 100% private access to the internet
- gets you an IP address in the USA, UK, or NL

With proXPN nobody* can:
- see the websites you visit
- hijack your passwords, credit cards, or banking details
- intercept and spy on your email, IMs, calls, or anything else
- record your web history
- run traces to find out where you live

ProXPN Windows Installation

On the proXPN setup wizard, click "Next" to see the License agreement.

Just click "Agree" here to continue installation. Then Let the installer run until completion.

Just click the "Finish" button to complete the installation.

New Account Setup: Welcome to the proXPN client. Click the "Don't have an account?" link to create a new account.

Enter your email address and the password of your choice. Then check the license agreement checkbox and click the "I agree - create account" button.

Finish signup: Click "OK" to finish the account signup process in the software client, then verify your signup request.

Check your email for a greeting email from proXPN. In that email is a link which you will need to click in order to activate your free account. If it doesn't show up within a reasonable timeframe, make sure to check your spam folders. Once you've clicked the link in the email, your account should be active. Go ahead and click the "connect" button to connect to proXPN.


Once you connect, the system tray icon will turn green. You're now surfing safe and secure, courtesy of proXPN.

ProXPN Mac Install

A step-by-step tutorial for installation of the proXPN beta client for Macintosh OS X 10.5 and later. Install the proXPN Mac Beta App.

Drag the proXPN icon into your Applications folder. Confirm that you want to proceed.

The usual Mac warning about installing something downloaded from the internet appears. Click "Open" to proceed. Your Mac wants another confirmation. This time, your Mac is asking you to provide your Mac admin login; this is your Mac username and password, not your proXPN login.

Installation complete!

Notice the red lock icon in the menubar - when you click on this, you'll see a menu of items. Select "Connect" to proceed.

Your mac really likes those confirmation screens . . .

Here it is again, the Mac user/pass prompt. This is your Mac asking you if you really want to make some changes to the proXPN configuration file. Click "OK" here.

The proXPN Login Screen

Finally! Here you want to enter the email and password that you signed up at proXPN with. You can also save this login in your Mac keychain. Once you're ready, click "OK" here. Yay, we're connected!

Once the lock icon turns green, you're now surfing safe & secure, courtesy of proXPN.

iPhone Setup - proXPN

Step-by-step guide to iPhone setup for proXPN. Please note that PPTP VPN for iPhone is available with proXPN Premium accounts only. Existing free proXPN users can login here: to upgrade. To begin, open your settings screen and open the "Network" settings.

Click the "Network" menu item. VPN Settings and Click the "VPN" menu item. Add VPN Configuration

Click the "Add VPN Configuration". Configure proXPN Connection. Make sure that the settings on this screen on your iPhone match those above. The only difference should be the username, password, and the server (and at your option, the Description) - you'll want to use the email address and password that you signed up with. Click here for a list of proXPN server locations: please ensure that you have activated your account prior to attempting to connect by clicking the

link in the email that was sent to you when you signed up for proXPN. When you're finished with this screen, press the "Save" button. Connect to proXPN

After saving your settings in the previous step, simply go back to your home screen and then open your main settings screen. Turn VPN "ON" and wait for it to connect. When you are connected to proXPN, you'll see a little VPN icon on the top status bar next to the clock.

USAIP is a PPTP/L2TP/OpenVPN VPN service. They have servers in the United States of America, the United Kingdom, Germany, the Netherlands, Hungary and China, so overall, most people around the world should receive good connection speeds. Since PPTP and L2TP are protocols, they are not bound to any one operating system, although Microsoft played a major part in their development. Therefore, you can use the USAIP service by utilising the standard network connection manager program found within most modern Windows distributions, such as Windows 2000, Windows XP, Windows Vista and Windows 7, as well as Microsoft's archaic legacy operating systems, such as Windows ME, Windows 98 and Windows 95 (but honestly, if you're using any of these operating systems, I have one question for you: why?!). USAIP may be used in other operating systems too, such as Mac OS and Linux, which include VPN clients within their respective operating systems. The program effectively tunnels all of your data through this service, which means not only your web browsing session is anonymous, but all of your Internet activities are anonymous. This is useful for apps that use other protocols, such as UDP. I used to play online games using this service and my ping was higher than many of the programs listed here can offer. The free service has unlimited bandwidth and you can use it for as long as you wish. However, there is a catch. They allow you to try their service for absolutely nothing, but disconnect you every 7 minutes to entice you to upgrade to one of their premium packages. We can't complain, as we can just redial once we've been disconnected! Most of the network connection programs have an automatic redial function available, so make good use of it. Being disconnected every 7 minutes can be unnoticeable, but as I wrote earlier, playing an online game and being disconnected is very noticeable! I'd recommend this as a backup to some of the other services listed on this page.
Here are some of my personal ratings and a few technical points regarding the program:

Speed Rating: Fast
Anonymity Rating: High
Usage Allowance: Unlimited
Logging Level: Minimal. They log bandwidth usage and keep the logs for 48 hours.
Server Location(s): USA, UK, Germany, The Netherlands, China
Operating System(s):
WOT Rating: Unknown.
Product type: web service or web application.
Pros: Reasonably good speeds, no installation necessary, multi-platform.
Cons: Disconnects every 7 minutes.
Developer's website:
Download page:
License type: Unrestricted freeware
System requirements: 95 - 7, Macintosh, Linux/Unix

Feature: FREE / PAID
Forced disconnects: Every 7 minutes / Never
VPN guard: No / Yes
Automatic VPN reconnect: No / Yes
Global access: No / Yes
DNS forwarding proxy: Yes / Yes
Unlimited speed: No, 200kbit/s / Yes
Unlimited data transfer: Yes / Yes
Purchase online: No / Yes
Watch TV online: Yes / Yes
Register to services online: May be restricted / Yes
Play online: May be restricted / Yes
Receive email: Yes / Yes
Send email: No / Yes
VOIP: May be limited / Yes
Skype: Yes / Yes
Yahoo messenger: Yes / Yes
ICQ: Yes / Yes
PPTP: Yes / Yes
L2TP: Yes / Yes
SSTP: Yes / Yes

For all those who want to set up the demo account manually and need the server names, please use one from the following list.
China:
Hong Kong:
Netherlands:
Sweden:
UK 2:
USA Colorado:
Germany:
Hungary:
Pakistan:
UK 1:
Ukraine:
USA Missouri:

When prompted for username and password, use the following:
USERNAME: demo
PASSWORD: demo

Download our connection tool from Unzip and install it. Locate the autoconnect icon on your desktop to launch.

The connection tool will open as below.

VPNReactor is an L2TP/PPTP/OpenVPN VPN service similar to USAIP. They currently only have servers in the USA, so speeds may vary. Most of the points that were mentioned about USAIP apply to this product. The only major differences are that the free service has unlimited bandwidth and usage, but the VPN connection disconnects every 30 minutes. Registration is mandatory, and they also require users to reactivate their accounts monthly. I'm not sure if they support mobile devices, but in theory they should support devices that use PPTP or L2TP. Here are some of my personal ratings and a few technical points regarding the program:
      

Speed Rating: Fast
Anonymity Rating: High
Usage Allowance: Unlimited
Logging Level: Minimal
Server Location(s): USA
Operating System(s):
WOT Rating: Excellent.
Product type: web service or web application.
Advantage: Reasonably good speeds, no installation necessary, multi-platform.
Disadvantage: Registration required, monthly activation required, disconnects every 30 minutes.
Developer's website:
Download page:
License type: Unrestricted freeware
System requirements: Win 95 - 7, Macintosh, Linux/Unix, iPhone and iPod Touch.

SecurityKiss is a simple Windows VPN client based on OpenVPN. They have servers located in Germany, the United States of America, the United Kingdom and Switzerland, and are looking to expand into other locations. Speeds are relatively fast, depending on your distance to the nearest server. They do not cap speeds and use data compression to ensure you get the very best connection. There is a 300 MB per day limit for free users, which they insist will always be free and will never decrease, but may increase in the future. This works out as roughly 9GB a month, which is more than adequate for surfing the web or very light to moderate downloading activities. The GUI is very basic; it features a connect and a disconnect button, a button to change servers and a button to leave feedback. It also displays how much of your daily download quota has been used and how long before a new cycle begins. SecurityKiss insist they do not keep personally identifiable data about their users and only log your IP address, connection/disconnection times and traffic volume. They use the 128-bit Blowfish algorithm to encrypt session data and use 1024-bit RSA certificates for session keys, so users can be assured that nobody can eavesdrop on their data. Here are some of my personal ratings and a few technical points regarding the program:
   

Speed Rating: Fast
Anonymity Rating: High
Usage Allowance: Medium, 300 MB per day
Logging Level: Minimal. They only log your IP address, connection/disconnection times and traffic volume, which are kept permanently.
Server Location(s): USA, UK, Germany, Switzerland
WOT Rating: Unknown. 2MB of RAM usage when running (+3MB for OpenVPN). Available for both 32-bit and 64-bit Windows.
Product type: combines a web service with a stand-alone program.
Advantage: Simple GUI, fast, lots of servers, secure, 300MB/day.
Disadvantage: Usage cap.
Developer's website:
Download page:
Version: 0.1.5
Download file size: 2.3 MB
License type: Unrestricted freeware
System requirements: 95 - 7

During the installation you need to accept the warning. This step is necessary in order to ensure that the installation is complete. This is not a threat to your computer.

How to install Tunnelblick SecurityKISS on Mac

If you couldn't download Tunnelblick from the website, send an empty email to and the download link will be sent to you in reply. Download and double-click the dmg file. It will install the Tunnelblick_SecurityKISS disk image.

Open the disk image. Then drag and drop the Tunnelblick_SecurityKISS program to the desktop.

Double click the program and confirm 'Open'

First run requires entering administrator password

Click the Tunnelblick icon in the top right corner of the screen and select SecurityKISS server configuration

Wait until the tunnel is connected

You can verify if your IP address has changed by opening our geolocation website:

Configure OpenVPN in Linux Network Manager

Here is described how to configure an OpenVPN connection to SecurityKISS servers using the Linux Network Manager. The screenshots come from Ubuntu 11.10 (Oneiric Ocelot). As a prerequisite you need root privileges and the configuration bundle, which you can download from the SecurityKISS Client Area:

Step 1. Download SecurityKISS config files

Check your current working directory:
sk@ubuntu:~$ pwd
/home/sk

Download the configuration bundle (use the download link you generated in the SecurityKISS Client Area):
sk@ubuntu:~$ wget -N 456.tar.gz

Unzip the files:
sk@ubuntu:~$ tar xf securitykiss_linux_client00363672.tar.gz

View the README.txt file to find the list of SecurityKISS gateways:
sk@ubuntu:~$ more securitykiss_linux_client00363672/README.txt
Country City IP Address Proto Port
UK Manchester udp 123
UK Manchester tcp 443
...

Step 2. Install Network Manager plugin for OpenVPN

Open a terminal. In the terminal type the following command to install the plugin. You will be prompted for the root password.
sk@ubuntu:~$ sudo apt-get -y install network-manager-openvpn
[sudo] password for sk: *******

Network Manager requires a restart:
sk@ubuntu:~$ sudo restart network-manager

Step 3. Configure OpenVPN connection

In the network connections find 'Configure VPN'. Then select the VPN tab.

Add new VPN connection, and then choose a VPN connection type. Press Create

Enter connection name indicating server location, protocol and port. In the Gateway field enter one of the IP addresses from the list you found in README.txt. Authentication type should be 'Certificates (TLS)'. Next click to select User Certificate.

Navigate to the location where you unzipped the config files (probably /home/$username/securitykiss_linux_clientxxxxxxxx). Then open the client.crt file.

Do the same for CA Certificate, but open ca.crt.

And the same for Private Key, but open client.key.

Select Advanced button

Tick 'Use LZO data compression' and 'Use custom gateway port' checkboxes. Enter port number according to the selected server from README.txt. If the server you selected from the list is marked as TCP you also need to tick 'Use a TCP connection'

Accept and save the settings

Step 4. Test the tunneled connection Connect from the VPN connections

You can verify if your IP address has changed by opening our geolocation website:

You can set up other servers from the list in similar way.
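As an added example (mine, not from the book or from SecurityKISS), the following POSIX shell script produces, from one row of the README.txt gateway table, an OpenVPN client configuration equivalent to the Network Manager dialog settings above (TLS certificates, LZO compression, custom gateway port, TCP where the row says so), so further servers from the list can be set up without clicking through the dialog. The gateway table and its addresses are constructed stand-ins; the bundle directory and its ca.crt, client.crt and client.key are the files unpacked in Step 1.

```shell
#!/bin/sh
# Added example, not from the book or from SecurityKISS: build an OpenVPN client
# config equivalent to the Network Manager settings from one row of the
# README.txt gateway table. The table below is a constructed stand-in for the
# real README.txt (addresses from the RFC 5737 documentation ranges).
SAMPLE_README='Country City IP Address Proto Port
UK Manchester 192.0.2.10 udp 123
UK Manchester 192.0.2.10 tcp 443
DE Frankfurt 198.51.100.7 udp 5000'

# pick_gateway COUNTRY CITY PROTO   (table read from stdin)
# Prints "ip proto port" for the first matching row; prints nothing if none matches.
pick_gateway() {
    awk -v c="$1" -v t="$2" -v p="$3" \
        'NR > 1 && $1 == c && $2 == t && $4 == p { print $3, $4, $5; exit }'
}

# check_bundle DIR: the three files the "Certificates (TLS)" dialog asks for.
check_bundle() {
    for f in ca.crt client.crt client.key; do
        [ -r "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
}

# make_ovpn_config DIR IP PROTO PORT
# Writes DIR/<ip>-<proto>-<port>.conf and prints its path. Mapping to the dialog:
#   proto tcp        <-> "Use a TCP connection" (only for rows marked tcp)
#   remote IP PORT   <-> Gateway field + "Use custom gateway port"
#   comp-lzo         <-> "Use LZO data compression" (OpenVPN 2.4+ also accepts "compress lzo")
#   ca/cert/key      <-> CA Certificate, User Certificate, Private Key
make_ovpn_config() {
    dir=$1; ip=$2; proto=$3; port=$4
    check_bundle "$dir" || return 1
    case "$proto" in
        tcp|udp) ;;
        *) echo "unknown protocol: $proto" >&2; return 1 ;;
    esac
    out="$dir/$ip-$proto-$port.conf"
    cat > "$out" <<EOF
# generated from README.txt row: $ip $proto $port
client
dev tun
proto $proto
remote $ip $port
nobind
persist-key
persist-tun
ca $dir/ca.crt
cert $dir/client.crt
key $dir/client.key
# Not in the dialog: refuse a peer that presents a client certificate instead of a
# server certificate. Drop this line if the gateway's certificate lacks the server usage.
remote-cert-tls server
comp-lzo
verb 3
EOF
    echo "$out"
}

# Usage: sh sk-ovpn.sh BUNDLE_DIR COUNTRY CITY PROTO
# (reads BUNDLE_DIR/README.txt; then run: sudo openvpn --config <printed path>)
if [ $# -eq 4 ]; then
    gw=$(pick_gateway "$2" "$3" "$4" < "$1/README.txt")
    [ -n "$gw" ] || { echo "no gateway matched $2 $3 $4" >&2; exit 1; }
    make_ovpn_config "$1" $gw
fi
```

After starting the tunnel with the generated file, verify the IP change as in Step 4.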

Where to find the server list? The server list opens in a dedicated dialog window. You may get there from the menu bar or by clicking the bottom panel button.

You can select a server with any IP address and TCP/UDP port combination where a checkbox is displayed. Tick the checkbox and click Apply. The setting will be saved for the next program runs. If you were already connected in the tunnel, disconnect and connect again. After clicking 'Disconnect', wait a few seconds before reconnecting to let your operating system return to a stable state. After a successful connection the bottom panel should display the new IP address and the corresponding country flag.

UltraSurf is a VPN program for Windows. They have servers located in the USA and collect the following data about you: your IP; the properties of your browser and/or your computer; the number of links you click within a site; the state or country from which you accessed the site; the date and time of your visit; the name of your ISP; the web page you linked to our site from; and the pages you viewed on the site. The GUI is very basic, with a few standard Windows-like buttons to access options, help and to exit the program. There are radio buttons for server selection, and that's all that is interesting about the GUI apart from the server utilisation displays, which are helpful in deciding which server is currently the fastest. At the moment, users are unable to change the default port (9666) to a custom one. Users should be aware of any restrictions that prevent the program from listening on that port before attempting to use it. Note: Some antivirus programs falsely identify UltraSurf as a virus/Trojan, as it can penetrate through firewalls. This is a false positive. Please be aware of this if you get any alerts and such. Here are some of my personal ratings and a few technical points regarding the program:
   

Speed Rating: Fast
Anonymity Rating: High
Usage Allowance: Unlimited
Logging Level: High. UltraSurf collects the following data: your IP; the properties of your browser and/or your computer; the number of links you click within a site; the state or country from which you accessed the site; the date and time of your visit; the name of your ISP; the web page you linked to our site from; and the pages you viewed on the site.
Server Location(s): USA
WOT Rating: Good. 5MB of RAM usage when running.
Product type: combines a web service with a stand-alone program.
Advantage: Simple GUI, very lightweight, no installation necessary, fully portable, reasonably fast and secure, direct support for IE.
Disadvantage: Cannot change the default listening port, lack of additional features, only supports and integrates with IE.
Developer's website:
Download page:
Download file size: 1.1 MB
License type: Unrestricted freeware
Portable version available: A portable version of this product is available from the developer.
System requirements: 95 - 7

CyberGhost VPN
CyberGhost VPN is a VPN client offered by S.A.D. GmbH, and their servers are based in Germany. They use 128-bit AES encryption on all connections to ensure a high level of anonymity, and use special data compression techniques to make speeds faster. For their free service, they offer 1 GB a month, which is more than enough for surfing the web. It has a clean and intuitive GUI which is attractive and user-friendly. It supports lots of languages, including English, German, French, Italian, Spanish and Polish. This is a more 'complete' solution compared with others listed here, which is great for everyone. You may have to wait in a queue during peak times due to the service's popularity. I am very pleased with this product and it's well worth a look for anybody who is serious about their privacy and anonymity. Here are some of my personal ratings and a few technical points regarding the program:
   

Speed Rating: Fast
Anonymity Rating: High
Usage Allowance: Low (1 GB a month)
Logging Level: Unknown. Awaiting a response from the CyberGhost VPN team.
Server Location(s): Germany
WOT Rating: Excellent. 27MB of RAM usage when running. You must register in order to use this service.
Product type: combines a web service with a stand-alone program.
Advantage: Nice GUI, relatively fast, very secure, lots of support.
Disadvantage: Registration required, only 1 GB allowance, you may have to wait in a queue at peak times.
Developer's website:
Download page:
Version: 4.7.18
Download file size: 12.47 MB
License type: Unrestricted freeware
System requirements: 95 - 7
Warning: Downloads from Cnet now require the use of a proprietary installer.

Easy to use

The procedure involved sounds very complicated, but we have actually made it very simple. Take the following few steps to make yourself anonymous:
- Download and install the software
- Start the software
- Create an account if you are using the software for the first time
- Log in to the CyberGhost VPN system
- Connect to the service you want
- DONE... you're now surfing anonymously.
- This not only protects the browser, but also all the programs running on your PC.
- This includes, for instance, browsers (Mozilla Firefox, Opera, Internet Explorer, etc.), messengers (ICQ, MSN Messenger, Skype, etc.), download clients (HTTP, FTP, BitTorrent, etc.) and games (WoW, CS:S, etc.).
- Using VPN technologies and separate servers enables you to reach speeds with us which normal proxies or cascades can never offer.

CyberGhost VPN uses 128-bit AES encryption to enable you to surf the Internet anonymously. The IP address that you have been assigned by your access provider is concealed and your data traffic is protected against eavesdropping.

Protecting your data transfers on the Internet
If you have a lost connection, CyberGhost VPN protects your data transfers from becoming visible by automatically reconnecting (only in the Premium version) or interrupting all your other data transfers immediately. The Premium version already comes with 2 GB of completely encrypted data storage. Your data is as secure there as in Fort Knox because no one can crack 256-bit AES encryption.

Up to 30% faster access to websites
Thanks to the use of compression technology, CyberGhost VPN surfers can access many websites up to 30% faster.

Additional firewall functionality
CyberGhost VPN also happens to be a totally reliable firewall. Our VPN servers operate by providing a disguise, thereby preventing the possibility of your computer being attacked. Anyone who cannot be seen on the Internet cannot be attacked either. In addition, the VPN server's firewall blocks all incoming data traffic, which provides an extra precautionary measure while you surf anonymously in absolute security.

Your-Freedom is a Java-based 'sophisticated tunneling solution' brought to you by resolution GmbH. Again, being Java-based means that it is truly a cross-platform solution. The GUI is nothing to write home about; it's a plain and simple-looking Java GUI. They have servers located worldwide, support lots of protocols (such as UDP) and allow you to play online games using the tunnel. However, speeds are slow (64 kbit/s, dial-up speed) for free users, and they also limit usage of the proxy tunnel to up to 6 hours per day or up to 15 hours per week. It's not much at all, and that is why I recommend this service as a backup solution. They only keep logs of your statistical data for accounting purposes. It connects you to a network of about 30 servers across ten countries. Your-Freedom also offers advanced services like OpenVPN and SOCKS, making it a relatively sophisticated tool to bypass Internet censorship.

General Information
Supported operating system:
Localization: 20 languages
Web site:
Forum:
User guide:

Speed Rating: Slow. 64kbit/s (dial-up speed).
Anonymity Rating: High
Usage Allowance: Low. Up to 6 hours per day and up to 15 hours per week.
Logging Level: Minimal. They only keep logs of part of your IP address (16 bits, or half of your IP address) and your statistical data for accounting purposes only; these are usually deleted within 4 weeks.
Server Location(s): Worldwide
Operating System(s):
WOT Rating: Excellent.
Product type: combines a web service with a stand-alone program.
Advantage: Servers located worldwide, support for many protocols.
Disadvantage: Restricted usage up to 6 hours per day or 15 hours per week, dial-up speeds.
Developer's website:
Download page:
Version: 20111201-02
Download file size: 12.02 MB
License type: Unrestricted freeware
System requirements: 95 - 7, Macintosh, Linux/Unix

Preparing the use of Your-Freedom

First, download the tool for free from the Your-Freedom Web site. If you already have Java installed, you can download the small version, which is about 2 MB. To check whether Java is installed, visit the Java Web site. If you don't have Java installed, download the full installer, which is about 12 MB. All files are also available from the download page. If you live in a country where the government censors access to the Internet, Your-Freedom may work for you with the Sesawe account (username: sesawe, password: sesawe). If that doesn't work, you have to register for an account. To get started, register a free account on the Web site.

Click the "First visit? Click here to register" link below the two login fields.

On the next page, enter the required information. Only a username, password, and e-mail address are needed. Other information is optional.

You will see a message that your registration is almost complete and within a few seconds, you should receive an e-mail at the address you provided.

Click the second link (the longer one) to confirm your registration.

When you see the "Thank you" screen, your account has been activated.

The following instructions and screenshots have been captured under Windows, but all the steps and settings are very similar for other operating systems. Now you are ready to install YourFreedom.

Click on the downloaded file. The file name may vary as new versions are released on a regular basis.

Click Next in the first screen.

In the next screen you can choose whether the program should be usable only for your account or for all users of your computer (common). Then click Next.

Choose the directory for installing Your-Freedom. Most users should accept the default selection. Click Next.

On the next screen of the installer you can alter the name which will be used in the program folder. You can leave the default untouched and click Next.

Choose whether you want to create an icon on the desktop. Click Next again. Here you can see a summary of the decisions you made. Confirm them by clicking Next, or go back if anything needs changing.

Now the installation takes place. This may take a few minutes, depending on your PC.

Finally, the installation is complete. Quit the installation program by clicking Finish.

Setup

Your-Freedom will start automatically. When you later want to start it manually, click on the Your-Freedom icon (the door) on your desktop. When you first start Your-Freedom you need to configure it.

The first step is to choose your language. Click on the language you want. You will be able to change the settings later.

Right after the first start you will see the configuration wizard. Click Next.

In the Proxy Server dialog the program will auto-detect the information of a proxy server you can use. Click Next.

In the Select Protocols dialog you should keep the default values and proceed by clicking Next.

Now the Your-Freedom configuration wizard will make several tests to find available servers and check your type of connection and filtering. This may take some minutes. You may get a warning from your firewall (here, for example the one from Windows 7). You can allow access to Your-Freedom.

When the wizard is ready you see the Found Freedom Servers screen where you can choose one server and click Next again.

Now enter your previously created account information. If you don't have an account, you can get free access by sending a request by e-mail (this service is temporarily offline). Click Next.

When you see the "Congratulations!" screen, the configuration wizard is ready. Click on Save and Exit. Your-Freedom is now running on your computer, and you can see an icon in your task bar.

For additional security and better ways to bypass filters you should tweak the options by clicking on Configure in the main Your-Freedom window and selecting the options shown in the screenshot below. Then click Save and Exit.

Now Your-Freedom is connected to a server and provides a local proxy that you can use with your preferred software such as Internet Explorer or Firefox. To automatically configure them, click on the Application tab in the main Your-Freedom window, select which software you want to use and click OK. Your-Freedom will automatically configure that software so that it connects over the encrypted Your-Freedom tunnel to the Internet.

To make sure you are using Your-Freedom correctly go to the Web site and check the Your Footprint section on the left. If the country detected is not where you are, you are successfully using the encrypted Your-Freedom tunnel to access the Internet.

Tor - The Onion Router
For Digital Anonymity and Circumvention
Welcome to the exciting world of Tor! This section is a pure tutorial to get you up and running in the fewest steps possible. Tor is designed to increase the anonymity of your activities on the Internet. It disguises your identity and protects your on-line activities from many forms of Internet surveillance. Tor can also be used to bypass Internet filters. Tor (The Onion Router) is a very sophisticated network of proxy servers.

General Information
Supported operating system:
Localization: 13 languages
Web site:
Mailing list:
FAQ:
IRC: #tor
Works with major web browsers, especially Mozilla Firefox



Your traffic is safer when you use Tor, because communications are bounced around a distributed network of servers, called onion routers. Instead of taking a direct route from source to destination, data packets on the Tor network take a random pathway through several servers that cover your tracks, so no observer at any single point can tell where the data came from or where it's going. This makes it hard for recipients, observers, and even the onion routers themselves to figure out who and where you are. Tor's technology aims to provide Internet users with protection against "traffic analysis," a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Tor aims to make traffic analysis more difficult by preventing eavesdroppers from finding out where your communications are going online, and by letting you decide whether to identify yourself when you communicate.

Tor is the most recommended and rigorously tested tool for keeping your Internet and online activities private and secure.

Things you should know about this tool before you start

Tor is a software tool designed to increase the privacy and security of your Internet activities and habits. It masks your identity and your on-line surfing from many forms of Internet surveillance. Whether or not anonymity is important to you, Tor can also be useful as a secure means of promoting Internet freedom, and circumventing censorship and electronic restrictions so that you may access or publish blogs and news reports. Tor protects your anonymity by routing communications through a distributed network of servers run by volunteers from all over the world. This prevents anyone who may be monitoring your Internet connection from learning what sites you visit, and it prevents those sites from tracing your physical location. As for the Tor proxy server administrators themselves, some of them may discover that you are using Tor, and others may discover that somebody is accessing the sites you visit, but neither will discover both. Each of the relays knows only the IP address of two other machines: the one immediately before it and the one immediately after it in the chain. Tor can disguise your attempts to connect to a particular website, but it was not designed to hide the content of your on-line communication. As a result, it can add an additional layer of protection when used with secure services like Gmail and RiseUp, but should not be used to access unsecured email providers, such as Hotmail and Yahoo, or any website that receives/sends sensitive content over an unsecured http connection.

The goal of this is unlinkability. Tor makes it very difficult for:

• your ISP or any other local observer to know what your target Web site is or what information you are sending
• the target Web site to know who you are (at least, to know your IP address)
• any of the independent relays to know who you are and where you go, either by directly having your IP address or by being able to correlate browsing habits by consistently observing your traffic.

Related definitions:

Port: a port is an access point through which software communicates with services running on other networked computers. If a URL gives you the 'street address' of a service, then the port tells you which 'door' to use once you reach the correct destination. When browsing the Web, you typically use port 80 for unsecured (HTTP) sites and port 443 for secured (HTTPS) ones.

Proxy: A proxy is a software intermediary that runs on your computer, on your local network, or somewhere else on the Internet, that helps to relay your communication toward its final destination.

Route: A route is the communication path on the Internet between your computer and the destination server.

Bridge Relay: A Bridge Relay is a Tor server that can provide your first step into the Tor anonymity network. Bridges are optional, and are designed especially for use by people who live in countries that block access to Tor.

With what software is Tor compatible?

Tor uses a SOCKS proxy interface to connect to applications, so any application that supports SOCKS (versions 4, 4a and 5) can have its traffic anonymized with Tor, including:

• most Web browsers
• many instant messaging and IRC clients
• SSH clients
• e-mail clients
• and more

If you installed Tor from the Vidalia Bundle, Tor Browser Bundle or Tor IM Browser Bundle, Tor will also have configured an HTTP application proxy as a front-end to the Tor network. This will allow some applications that do not support SOCKS to work with Tor. If you are mostly interested in using Tor for Web surfing and chatting, you may find it easiest to use the Tor Browser Bundle or the Tor IM Browser Bundle, which will provide you with ready-to-use, pre-configured solutions. The Tor Browser Bundle also includes Torbutton, which improves privacy protection when using Tor with a Web browser. Both bundles can be downloaded from the Tor Web site.
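The SOCKS interface described above, as an added example that is not code from the book or from the Tor Project: it builds and decodes the SOCKS5 messages an application exchanges with Tor's local SOCKS port, and shows why a hostname should be handed to the proxy rather than resolved locally. The proxy address 127.0.0.1:9050 and the check.torproject.org host name are assumptions, not values taken from the book.

```python
import ipaddress
import socket
import struct

SOCKS_VERSION, CMD_CONNECT, NO_AUTH = 5, 0x01, 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
# Reply codes from the SOCKS5 specification (RFC 1928).
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def greeting() -> bytes:
    """Client hello: version 5, one method offered, 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_method_selection(data: bytes) -> None:
    """Check the proxy's two-byte answer to the greeting."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection: %r" % data)
    if data[1] != NO_AUTH:  # 0xFF means every offered method was refused
        raise ValueError("proxy did not accept 'no authentication': %#x" % data[1])


def connect_request(host: str, port: int) -> bytes:
    """Encode a CONNECT request.

    A hostname is sent as address type 0x03 so that the proxy (here Tor)
    resolves it inside the tunnel. Resolving locally and sending only the IP,
    as plain SOCKS4 must, would emit a DNS query outside Tor that reveals
    the site being visited to a local observer.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname longer than 255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data: bytes):
    """Decode the proxy's CONNECT reply; return (bound_host, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply: %r" % data)
    status, atyp = data[1], data[3]
    if status != 0x00:
        raise ConnectionError(REPLY_TEXT.get(status, "unknown reply code %#x" % status))
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated or oversized reply")
    return host, struct.unpack("!H", rest)[0]


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or fail; recv() may return short reads."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def open_via_tor(host: str, port: int, proxy=("127.0.0.1", 9050), timeout=60):
    """Run the exchange against a live Tor SOCKS port and return the socket.
    The proxy address is an assumption (Tor's usual default), not a value
    taken from the book."""
    sock = socket.create_connection(proxy, timeout=timeout)
    sock.sendall(greeting())
    parse_method_selection(_recv_exact(sock, 2))
    sock.sendall(connect_request(host, port))
    head = _recv_exact(sock, 4)
    if head[3] == ATYP_DOMAIN:
        length = _recv_exact(sock, 1)
        tail = length + _recv_exact(sock, length[0] + 2)
    else:
        tail = _recv_exact(sock, (4 if head[3] == ATYP_IPV4 else 16) + 2)
    parse_reply(head + tail)
    return sock
```

With Tor running, `open_via_tor("check.torproject.org", 443)` returns a socket whose traffic leaves through the Tor circuit; the encode/decode functions work offline.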

Downloading Tor Browser Bundle
You can download the Tor Browser Bundle from the Tor Web site, either as a single file or as a "split" version that comes as multiple files. If your Internet connection is slow and unreliable, the split version may work better than trying to download one very large file. If the Web site is filtered from where you are, type "tor mirrors" in your favorite Web search engine; the results will probably include some alternative addresses to download the Tor Browser Bundle. Get Tor through e-mail: send an e-mail to the GetTor autoresponder with "help" in the message body, and you will receive instructions on how to have the bot send you the Tor software. You can also request a package directly from the "gettor" robot. Remember that e-mails to the robot have to come from Gmail, otherwise they won't get a response. Select one of the following package names and put the package name anywhere in the body of your e-mail:

• tor-im-browser-bundle
• windows-bundle
• panther-bundle
• tor-browser-bundle
• source-bundle
• tiger-bundle

Caution: When you download the Tor Browser Bundle (plain or split version), you should check the signatures of the files, especially if you are downloading the files from a mirror site. This step ensures that the files have not been tampered with. To learn more about signature files and how to check them, read the Tor Project's instructions on verifying signatures. You can download the GnuPG software that you will need to check the signature from the GnuPG Web site.

The instructions below refer to installing Tor Browser on Microsoft Windows. If you are using a different operating system, refer to the Tor Web site for download links and instructions.

Installing from a single file

In your Web browser, enter the download URL for Tor Browser:

Click the link for your language to download the installation file.

How to Extract the Tor Browser Bundle
The Tor Browser Bundle contains everything you need to safely browse the Internet: the Tor program, Polipo, Vidalia, the portable version of Firefox and the Torbutton add-on for Firefox. This package requires no installation; it simply has to be extracted and run. To extract the Tor Browser Bundle, perform the following steps:

Step 1. Double-click the downloaded file. The Open File - Security Warning dialog box may appear; if it does, confirm it to activate the following screen:

The 7-Zip self-extracting archive screen

Note: The Tor Browser Bundle does not automatically install itself in the C:\Program Files directory path, unlike the majority of the installation procedures for our recommended tools.

Important: You may also prefer to install and use the Tor Browser Bundle on a USB memory stick. This may help you to conceal the fact that you are using Tor on your computer.

Step 2. Navigate to the desired folder path for installing the Tor Browser Bundle and then click to confirm your choice, as shown in the following example:

An example of an installation path for the Tor Browser Bundle

Step 3. Click to begin extracting the files and folders comprising the Tor Browser Bundle; the Extracting progress status bar appears as follows:

The Extracting progress status bar

In this example, after the extraction process has been completed, the Tor Browser Bundle will appear under the C:\Program Files\Tor Browser folder path as follows:

The Tor Browser Bundle installed in the Program Files directory

Installing from split files

In your Web browser, enter the URL for the split version of the Tor Browser Bundle, then click the link for your language to get to a page that looks like the one for English below:

Click each file to download it (one ending in .exe and nine others ending in .rar), one after the other, and save them all in one folder on your hard drive. Double-click the first part (the file whose name ends in .exe). This runs a program to gather all the parts together. Choose a folder where you want to install the files, and click Install. The program displays progress messages while it's running, and then quits. When the extraction is completed, open the folder and check that the contents match the image below:

To clean up, delete all the files you originally downloaded.

How to Access the Internet Using the Tor Network
About Accessing the Tor Network

To begin anonymously surfing the Internet, you must start the Tor Browser program. First, it will connect your system to the Tor network. After your computer has successfully established a connection to the Tor network, the Tor Browser will automatically launch a separate instance of the Firefox Portable included in the Tor Browser Bundle.

Note: There is a trade-off between anonymity and speed. Because Tor facilitates anonymous browsing, it will definitely be slower than browsing with another web browser on your computer. Tor bounces your traffic through volunteers' computers in various parts of the world to protect your privacy and security.

How to Connect to the Tor Network

To connect to the Tor network, perform the following steps:

Step 1. Navigate to the Tor Browser folder, and then double-click the Tor Browser launcher to activate the following screen:

The Vidalia Control Panel connecting to the Tor network

As the Vidalia Control Panel initiates a connection to the Tor network, an icon resembling a yellow onion appears in the System Tray. Once the connection between your computer and the Tor network has been successfully established, the icon turns green:

A few moments later, the Tor Browser will activate Mozilla Firefox browser displaying the following screen:

Mozilla Firefox displaying the Are you using Tor? tab

Every time you launch the Tor Browser program, it will automatically open the Vidalia Control Panel and the screens shown above. The Torbutton add-on will appear in the bottom right corner of the screen as follows:

Note: However, if you already had a Mozilla Firefox browser open when you launched the Tor Browser, the Torbutton will appear in disabled mode in that particular browser window as follows:

The Torbutton is used to configure Firefox to properly connect to the Tor network. Simply click the Torbutton to alternate between enabled and disabled states. However, if you are not connected to the Tor network, the Torbutton will be disabled, and the following screen will appear:

Mozilla Firefox displaying the Sorry. You are not using Tor tab

If you see the screen above, a disabled Torbutton (despite your efforts to enable it), or an empty web page, you are not connected to the Tor network.

How to Manually Verify Your Connection to Tor

To manually verify whether or not you are connected to the Tor network, perform the following step:

Step 1. Open the Tor check website (the "Are you using Tor?" page shown earlier). It will confirm whether or not you are connected to the Tor network.

If your web browser is connected to the Internet through the Tor network, websites that may be blocked or restricted in your country will now be accessible, and your on-line activities will remain private and secure. You may also notice that some web pages will occasionally behave as if you are located in a different country. This is normal when using Tor.

How to Browse the Internet using Tor

Although you may begin browsing websites immediately using Firefox with the Tor network, we recommend that you read the following section about configuring Firefox to optimize your online privacy and security.

How to Change Configuration of Mozilla Firefox for Use with Tor

The Torbutton is an add-on or extension for Mozilla Firefox, a small program designed to protect the anonymity and security of your on-line activities by blocking certain vulnerabilities in Mozilla Firefox.

Important: Malicious websites or even a Tor server could still reveal information about your Internet location and your on-line activities, even while you are using Tor. Fortunately, the default configuration of the Torbutton is relatively safe; however, we recommend that you modify the following settings to optimize your on-line privacy and security.

Note: Advanced users with a strong understanding of browser-related security issues may further refine these settings.

The Torbutton Preferences window has three tabs that let you specify different options:

• The Proxy Settings tab
• The Security Settings tab
• The Display Settings tab

The Torbutton Preferences window can be accessed regardless of whether Torbutton is disabled or enabled. To activate the Torbutton Preferences window, perform the following steps:

Step 1. Right-click the Torbutton to activate its menu as follows:

The Torbutton menu

Step 2. Select the Preferences... item to activate the following screen:

The Torbutton Preferences window showing the Proxy Settings tab

The Proxy Settings tab The Proxy Settings tab controls how Firefox accesses the Internet when the Torbutton is enabled. You should not need to change anything in this tab.

The Security Settings tab

The Security Settings tab is designed for experienced and advanced users with in-depth knowledge of Internet security and web browsers. Its default settings offer a high level of privacy for the average user. This tab lets you configure how Torbutton manages browser history, cache memory, cookies and other features in Firefox.

The Security Settings tab

The Disable plugins during Tor usage option is among the few security settings that you may need to turn off, but only temporarily. To display online video content through Tor - including DailyMotion, The Hub and YouTube - you must disable the Disable plugins during Tor usage option.

Note: You should only enable the plugins for trusted websites, and you must return to the Security Settings tab and enable the Disable plugins during Tor usage option once again after you have finished visiting these sites. For more information on the specific function of each option in the Security Settings tab, please refer to the Torbutton documentation.

The Display Settings tab

The Display Settings tab lets you choose how to display the Torbutton in the Firefox status bar, as one of several icon or text styles. It will function as designed regardless of your choice.

The Display Settings tab

Tip: When you have finished browsing, be sure to delete your temporary Internet cache and cookies. This can be done in Firefox by selecting Tools > Clear Recent History..., checking all available options in the presented screen and clicking the Clear Now button.

How to Configure Internet Explorer for Use with Tor

Note: Although Tor is designed to be used with any web browser, Firefox and Tor are the ideal combination for avoiding detection or discovery by hostile or malicious parties. Internet Explorer should ideally be a browser of last resort! However, if you are in a situation where using Internet Explorer is completely unavoidable, perform the following steps:

Step 1. Open the Internet Explorer web browser.
Step 2. Select Tools > Internet Options to activate the Internet Options screen.
Step 3. Click the Connections tab to activate the screen shown in the figure below.

The Connections tab of the Internet Options screen

Step 4. Click to open the Local Area Network (LAN) Settings.
Step 5. Check the Use a proxy server... option as shown in the figure above, and then click to activate the Proxy Settings screen.
Step 6. Complete the fields for the proxy settings as shown below:

An example of a completed Proxy Settings screen

Step 7. Confirm each of the preceding configuration screens to exit the Internet Options window and return to the Internet Explorer browser.

Note: You will need to repeat steps 1 through 4 to stop using Tor. In place of Step 5, you should disable the Use a proxy server... option.

Tip: You must delete your temporary Internet cache, cookies and browser history after your browsing session by performing the following steps:

Step 1. Select Tools > Internet Options to display the default General tab as follows:

The Internet Explorer General tab

Step 2. Click in the Temporary Internet files section to activate the Delete Cookies confirmation dialog box as follows:

The Delete Cookies confirmation dialog box

Step 3. Confirm the dialog box to delete the temporary Internet cookies.
Step 4. Click to activate the Delete Files confirmation dialog box, and then confirm it to delete the temporary Internet files.
Step 5. Click to activate the Internet Options confirmation dialog box, confirm it, and then close the Internet Options window.

Note: To access the Tor network using Internet Explorer you must keep the Tor Browser running with Vidalia connected to the Tor network.

How to Use the Vidalia Control Panel
About the Vidalia Control Panel

The Vidalia Control Panel - which you are now familiar with - is the main console for the Tor program. The Vidalia Control Panel lets you configure important Tor settings and view connection parameters. To open the Vidalia Control Panel, follow the instructions below: If you are already running the Tor Browser, double-click the onion icon in the System Tray to launch the Vidalia Control Panel.

Tip: If you right-click the green onion-shaped icon, the Vidalia Control Panel will appear in the format of a pop-up menu as follows:

The Vidalia Control Panel pop-up menu

If you are not running the Tor Browser, navigate to the Tor Browser folder, and then double-click the launcher to activate the Vidalia Control Panel and automatically connect to the Tor network as follows:

The Vidalia Control Panel displaying a successful connection to the Tor Network

How to View the Tor Connection

Step 1. Click to activate the following screen:

The Tor Network Map

The Tor Network Map lists all the available Tor relay servers which comprise the Tor anonymity network currently in operation. The left sidebar lists these servers by their available bandwidth and geographical location.

Click to list these servers in ascending or descending order of available bandwidth, or the alphabetical order of the country of origin.

Beneath the map of the world are two panes, the Connections pane and the relay details pane. The Connections pane displays the names of randomly selected Tor servers through which your anonymous connection will be routed.

Choose a server from the Connections list to view your actual route through the Tor network, shown as green lines connecting the relays on the map. The adjacent pane displays the connection details for a server selected in the Relay list in the left sidebar; in the figure above, the connection details of a Canadian relay server named settingOrange are displayed.

Note: The Tor Network Map helps to demonstrate how Tor functions by presenting fairly abstract ideas and complex information in a visual manner.

How to View and Configure Vidalia Control Panel Settings
Step 1. Click to activate the following screen:

The Settings screen in the Vidalia Control Panel

The General tab lets you specify whether Vidalia should be automatically launched whenever Windows starts up, and whether it should then launch the Tor program. If you prefer to manually launch the Vidalia program, simply click to disable the Start Vidalia when my system starts option. Note: Users of Beginner or Average skill are advised to accept the default settings as shown in Figure above. Step 2. Click to confirm your settings.

Although the default language for the Tor program is English, the Appearance tab lets you specify another language for the Vidalia Control Panel. It also lets you modify its appearance.

The Appearance screen in the Vidalia Panel

How to Stop and Start the Tor Program

Step 1. Click in the Vidalia Shortcuts panel to stop running the Tor program; the Status section of the Vidalia Control Panel will appear as follows:

The Tor Status section - Tor is not running message

Step 2. Click to start the Tor program again; the Status section of the Vidalia Control Panel will, after a few seconds, appear as follows:

The Tor Status section - Connected to the Network! message

How to Troubleshoot Common Problems in Tor
About Troubleshooting Common Tor Problems

There are a number of reasons why Tor may not function properly. A few of the more common issues are described here, along with suggested solutions.

Note: A surprisingly large number of common errors can be resolved by simply restarting your computer, or by re-extracting the Tor Browser Bundle.

How to View the Message Log

You may view the Tor log messages even while Tor is attempting to establish an initial connection to the Tor network. The log messages can help you determine if the software is working properly, and if not, the cause of the problem.

Step 1. Click to activate the Message Log screen, and then click the Advanced tab to display a screen resembling the following:

The Vidalia Message Log

This log shows that Tor has started. It will continue to display messages about how Tor is functioning. Do not be overly concerned about the experimental software warning; despite its message, Tor is the best and most thoroughly tested anonymity tool available.

Understanding Common Error Messages

There are, however, some important error messages that matter if you are having trouble with Tor; a few are described below.

connection_create_listener(): Could not bind to Address already in use. Is Tor already running?

This message indicates that another Tor program has already been started. The simplest solution in this instance would be to close all running Vidalia programs or to restart the computer.

Vidalia was unable to start Tor. Check your settings to ensure the correct name and location of your Tor executable is specified

This message indicates that the Vidalia program cannot locate the Tor executable file, tor.exe. To resolve this problem, perform the following steps:

Step 1. Restart your computer and try to run the Tor Browser again. If the error persists, perform Step 2.
Step 2. Delete the current Tor Browser folder, and then download the latest version of the Tor Browser Bundle. Extract the Tor Browser Bundle, and then run it.

I have learned some directory information, but not enough to build a circuit

This message may appear repeatedly while Tor is first starting up, and may continue to appear for quite some time if you have a very slow Internet connection. It simply means that Tor is still in the process of downloading the information about the Tor network that it needs to establish a Tor circuit, or connection, for your system. When Tor is ready, the message log will display the following message:

Tor has successfully opened a circuit. Looks like client functionality is working.

A message confirming a successful connection, highlighted in dark blue

This message indicates that Tor has successfully established a path through its network and appears to be functioning correctly.

Note: Even if you are using Mozilla Firefox, you must enable Torbutton before you can anonymously surf the Internet. If you are using a different browser, you must configure its proxy settings so that it connects to the Internet through Tor.

If the message log fails to produce new information after fifteen minutes or so, and even after displaying an Opening Control listener or a Tor has learned some directory information, but not enough to build a circuit message, then you might need to adjust the Tor network settings. It is possible that your current Internet connection requires you to use a particular web proxy or that it blocks certain ports. It is also possible that your government or ISP has begun blocking access to the Tor network.
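A small monitor for the message-log conditions described in this troubleshooting section, as an added example that is not code from the book, Vidalia or the Tor Project. It recognises the documented messages, supplies the matching advice, and flags a start-up that has produced no new message for fifteen minutes; the line format (month, day, time, level in brackets, message) follows Tor's own log output, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Tor log lines look like "Feb 13 10:00:05.000 [notice] message"; Vidalia's
# own pop-up messages carry no timestamp and are classified by text only.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,6})?) "
    r"\[(?P<level>\w+)\] (?P<msg>.*)$"
)

# (category, text that identifies it, what to do), taken from the
# troubleshooting section above. The first matching rule wins.
RULES = [
    ("already_running", "Address already in use",
     "Another Tor instance holds the port: close every Vidalia/Tor window or reboot."),
    ("no_tor_exe", "unable to start Tor",
     "Vidalia cannot find tor.exe: reboot, then re-extract a fresh Tor Browser Bundle."),
    ("bootstrapping", "not enough to build a circuit",
     "Tor is still fetching directory information; on a slow link this takes a while."),
    ("control_listener", "Opening Control listener", "Tor is starting up."),
    ("connected", "successfully opened a circuit",
     "A circuit is up: enable Torbutton, or point your browser's proxy at Tor."),
]
STALL_LIMIT = timedelta(minutes=15)
STALL_ADVICE = ("No new message for 15 minutes: adjust the network settings (proxy, "
                "allowed ports 80/443, or bridge relays); your ISP may be blocking Tor.")


def parse_timestamp(text: str, year: int) -> datetime:
    """Tor omits the year from its timestamps, so the caller supplies it."""
    if "." not in text:
        text += ".0"
    return datetime.strptime(text, "%b %d %H:%M:%S.%f").replace(year=year)


def classify(message: str):
    """Map one message to (category, advice); ('other', None) if unrecognised."""
    for category, needle, advice in RULES:
        if needle in message:
            return category, advice
    return "other", None


def parse_line(line: str, year: int):
    """Return (timestamp or None, message text)."""
    m = LINE_RE.match(line)
    if not m:
        return None, line.strip()
    return parse_timestamp(m.group("ts"), year), m.group("msg")


def assess(lines, now: datetime, year: int) -> dict:
    """Walk the log and report the current state plus the recommended action."""
    last_ts, last_category, last_advice = None, "unknown", None
    for line in lines:
        ts, msg = parse_line(line, year)
        if ts is not None:
            last_ts = ts
        category, advice = classify(msg)
        if category != "other":
            last_category, last_advice = category, advice
    status, advice = last_category, last_advice
    if last_category in ("bootstrapping", "control_listener"):
        status = "starting"
        if last_ts is not None and now - last_ts >= STALL_LIMIT:
            status, advice = "stalled", STALL_ADVICE
    age = None if last_ts is None else (now - last_ts).total_seconds() / 60
    return {"status": status, "advice": advice, "minutes_since_last_message": age}


# Constructed sample log (not real output) showing a start-up that then stalls.
SAMPLE_LOG = [
    "Feb 13 10:00:01.000 [notice] Opening Control listener on 127.0.0.1:9051",
    "Feb 13 10:00:05.000 [notice] I have learned some directory information, "
    "but not enough to build a circuit.",
]

if __name__ == "__main__":
    print(assess(SAMPLE_LOG, parse_timestamp("Feb 13 10:20:00", 2012), 2012))
```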

How to Configure the Tor Network Settings

If you find that Tor fails to connect when you first install or run it, or that it has stopped functioning properly, changing the network settings may fix the problem. The network connection settings concern the proxy server, ports and bridge relays.

Step 1. Click in the Vidalia Control Panel to stop Tor.
Step 2. Click to activate the Settings window.
Step 3. Click to view the Settings window in Network mode as follows:

The Settings window in Network mode

Step 4. Click to accept the settings and close the Settings window, then click in the Vidalia Control Panel to start Tor.

How to Use a Proxy Server with Tor

If you are required to use a proxy server to access the Internet, then specify its details in this window. In general, proxy servers are more common on corporate and university networks, but proxy servers are occasionally required at Internet cafes or even nationwide in some countries. If the necessary proxy information is not clearly posted, you may have to ask a network administrator or someone using the same Internet connection.

Step 1. Check the I use a proxy to access the Internet option.
Step 2. Enter the proxy details into the fields provided:

The proxy settings section

How to Manage Port Restrictions

Some network or computer settings may restrict access to certain ports. If you can browse websites normally, then you can rely on at least two ports (80 and 443) being accessible. You can configure Tor to work exclusively through these ports.

Step 1. Check the My firewall only lets me connect to certain ports option.
Step 2. The Allowed Ports field should already display '80,443', as shown in the figure below:

The Firewall Settings section specifying open ports on the network

How to Use a Bridge Relay
If you still are unable to connect to the Tor network, two options remain:

Option 1: Refer to the Tor FAQ wiki for suggestions.

Option 2: If you reside in one of the few countries that actively block Tor from accessing the Internet, you may need to use a bridge relay (or bridge for short) to establish a connection to the Tor anonymity network. A Tor bridge allows you to access the Tor network, even if it is blocked from within your country, by providing a hidden 'first step' into the network. To use this option, you must provide Tor with the address of at least one bridge. Ideally, you should enter three or more bridge addresses. If someone you know and trust is already using a bridge, you may ask them for this information. Alternatively, you may use one of two methods supported by the Tor Project Bridge Database.

Method 1: Send an email to , from any Gmail account, with the words "get bridges" in the main text of your message. The database will reply with addresses for three bridges. (Remember, you should only ever log into your Gmail account using the address!)

Almost instantly, you will receive a reply that includes information about a few bridges:

Important Notes:

1. You must use a Gmail account to send the request. If the database accepted requests from other mail accounts, an attacker could easily create a lot of email addresses and quickly learn about all the bridges. If you do not have a Gmail account already, creating one takes only a few minutes.

2. If you are on a slow Internet connection you can use the URL for direct access to the basic HTML version of Gmail.

Method 2: Close the Tor program and go to the Tor Project Bridge Database website, and it will display information about three different bridges.

Note: The Bridge Database is designed to prevent anyone from easily learning all of the bridge addresses; at first, it appears to advertise the same bridges each time you ask. After enough time has passed, however, it will eventually provide new addresses.

Step 1. Check the My ISP blocks connections to the Tor network option.

Step 2. Cut and paste or type a bridge address into the Add a Bridge field, as shown in the figure below. Bridge information will include an IP address and port number, and may also include a long string of letters and numbers (the bridge's fingerprint) at the end, such as 80E03BA048BFFEB4144A4359F5DF7593A8BBD47B.

Step 3. Click the button beside the field to add the address into the pane beneath the Add a Bridge text field.

Step 4. Repeat steps 2 and 3 for each additional bridge address; it is recommended that you enter a minimum of three; to enter more, you may have to wait a while for the bridge database to refresh itself.

Adding a Bridge Relay Address

Note: Add as many bridge addresses as you can. Additional bridges increase reliability. One bridge is enough to reach the Tor network; however, if you have only one bridge and it gets blocked or stops operating, you will be cut off from the Tor network until you add new bridges. To add more bridges in your network settings, repeat the steps above with the information on the additional bridges that you got from the e-mail message.
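Vidalia saves the proxy, allowed-ports and bridge settings described in the three sections above into Tor's configuration file, torrc, and you can write them there by hand if you run Tor without Vidalia. The fragment below is an added example for this guide, not text from the Tor Project; the proxy host name and the bridge addresses are constructed placeholders from the documentation address ranges, and the fingerprint reuses the format example from the bridge steps. Use only the section that applies to your network.

```conf
# Added example: torrc lines matching the Vidalia Network settings page.
# Proxy host, credentials and bridge addresses are placeholders; replace
# them with what your administrator or the bridge database gives you.

# --- "I use a proxy to access the Internet" ---
# Tor can reach the network through an HTTP CONNECT proxy; the
# Authenticator line is needed only if the proxy asks for a login.
HTTPSProxy proxy.example.net:3128
HTTPSProxyAuthenticator username:password

# --- "My firewall only lets me connect to certain ports" ---
# Build circuits only through relays that listen on 80 or 443.
ReachableAddresses *:80,*:443

# --- "My ISP blocks connections to the Tor network" ---
# With UseBridges set, Tor connects only to the bridges listed here,
# so enter several: one blocked bridge should not cut you off.
UseBridges 1
Bridge 192.0.2.10:443 80E03BA048BFFEB4144A4359F5DF7593A8BBD47B
Bridge 198.51.100.22:80
Bridge 203.0.113.7:443
```

After editing torrc, restart Tor and watch the message log for the same "Bootstrapped 100%" line the Vidalia steps look for; a typo in a Bridge line shows up there as a failure to reach that bridge rather than as a configuration error.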

Tor Relay to help other people
If you live in an area with little or no Internet censorship, you may want to run a Tor relay or a Tor bridge relay to help other Tor users access an uncensored Internet. The Tor network relies on volunteers to donate bandwidth. The more people run relays, the faster and more secure the Tor network will be. To help people using Tor bypass Internet censorship, set up a bridge relay rather than an ordinary relay. Bridge relays (or bridges for short) are Tor relays that are not listed in the main (and public) Tor directory. Even if an ISP is filtering connections to all the known Tor relays, it probably will not be able to block all the bridges.

Risks of operating a Tor node (Tor relay)
A Tor node is a kind of public proxy, so running one can have the general risks of running a proxy mentioned in the "Risks of Operating a Proxy" chapter of this manual. However, a Tor node is typically set up in one of two ways: as an exit node or as a middleman node (sometimes called a non-exit node). A middleman node forwards encrypted traffic only to other Tor nodes, and does not allow anonymous users to communicate directly with sites outside of the Tor network. Running either kind of node is helpful to the Tor network as a whole. Running an exit node is particularly helpful because exit nodes are comparatively scarce. Running a middleman node is comparatively less risky because the middleman node is unlikely to draw the kinds of complaints that a public proxy might, since the IP address of a middleman node will never appear in the log files of the sites being visited. Since a bridge is not an exit node, you are unlikely to receive complaints about the use of a bridge node by others. Even though it is unlikely to draw specific complaints, operating a middleman or bridge node may cause your ISP to object for more general reasons. For example, the ISP may disapprove of the Tor network or may forbid subscribers from operating any sort of public service. You can find more best practices on how to safely run a Tor exit node on

What do I need to run a relay or a bridge relay?
There are only a few prerequisites for running a Tor relay:

• Your Internet connection needs to have a bandwidth of at least 20 kilobytes/second in both directions (and it needs to be OK for your connection to be constantly in use when your computer is on).
• You need an Internet connection with an IP address that is publicly routable. If your computer is behind a network address translation (NAT) firewall and doesn't have access to its public (or external) IP address, you'll need to set up a port forwarding rule on your router. You can do this via the Tor Universal Plug and Play facility, or manually, by following the instructions in your router manual or at (

What is not required:

• Your computer does not have to be always on and online (the Tor directory will figure out when it is).
• You do not need to have a static IP address.

Downloading Tor
To download Tor, go to the Web site and click Download in the navigation menu. On the Available Tor Bundles page, select the stable version that fits your operating system.

Installing Tor on GNU/Linux
You can find detailed instructions on how to set up a Tor relay or bridge on

Installing Tor on Microsoft Windows
Launch the installer and click Next when asked. If you are using Firefox, install all the components. If you do not have Firefox installed, deselect Torbutton (you will have the option to install Firefox and Torbutton afterwards). When the installation is completed, launch Tor by clicking Finish with the "Run installed components now" box selected.

Configuring Tor to be a bridge
To activate your bridge:

1. Open the Vidalia control panel.

2. In the Vidalia control panel, click Settings:

3. In the Settings window, click Sharing:

4. To create the bridge, click "Help censored users reach the Tor network":

5. If you are using a NAT IP address on a local network, you will need to create a port forwarding rule in your router. You can ask Tor to try to configure port forwarding for you. To do so, click "Attempt to automatically configure port forwarding":

6. Click Test to see if Tor has correctly created a setting for port forwarding in the router:

If Tor could not configure port forwarding, please read the Tor FAQ entry on this topic:

Congratulations. If all has gone well, your bridge is up and running. Your bridge information will be added to the hidden bridge directory and made available to users who request it.

Sharing your bridge with friends
If you specifically established your bridge to help a friend access the Tor network, you can copy the information at the bottom of the Settings window and send it to her:
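The Sharing page above writes a handful of lines into torrc; seeing them spelled out makes clear what a bridge is (a relay that is announced only to the bridge authority and never exits traffic). This is an added example for this guide, not configuration from the Tor Project or Vidalia; the nickname and contact address are constructed placeholders.

```conf
# Added example: torrc equivalent of Vidalia's "Help censored users reach
# the Tor network" setting. Nickname and ContactInfo are placeholders.
ORPort 443                       # port censored users connect to; forward it on your router
BridgeRelay 1                    # act as a bridge, not a publicly listed relay
PublishServerDescriptor bridge   # announce only to the bridge authority, not the public directory
ExitPolicy reject *:*            # a bridge never exits: no traffic leaves the Tor network from here
Nickname ExampleBridge
ContactInfo bridge-admin@example.org
# Tor releases of this period could ask a UPnP router to open ORPort for you,
# which is what the "Attempt to automatically configure port forwarding" box does:
# PortForwarding 1
```

The reject-everything exit policy is what keeps a bridge in the low-risk "middleman" category described in the risks section: sites visited through Tor never see your address. The line to give a friend is the bridge's address, port and fingerprint, in the same "Bridge IP:port FINGERPRINT" form that appears in the Add a Bridge field on the client side.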

Anonymous blogging over the Tor network
Register your new anonymous blog
a) Turn Tor on in your browser, or start Tor Browser Bundle. Visit and sign up for a new account by clicking the “Get a New WordPress Blog” link. Use the email address you just created and create a Username that will be part of your blog address:

b) WordPress will send an activation link to your webmail account. Use your Tor-enabled browser to retrieve the mail and follow that activation link. This lets WordPress know you’ve used a live email account and that they can reach you with updates to their service; as a result, they’ll make your blog publicly viewable and send you your password. You’ll need to check your webmail again to retrieve this password.

c) Still using Tor, log into your new blog using your username and password. Click on “My Dashboard”, then on “Update your profile or change your password.” Change your password to a strong password that you can remember. Feel free to add information to your profile as well… just make sure none of that information is linked to you!

Post to your blog
a) Write your blog post offline. Not only is this a good way to keep from losing a post if your browser crashes or your net connection goes down, it means you can compose your posts somewhere more private than a cybercafe. A simple editor, like WordPad for Windows, is usually the best to use. Save your posts as text files. (After blogging, always remember to remove these files from your machine completely, using a tool like Eraser or CCleaner, which is available in many languages and wipes temporary files automatically from all installed browsers and other applications.)

b) Turn on Tor, or use Tor Browser from your USB key, and log onto your blog. Click the “write” button to write a new post. Cut and paste the post from your text file to the post window. Give the post a title and put it into whatever categories you want to use.

c) Before you hit “Publish”, there’s one key step. Click on the blue bar on the right of the screen that says “Post Timestamp.” Click the checkbox that says “Edit Timestamp”. Choose a time a few minutes in the future; ideally, pick a random interval and use a different number each time. This will put a variable delay on the time your post will actually appear on the site: WordPress won’t put the post up until it reaches the time you’ve specified.

Why should I do that?
By editing the timestamp, we’re protecting against a technique someone might use to try to determine your identity. Imagine you’re writing a blog called “Down with Ethiopia Telecommunications Company!” Someone at ETC might start following that blog closely and wonder whether one of their customers was writing the blog. They start recording the times a post was made on the blog and check these timestamps against their logs. They discover that a few seconds before each post was made over the course of a month, one of their customers was accessing one or another Tor node. They conclude that their user is using Tor to post to the blog and turn this information over to the police. By changing the timestamp of the posts, we make this attack more difficult for the Internet service provider. Now they’d need access to the logs of the WordPress server as well, which are much harder to get than their own logs. It’s a very easy step to take that increases your security.
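To see what the delayed timestamp buys you, here is a toy model of the comparison described above, written as an added example for this guide (not from the original text). The Tor session times and the correlation window are constructed numbers, not real logs; the point is only that a post which goes live a fixed minute after you connect lines up with the connection record every time, while a post held back by an unpredictable delay does not.

```python
"""Added example (not from the guide): a toy of the timestamp comparison
described above, showing what the "Edit Timestamp" delay buys you.
All timestamps are constructed minute counters; no real logs are used.
"""
import secrets

WINDOW = 2   # minutes after a Tor session starts within which a post looks correlated

# Constructed ISP record: minute (since start of month) at which one
# subscriber connected to a Tor node, once per post written.
TOR_SESSIONS = [1000, 5230, 9870, 14410, 20115, 26540, 31002, 37800]


def correlated_posts(tor_sessions, post_times, window=WINDOW):
    """Number of posts that went live within `window` minutes after a Tor
    session began.  Every hit is one more data point tying the subscriber
    to the blog; eight hits out of eight posts is a conclusion."""
    return sum(1 for post in post_times
               if any(0 <= post - start <= window for start in tor_sessions))


def random_delay(min_minutes=5, max_minutes=180):
    """Publishing delay drawn from a CSPRNG, so each post gets a different,
    unpredictable offset (a constant offset could simply be subtracted)."""
    return min_minutes + secrets.randbelow(max_minutes - min_minutes + 1)


def schedule(compose_times, delays):
    """Timestamps an observer sees when each post is held back by its delay."""
    return [t + d for t, d in zip(compose_times, delays)]


def demo():
    """Compare publishing at once with publishing after a random delay."""
    immediate = schedule(TOR_SESSIONS, [1] * len(TOR_SESSIONS))   # live one minute after connecting
    jittered = schedule(TOR_SESSIONS, [random_delay() for _ in TOR_SESSIONS])
    return (correlated_posts(TOR_SESSIONS, immediate),
            correlated_posts(TOR_SESSIONS, jittered))


if __name__ == "__main__":
    before, after = demo()
    print("correlated posts without delay: %d of %d" % (before, len(TOR_SESSIONS)))
    print("correlated posts with random delay: %d of %d" % (after, len(TOR_SESSIONS)))
```

Two practical consequences follow from the model: the delay has to be longer than the time you stay connected to Tor (a post that appears while you are still online is still correlated), and it has to vary, because a delay that is always the same number of minutes is as easy to line up as none at all.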

Clean your track
a) Securely erase the rough drafts of the post you made from your laptop or home machine. If you used a USB key to bring the post to the cybercafe, you’ll need to erase that, too. It’s not sufficient to move the file to the trash and empty the trash; you need to use a secure erasing tool like Eraser or CCleaner, which overwrites the old file with data that makes it impossible to retrieve. On a Macintosh, this functionality is built in: move a file to the trash and choose “Secure Empty Trash” from the Finder menu.

b) Clear your browser history, cookies and passwords from Firefox. Under the Tools menu, select “Clear Private Data”. Check all the checkboxes and hit “OK”. You might want to set up Firefox so that it automatically clears your data when you quit; you can do this under “Firefox > Preferences > Privacy > Settings”. Choose the checkbox that says “Clear private data when closing Firefox”. In case you cannot install programs on the computer, use the IE Privacy Cleaner tool from the USB stick to wipe temporary browser data.

Note: It’s very easy for someone to view the websites you’ve visited on a computer by reviewing your browser history. More sophisticated snoops can find out your browsing history by checking your cache files, which include stored versions of webpages. We want to clear all this data out from a public computer so that the next user doesn’t find it. And we want to eliminate it from our personal computer so that if that computer were lost, stolen or seized, we can’t be linked to the posts we’ve made.

It’s not enough just to protect yourself when writing to your own blog. If you’re going to post comments on other blogs using your “nom de blog”, you need to use Tor when posting those comments as well. Most blog software records the IP a comment came from - if you don’t use Tor, you invite whoever runs that site to track your IP address back to your computer. Tor’s like a condom - don’t practice unsafe blogging.

Just because you’re anonymous doesn’t mean you shouldn’t make your blog pretty. The “Presentation” tab in Wordpress has lots of options to play with - you can pick different templates, even upload photos to customize some of them. But be very, very careful in using your own photos - you give a lot of information about yourself in posting a photo (if the photo was taken in Zambia, for instance, it’s evidence that you are or were in Zambia.)

If you’re really worried about your security, you might want to go a step further in setting up your Firefox browser and turn off Java. There’s a nasty security bug in the most recent release of Java that allows a malicious script author to figure out what IP address your computer has been assigned EVEN IF YOU ARE USING TOR. We don’t worry too much about this because we don’t think that or Google are running these malicious scripts… but it’s something to seriously consider if you’re using Tor for other reasons. To turn off Java, go to “Firefox > Preferences > Content” and uncheck the box for Enable Java. If you’re the only person in your country using Tor, it becomes pretty obvious: the same user is the only one who accesses the IP addresses associated with Tor nodes. If you’re going to use Tor and you’re worried that an ISP might be investigating Tor use, you might want to encourage other friends to use Tor; this creates what cryptographers call “cover traffic”. You also might want to use Tor to read various websites, not just to post to your blog. In both cases, this means that Tor is being used for reasons other than just posting to your anonymous blog, which means that a user accessing Tor in an ISP’s server logs doesn’t automatically make the ISP think something bad is taking place.

Mirroring your WordPress Blog
One way to increase access to blocked sites for Internet users in countries that filter online content is through mirroring: duplicating a site's content on another domain name or subdomain. Mirror sites automatically reflect any changes made to the original site, allowing blog authors to get around censorship by providing multiple locations where readers can access their content. The following instructions are for bloggers with self-hosted WordPress blogs. A self-hosted WordPress blog is one that is not hosted on the free blogging service, but rather on a separate server using the publishing platform. For more information, see

1- Duplicating your content without mirroring
One simple way to help blocked users access your blog is to duplicate its content on other sites. Though the URL or IP address of your site may be blocked, services that republish your content may be available. Tools like Google Reader, FriendFeed, Google Buzz, Facebook and other RSS readers give visitors more ways to access your site by republishing your content in multiple locations. In order to use these services, you need to publish an RSS or Atom feed. WordPress automatically creates these feeds for your blog, but if you plan to use these tools to make blocked content accessible to readers, make sure to:

• Include all of your content in your feed, not just basic titles, headlines and excerpts. In WordPress this is controlled by a setting in the Settings > Reading page. Where it says "For each article in a feed, show" ensure that "Full text" is selected.
• Check that the media files used in your blog content are not blocked for your readers. If the images/videos/audio included or linked to from your posts are hosted on your domain, then readers may not be able to view them even if they can read your RSS feed. Instead of hosting your multimedia content on your blocked web site, try to utilize social media sites that are not blocked in your target country. Uploading your content to sites like YouTube or Flickr and linking to it from your blog may help make it available to visitors who would otherwise only be able to see your text.

Note: You should make sure that the services you choose are not banned in your target country. The OpenNet Initiative has a map showing which countries currently block Facebook, Flickr and YouTube.
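Both checks in the list above can be made against the feed itself before you rely on feed readers to carry your content. The script below is an added example for this guide, not WordPress code; the sample feed, the blog domain and the image hosts in it are constructed. It flags posts that reach the feed only as an excerpt (WordPress omits the content:encoded element when "Summary" is selected) and media URLs inside full-text posts that point back at the blocked domain.

```python
"""Added example (not from the guide): two checks on a WordPress RSS feed
before relying on feed readers to carry blocked content.  SAMPLE_FEED,
BLOCKED_HOST and the media hosts are constructed."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

CONTENT_NS = "http://purl.org/rss/1.0/modules/content/"
BLOCKED_HOST = "yourblog.example"   # constructed: the domain readers cannot reach

SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel><title>Constructed sample feed</title>
<item>
  <title>Full post</title>
  <link>http://yourblog.example/2012/05/full-post/</link>
  <description>Short excerpt [...]</description>
  <content:encoded><![CDATA[<p>Whole post body.</p>
<img src="http://yourblog.example/wp-content/uploads/photo.jpg" />
<img src="http://img.photohost.example/photo.jpg" />]]></content:encoded>
</item>
<item>
  <title>Excerpt only</title>
  <link>http://yourblog.example/2012/05/excerpt-only/</link>
  <description>Only this excerpt reaches feed readers [...]</description>
</item>
</channel></rss>"""


def items(feed_xml):
    """Yield (title, full_html_or_None) for each <item> in an RSS 2.0 feed."""
    root = ET.fromstring(feed_xml)
    for item in root.iter("item"):
        body = item.find("{%s}encoded" % CONTENT_NS)
        html = body.text if body is not None and body.text and body.text.strip() else None
        yield item.findtext("title", ""), html


def excerpt_only_titles(feed_xml):
    """Posts that feed readers would see only as an excerpt."""
    return [title for title, html in items(feed_xml) if html is None]


def media_on_blocked_host(feed_xml, blocked_host=BLOCKED_HOST):
    """Media URLs inside full-text items that point back at the blocked host."""
    found = []
    for _title, html in items(feed_xml):
        if html is None:
            continue
        for url in re.findall(r'<(?:img|video|audio|source)\b[^>]*\bsrc="([^"]+)"', html):
            host = urlparse(url).hostname or ""
            if host == blocked_host or host.endswith("." + blocked_host):
                found.append(url)
    return found


if __name__ == "__main__":
    print("excerpt-only posts:", excerpt_only_titles(SAMPLE_FEED))
    print("media still on the blocked host:", media_on_blocked_host(SAMPLE_FEED))
```

Run it against your live feed by replacing SAMPLE_FEED with the text of /feed/ on your site; an empty list from each function means the feed is ready to be republished.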

2- Making your blog secure
Before you start the process of mirroring your blog to evade censorship you should ensure that you are in fact being targeted by a government, rather than experiencing non-political security problems. WordPress, due to its popularity, is targeted by an army of creative and dedicated hacker-spammers who break into WordPress-powered sites so they can add spam links or use other illegal and abusive search engine optimization (SEO) tricks that exploit your site's popularity. One possible effect of these intrusions is that your site may be blocked by filtering software or even Google for including inappropriate content (put on your site by the hackers) or for serving malware/spyware to visitors, another common strategy for hackers who take over WordPress sites. Ensuring that your site is secure and firmly in your control is a good idea no matter what, but if you think you are blocked then the process of investigating security may turn up new clues that point to a more mundane problem. If you discover that your site has in fact been compromised and you are able to fix it, then you can get your site reinstated in Google or removed from commercial filters by requesting that your site be reviewed. By the same token, if you are worried about governments hoping to censor you, then having a particularly secure site is a good idea either way, as it will protect your site and personal information from politically malicious hacking attempts. The WordPress Codex offers advice about what to do if you think your site has been hacked and how to harden WordPress to make it more secure. The fundamental goals are to ensure that no users exist on your site that you don't know about and that all the files on your server are the ones you expect. Hackers will upload new files and use them to rehack you if they are locked out. They will also inject content into your database and hide users where you can't find them.

The easiest way to audit your site is to use some of the many WordPress security plugins that exist for the job. Here is a short list of some of the best ones (you don't need to install them all, but considering what they offer is useful):

Some trusted WordPress security plugins
• WP Security Scan: Scans your WordPress installation for security vulnerabilities and suggests corrective actions.
• WordPress Firewall Plugin: Investigates web requests with simple WordPress-specific heuristics to identify and stop the most obvious attacks.
• WordPress File Monitor: Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
• WordPress Database Backup: Creates backups of your database, including automatic regular ones. This is particularly important because if you are hacked you need a backed-up database that you know has not had malicious content added into it.
• Secure WordPress: Helps to secure your WordPress installation: removes error information on the login page; adds index.html to the plugin directory; removes the WordPress version, except in the admin area.

• Maximum Security for WordPress: Guards against intrusion; tracks a plethora of events; blocks malicious content that could harm your readers and your search engine ranking; and includes a strong Web application firewall along with a full-blown intrusion prevention system.
• Login LockDown WordPress Security: Records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP address, then the login function is disabled for all requests from that range.
• ChapSecureLogin: You can use this plugin to process your password encryption. The encryption process is created by the CHAP protocol; this is particularly useful when you can't use SSL or any other kind of secure protocol.
• Theme Authenticity Checker: TAC searches the source files of every installed theme for signs of malicious code and reports any that it finds.
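The second of the "fundamental goals" above, that every file on the server is one you expect, is what the file-monitor plugin checks, and the check is small enough to run yourself from a shell account or cron job. The script below is an added example for this guide, not the plugin's code: it hashes every file under the site root into a baseline manifest, which you keep off the server, and later reports files that were added, deleted or changed. The demo() function builds a constructed mini site tree in a temporary directory and simulates the kind of tampering the text describes (a PHP file appearing under uploads, index.php edited, a file removed).

```python
"""Added example, not the plugin's code: the file-integrity check that
"WordPress File Monitor" automates.  Hash every file under the site root
once (the baseline), keep that manifest somewhere the web server cannot
write, and compare later.
"""
import hashlib
import json
import os
import sys
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file below root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def save_baseline(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return (added, deleted, changed): sorted lists of relative paths."""
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, deleted, changed


def demo():
    """Constructed site tree: take a baseline, tamper with it, report the diff."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php require 'wp-blog-header.php';\n")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_NAME', 'wp');\n")
    baseline = hash_tree(root)

    # Simulated tampering: unexpected PHP file in uploads, index.php edited,
    # wp-config.php gone.  Contents are placeholders, not real malicious code.
    with open(os.path.join(uploads, "cache.php"), "w") as f:
        f.write("<?php /* placeholder for a file you did not put here */\n")
    with open(os.path.join(root, "index.php"), "a") as f:
        f.write("// unexpected extra line\n")
    os.remove(os.path.join(root, "wp-config.php"))
    return compare(baseline, hash_tree(root))


if __name__ == "__main__":
    # Usage: fim.py baseline SITE_ROOT MANIFEST   |   fim.py check SITE_ROOT MANIFEST
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        save_baseline(hash_tree(sys.argv[2]), sys.argv[3])
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        added, deleted, changed = compare(load_baseline(sys.argv[3]), hash_tree(sys.argv[2]))
        for label, paths in (("added", added), ("deleted", deleted), ("changed", changed)):
            for p in paths:
                print("%-8s %s" % (label, p))
    else:
        print("demo result (added, deleted, changed):", demo())
```

Exclude directories that legitimately churn (cache folders, upload folders that only you write to can stay in) rather than ignoring the whole of wp-content, since uploads is exactly where unexpected PHP tends to appear; and store the manifest outside the document root, because an intruder who can edit the baseline can hide from it.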

3- Determining if and how your site is blocked, depending on the Internet filtering technique
The most popular filtering techniques are DNS filtering, Uniform Resource Locator (URL) filtering, IP filtering and keyword filtering. If you can identify which techniques are being used to block your blog, you can determine the best way to make it available again for blocked users. A good place to start is to check the OpenNet Initiative's country profiles here: to see which filtering methods are used in the place where you suspect your blog is being blocked.

Assessing whether your site is blocked is an important part of this process. It's possible that setup, security or even connectivity problems, rather than censorship, are causing some readers to find the site inaccessible. To fully determine the nature of any filtering or blocking of your site you will need to communicate with affected individuals and ask them to help you test the situation. Making connections with a group of testers is likely to prove valuable. If you want to crowd-source the testing of whether your site is blocked in different locations you may want to check out Herdict: , a site that lets people state their location and whether they can access your site, creating a map of where you are likely blocked.

Censorware
Some countries use filtering software (censorware), such as WebSense or SmartFilter, that blocks access to sites based on their categorization as "harmful," "gambling," "spam," etc. If you think your site might have been blocked due to being flagged as harmful or spam, you can use Google's Safe Browsing diagnostic tool (look up your URL there) or a similar service, such as McAfee's SiteAdvisor: , to check its status. Such blocking can result from an insecure site that has become a source of malware due to being hacked. If you have fixed the security problem or your blog has been flagged in error, you can contact Google to request reconsideration of your site here:

IP Blocking
The first step to determining if your IP address is being blocked is to figure out what your IP address is. You can use an IP lookup tool: to find out which IP address corresponds to your blog's domain name. The next step is to check whether this IP address is blocked. It's possible that your site's IP address is blocked not because of your content, but because another site with the same IP on the same shared host was blocked. To see what sites share a particular IP address, you can perform a reverse IP lookup: . If you suspect your site is being blocked accidentally because of its shared IP you can contact your hosting service and ask them to change the IP of your site somehow (e.g. by migrating it to another server or cluster). You may need to purchase a dedicated IP address to have it changed, which can be costly. Another solution to IP filtering, although inconvenient, would be to move your site to a new host entirely, which would give you a new IP address.

Keyword Filtering
If your blog is a victim of keyword filtering, you will need to purchase another domain name. You should also avoid using that keyword in your blog title, the titles of your blog posts and pages, your tags and your categories, your images and media files. As explained above, keyword filtering targets a specific word and the ultimate solution is to avoid using this word in all your URL paths. Keyword filtering is particularly difficult to address, since you will need to change all the URLs within your site to avoid using the blocked word. In the process you will lose incoming links, pingbacks and links coming from popular search engines and aggregators. You may want to try using the Permalink Migration WordPress plugin: , which will help you change your URLs without affecting your search engine rankings or breaking pre-existing links to your web site.
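The three subsections above (and the DNS and URL techniques named at the start of this section) each leave a different signature in what a blocked reader observes, and the remedy differs for each, so it helps to have the decision written down. The script below is an added example for this guide, not a tool the text mentions: a tester inside the filtered network records a handful of observations, and the rules, which are my own simplification, map them to a technique and to the remedy this guide gives for it. The remedy for DNS filtering is my inference (a subdomain of a filtered name is normally filtered with it); the true IP and the sample probes are constructed.

```python
"""Added example (not from the guide): classify what a blocked reader
reports into a filtering technique and the remedy the guide suggests.
The rules are a simplification for illustration; TRUE_IP and the sample
probes are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

TRUE_IP = "192.0.2.44"   # constructed: what your own lookup of the blog's name returns


@dataclass
class Probe:
    """Observations made by a reader inside the filtered network."""
    dns_answer: Optional[str]           # IP their resolver returned; None if lookup failed
    tcp_connect: bool                   # could they open TCP port 80/443 to that IP?
    root_status: Optional[int]          # HTTP status for GET / on your domain; None = reset/timeout
    keyword_path_status: Optional[int]  # status for a URL on your site containing the suspect keyword
    neighbour_status: Optional[int]     # status of an unrelated site known to share the same IP


def looks_blocked(status: Optional[int]) -> bool:
    """No response or a block page counts as blocked; a normal page answers 200/301."""
    return status is None or status in (403, 451)


def classify(p: Probe, true_ip: str = TRUE_IP) -> Tuple[str, str]:
    """Return (technique, remedy).  Checks run in network-stack order:
    name resolution, then IP reachability, then the URL, then content."""
    if p.dns_answer is None or p.dns_answer != true_ip:
        return ("DNS filtering",
                "the name itself is filtered; a new domain is needed "
                "(assumption: a subdomain will be filtered with it)")
    if not p.tcp_connect:
        if looks_blocked(p.neighbour_status):
            return ("IP filtering",
                    "the whole IP is blocked, possibly because of a neighbour on a shared host; "
                    "ask your host for a new IP or move hosts")
        return ("IP filtering", "your IP is blocked; ask your host for a new IP or move hosts")
    if looks_blocked(p.root_status):
        return ("URL filtering", "the exact URL is filtered; test whether a subdomain mirror passes")
    if looks_blocked(p.keyword_path_status):
        return ("keyword filtering",
                "URLs containing the keyword are filtered; register a domain without it "
                "and keep the word out of titles, tags and paths")
    return ("not blocked", "look for setup, security or connectivity problems instead")


# Constructed probes, one per technique, as a tester might send them back.
SAMPLE_PROBES = {
    "no dns answer":        Probe(None, False, None, None, None),
    "tampered dns answer":  Probe("198.51.100.1", True, 200, 200, 200),
    "shared ip blocked":    Probe(TRUE_IP, False, None, None, None),
    "url blocked":          Probe(TRUE_IP, True, None, None, 200),
    "keyword blocked":      Probe(TRUE_IP, True, 200, 403, 200),
    "reachable":            Probe(TRUE_IP, True, 200, 200, 200),
}


def report(probes=SAMPLE_PROBES):
    """Technique per named probe, for a quick table."""
    return {name: classify(p)[0] for name, p in probes.items()}


if __name__ == "__main__":
    for name, technique in report().items():
        print("%-22s -> %s" % (name, technique))
```

The ordering matters: a reader whose resolver returns a wrong address will also fail the TCP and HTTP checks, so testing the higher layers first would misattribute DNS filtering to something else. Collect the same five observations from several testers in different networks before acting, since a single failed probe can just as well be the tester's own connectivity.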

4- Mirroring your WordPress blog
Mirroring is the process of making two or more domain names or subdomains contain the same up-to-date data. In this guide we will address two-way mirroring of a self-hosted WordPress blog. In two-way mirroring data is updated in both directions, keeping the two or more blogs in sync with each other by using the same WordPress installation and database. When you add, change, or delete any kind of content (posts, pages, comments, images, etc.) from the "source" blog at its regular domain or from the "target" blog or blogs at the mirrored domain(s), the same content will be added, changed, or deleted on the other blogs.

Unfortunately mirroring your blog is not a definitive or permanent solution to censorship. In most cases it is only a matter of time before the original censors find out about your new mirror and block it as well. If they are closely monitoring your online activities, it will be very easy for them to block all your mirror blogs. Remember that censorship is a cat-and-mouse game and that the mirroring technique explained here may not be the ideal solution for you. It will only help you exploit the breach in the censorship wall by making your content available for a certain period of time, which might be shorter or longer depending on the censors' vigilance. However, the mirroring plugins allow you to create and manage as many blog mirrors as you want. This will make it easier for you to stay one step ahead of censorship by being prepared to mirror your content as many times as necessary. Even if your blog is not currently being censored, mirroring can be used as a fallback mechanism for an eventual block. You will need to follow a few steps to mirror your blog.

a. Obtain and configure a new domain or subdomain
To mirror your blog at an alternate URL, the first thing you need is the alternate URL. This can be either a subdomain of your existing site or an entirely new domain. The choice of which is better for you is a complex one and depends on the exact nature of the blocking/filtering that is making your site inaccessible. Remember that if you are being blocked at the IP address level, a mirror site hosted on the same server, regardless of its domain, will also be blocked. See the section on IP address filtering above for advice on handling that situation.

Using subdomains
Sometimes a subdomain of your normal site URL will pass through filters that block your normal site, likely because the filter is only targeting your exact URL rather than the bare domain or the word "yourblog". If this is the case, then mirroring using a subdomain is the ideal choice. It will be familiar to existing readers, involves fewer configurations, and in most cases will not incur extra charges with your registrar or host. Most web hosts allow you to add and configure subdomains from your account's control panel. Read the help documentation for your hosting company or ask them for help if you aren't sure how to do this. Testing whether a subdomain will make your site accessible to blocked users is fairly easy:

• Register a test subdomain with your host and point it at an empty server directory.
• Upload a simple index.html page with a test message in it.
• Ask a user that you know is blocked from your main site to visit it.

If the test page is not blocked for someone who cannot otherwise access your blog, then a subdomain will probably work as a mirror location. Otherwise a new domain name may be needed.

Registering a new domain name
A completely new domain is needed if the filtering is done by nuanced domains or via keywords. In such cases subdomains will be blocked along with the main site, and even new domains containing the blocked keywords may be inaccessible. Careful consideration should be given to your choice of a new domain:

• It costs money to register new domain names.
• If you are being keyword blocked, you need a domain that does not contain the blocked keyword.
• Ideally this domain should still be memorable and meaningful to your existing and new readers.

You can register the new domain either through your web host or with a dedicated registrar like GoDaddy: . If your host offers domain registration, then using their service can be beneficial because it simplifies the process of configuring the domain, as they will handle DNS settings for you. Once a new domain is registered it can take anywhere from 12 to 72 hours to become active because the DNS settings propagate slowly throughout the Internet. While waiting you should prepare for the rest of the tasks below. Once you are able to point your browser to the domain you have created and see the landing page provided by your hosting service, then you are ready to continue.

DNS configuration
The next step is to log in to your web host panel interface (the following examples use the DreamHost hosting service) and select Domains > Manage Domains. Your first domain (the one that is blocked) needs to be Fully Hosted. For the domain or subdomain that you want to set as the mirror, click the edit button. In the edit screen you will see several options. For example, DreamHost offers five options: 1. Fully Hosted; 2. Redirected; 3. Mirrored; 4. Parked; 5. Cloaked. Select the Mirrored option, and set the domain to mirror ( to use your Fully Hosted domain (

Note: Many hosts charge exorbitant rates for registering new domains compared with dedicated registrars like GoDaddy (a .com/.net/.org domain should be about US$10), so the extra work of pointing a new domain at your host with DNS can be worth it in the long run. You should compare your host's prices with competitors before deciding.

Editing the virtual host
If you are using a web hosting service other than DreamHost, request help from your hosting company on how to configure virtual hosts and alter DNS settings. Normally you will only need to point your new domain or subdomain (example: to the root directory of your primary blog (example: /
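Where you administer the web server yourself rather than through a panel, "pointing the new name at the root directory of your primary blog" is a virtual host alias. The following is an added example for this guide (not from DreamHost or any other provider): one Apache virtual host that answers for the primary name and the mirror names from the same WordPress document root. The domain names and the path are constructed placeholders.

```apache
# Added example: one Apache virtual host serving the primary blog and its
# mirror names from the same WordPress installation.
# yourblog.example, the mirror names and the path are placeholders.
<VirtualHost *:80>
    ServerName yourblog.example
    # Mirror names answered by the same installation; the mirroring
    # plugin reads the Host header and switches URLs and theme accordingly.
    ServerAlias mirror.yourblog.example
    ServerAlias yourblog-mirror.example
    DocumentRoot /home/user/yourblog.example
    <Directory /home/user/yourblog.example>
        # WordPress permalinks depend on the rewrite rules in .htaccess
        AllowOverride All
    </Directory>
</VirtualHost>
```

Add the access-control directives your Apache version uses inside the Directory block, run apachectl configtest before reloading, and remember that the alias only works once DNS for each mirror name resolves to this server and the name is also entered in the mirroring plugin's settings.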

b. Choosing, downloading & installing a mirroring plugin
Choosing a plugin
Several WordPress plugins exist to help you with the mirroring process. We recommend using one of the following:

• Domain Mirror Plugin by David McAleavy:
• Domain Theme by Stephen Carroll:

Both plugins allow a single WordPress installation to display different URL paths, blog titles and different domains. They also allow you to associate different themes with different domains, meaning that you can use a dynamic Web 2.0-style theme for your main blog and a minimalist theme for the mirror blog that speeds up load times and minimizes bandwidth use. Minimalist WordPress themes: are recommended for blocked blogs. Fast page load times are crucial for visitors accessing blocked blogs via proxies as well as for visitors living in places with poor connectivity.

Downloading and installing the plugin
Download the Domain Mirror plugin: , unzip it and upload it to the wp-content/plugins/ folder using FTP. You can also install the plugin directly from the WordPress dashboard by going to Plugins > Add New and searching for the plugin name. After finding the plugin you want, click the “Install” link to the right of the search result:

Note: if you choose to install the Domain Mirror plugin from the WordPress admin interface, you will need to rename the downloaded “domainmirror” directory to “AA-DomainMirror" in order to force this plugin to load first, which will prevent compatibility problems with other plugins. To do this you will need FTP access to the plugin directory.

c. Configuring the Domain Mirror Plugin
In your WordPress dashboard, go to your Plugins page and activate the plugin you installed. Then go to Dashboard > Settings > Domain Mirror and fill in the appropriate information for your domain names. The Domain #1 section should contain the basic information of your primary blog. Click the "Get Current Domain" button to get the values from the database as saved in your WordPress General Settings. The Domain #2 section should contain the details for the mirror domain. After adding this information click "Save Changes." You can add as many mirror domains as you like by clicking the "Add New Domain" button.

If you have followed the steps above, you now have two copies of your blog. When you visit your primary domain, your blog remains unchanged. When you visit your new mirror site, the blog appears as if configured for that domain. You can see a live example of the Tunisian collective blog using this technique: the primary blog is at: and the mirror blog is at . You will notice that the primary blog (on the right) has a complex theme, while the mirror blog (on the left) uses a minimalist theme to ensure fast page load times.

d. Hiding your mirror blog from Google
Censors, like regular Internet users, often use Google and other search engines to find online content. If your mirror site is being indexed by Google, censors may be able to find it and block it quickly. You can help prevent this by preventing Google and other search crawlers from indexing your mirror blogs. This may also make it more difficult for new readers to find your blog. For this reason, we recommend spreading the news about your mirror blog using Twitter, an e-mail list, Facebook, Google Buzz and other social media tools. You can prevent Google from indexing your mirror blog by creating or editing a Robots Exclusion Protocol file (also known as robots.txt). This file tells search engines where and where not to look for content on your server and will prevent your mirror domain from being indexed, reducing the risk of censors finding your mirror blog. If a robots.txt file does not exist in the folder that contains the content for your mirror site, you will need to create one. You can use any text editing software (Notepad or Wordpad for Windows, TextEdit for Mac OS, Vi or Emacs for Linux) to do this. Once you have created the file (or after you have opened the existing file), add the following text:
# Disallow Googlebot
User-agent: Googlebot
Disallow: /

User-agent: *
Disallow: /

Save the file as robots.txt and upload it to your mirror folder. Be careful not to put the file in the folder that contains your main blog, or you will prevent search engines from indexing your site entirely.
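A check for the robots.txt step above, added here as an example that is not part of the book: it feeds the mirror's file and a constructed permissive file for the primary blog to Python's standard-library robots.txt parser and confirms that crawlers are refused everywhere on the mirror while the primary front page stays indexable. Because the mirror domain is usually pointed at the same root directory as the primary blog, the fetch_robots helper (the hostname, site name and sample files are placeholders of my own) lets you fetch the file once per hostname and run the same checks on what each host really serves.

```python
"""Added example (not from the book): check the robots.txt served by a
mirror blog against the one served by the primary blog, using the
standard-library parser. The sample files below are constructed."""
from urllib import robotparser
import urllib.request

# Constructed sample: the file the text tells you to place on the mirror.
MIRROR_ROBOTS_TXT = """\
# Disallow Googlebot
User-agent: Googlebot
Disallow: /

User-agent: *
Disallow: /
"""

# Constructed sample: a permissive file for the primary blog that only
# keeps crawlers out of the WordPress admin area.
PRIMARY_ROBOTS_TXT = """\
User-agent: *
Disallow: /wp-admin/
"""

# Crawlers to test: the one named in the file, plus two that must fall
# back to the "User-agent: *" rules.
CRAWLERS = ("Googlebot", "Bingbot", "SomeOtherBot")
SITE = "http://mirror.example.invalid"  # placeholder hostname


def parse_robots(text):
    """Feed robots.txt text to urllib's RobotFileParser without fetching it."""
    rp = robotparser.RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def all_crawlers_blocked(text, paths=("/", "/2012/05/some-post/")):
    """True only if every listed crawler is refused every listed path,
    i.e. the file hides the whole site rather than part of it."""
    rp = parse_robots(text)
    return all(not rp.can_fetch(ua, SITE + path)
               for ua in CRAWLERS for path in paths)


def home_indexable(text, crawler="Googlebot"):
    """True if the given crawler may fetch the front page."""
    return parse_robots(text).can_fetch(crawler, SITE + "/")


def check_mirror_and_primary(mirror_text, primary_text):
    """Summarise the state the text wants: mirror hidden, primary indexable."""
    return {
        "mirror_hidden": all_crawlers_blocked(mirror_text),
        "primary_indexable": home_indexable(primary_text),
    }


def fetch_robots(hostname, timeout=10):
    """Fetch the file as a crawler would see it for one hostname. When the
    mirror and the primary are served from the same directory, fetch it
    once per hostname to confirm each host serves what you expect.
    Not used by the offline checks."""
    with urllib.request.urlopen(f"http://{hostname}/robots.txt", timeout=timeout) as r:
        return r.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print(check_mirror_and_primary(MIRROR_ROBOTS_TXT, PRIMARY_ROBOTS_TXT))
```

Run it as-is to see both results for the sample files; for your own blogs, pass the strings returned by fetch_robots for each hostname instead. If both hostnames return the restrictive file because they share one directory, the primary blog would disappear from search results, which is exactly the mistake the text warns about.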

Telling your readers about the mirrored site
After setting up the domain mirror for your blog, your next step is to help readers discover the new link. There are many ways to do this:
• Add a notice to the header of your RSS feed informing your RSS subscribers about the new mirror. Style the notice with CSS so it will be visible. You can use the RSS plugin: to add and style the notice.
• If you have an email list, notify your subscribers about the new link.
• If you use TwitterFeed: to automatically publish your blog updates to Twitter, make sure to change the link of your blog RSS feed to the RSS feed for the mirror site. This will make sure that all the links published on Twitter will point to the mirror blog and not to the primary blog.
• If you have a Facebook account, you can easily import your mirrored blog. You can use the WPBOOK plugin: which will add your WordPress blog as a Facebook application. Make sure to use the URL of the mirror blog.

Cross posting feeds for Effective Social Media Integration
There are multiple benefits to this approach. The first is that you drive more visitors, and thus eventual supporters, to your own blog campaign. Also, it has the effect of lengthening the lifetime of your blog and website entries by generating a cycle of sharing and promotion that can be easily picked up by search engines like Google. You should have basic familiarity with an overwhelming number of software and web applications such as macro and micro blogging services, social bookmarking and social networking websites. You will need an account on each of these web services in order for them to interact with each other so your updates and links appear instantly and automatically as soon as they are posted. Furthermore, as illustrated in the image below, not only can you add your website and blog feed to your Facebook Notes but other kinds of feeds too, such as links to your Youtube videos, your Flickr images, your slides and podcasts. For this example, I’m supposing you already have a Twitter and a Facebook account (otherwise, proceed by creating them). What we are going to do first is to sign up for a Twitterfeed account and set up a new feed that will automatically relay any post that you publish on your blog or website to Twitter. To make it work, you will need an OpenID user account to actually sign up for the service (create one now: , if you don't have one).

Twitterfeed posts as much of the title and the description as fits into Twitter’s 140 character limit, together with a shortened link to your original post. It supports TinyURL: and other alternative URL shortening services that take a long link and turn it into a short and clickable one. You also have the option to add a prefix to your 'tweets', which is very helpful if you're planning to import more than one RSS feed into your Twitterfeed account. [Examples of prefixes are: “New on my blog:”, “My last video on Youtube:”, “My last Flickr image:”, etc.].

How to feed your blog or website to Twitter
Once you have logged into Twitterfeed, click on the “Create new Twitter feed” button. On the next page enter your Twitter login details (username and password), then the RSS feed URL of your blog or website. Make sure to tick the “include item link” and the “Active” boxes.

Once set up, you can always manage your feed, set it inactive, or even delete it.

Update your Facebook status via Twitter
Now that your new blog posts are being displayed on Twitter, the next step is to activate the Twitter Facebook application: that pipes your 'tweets' into your Facebook. Once you have added the Twitter application, enable the option that allows Twitter to automatically update your online status on your Facebook profile. And in case you are using MySpace: , Twitter Sync: allows you to sync your mood status with Twitter.

Feedblitz, automating email and IM delivery
While Twitter updates your Facebook status, FeedBlitz (a web 2.0 Feedburner partner service that helps you optimize the distribution of your content) takes it a step further by automating email and instant messaging (IM) delivery, sending your action alerts and latest updates automatically to Twitter, Skype, AOL Instant Messenger, MSN Messenger and Yahoo! Messenger. Even though RSS feeds are very popular, many people still prefer email newsletters. Web 2.0 services such as Feedburner or FeedBlitz, which automate email newsletter publication, delivery and subscription processes, help you to reach your subscribers with great ease.

Most of the arguments made against the crossposting: technique are correct. Turning the linking aspect of Twitter, Plurk and other micro-blogging services into a form of publishing platform for your campaign might be perceived, by your friends, followers and subscribers, as spam and redundant. They can get annoyed coming across the same updates or posts on your blog, Twitter, Facebook, RSS readers, etc. However, appropriate and intelligent use of the technique will deliver significant results through the process of Internet sharing. Exploring innovative and appropriate ways of using this tactic can help improve your overall strategy to keep in touch with your audience while reducing the redundancy. And keep in mind that like all other tactics, this one can either add value to your e-campaign or decrease it, depending on how well you use it.

An example: Some digital activists: from countries with widespread Internet censorship use this tactic to automatically keep their audience updated about new "mirrors" of their blocked/censored websites and blogs. So, instead of spending time sending emails and filling their subscribers' mailboxes with email updates, applications like Facebook and Twitter do the job of displaying the new URLs of their website, bypassing censors and getting the message out.

Geo bombing
Geo-bombing is one of the techniques that can be employed to enable more effective dissemination of your YouTube video campaign through Google mapping applications like Google Maps and Google Earth. Now you can watch your geo-tagged videos inside Google Earth and Google Maps. Any geo-tagged YouTube video will show up when the YouTube layer of Google Earth/Maps is turned on.
Geo-tagging your videos
You can add a geographical location to any of your new and old YouTube videos:
1. Edit your video
2. Click on the "date and map" option
3. Add a latitude and longitude or enter a city, town, or place name
4. You can use the search box or drag the marker to choose a specific location

Once the location has been recorded and the video uploaded it will appear on Google Earth.

How to display geo-tagged YouTube videos on Google Earth
To activate the Google YouTube layer, you have to navigate to the “Layers” menu on the left-hand side of Google Earth. Expanding the “Gallery” node in the layers tree will expose the “YouTube” layer. Once you check the box next to the YouTube layer, all the YouTube icons appear all over the globe.

Other links: NearlyFreeSpeech.NET is almost free to host your website. Look

Advantages and Risks of using Tor
Tor can be a very effective tool for circumvention and protecting your identity. Tor's encryption hides the contents of your communications from your local network operator, and conceals whom you are communicating with or what Web sites you're viewing. When used properly, it provides significantly stronger anonymity protection than a single proxy. But:

• Tor is vulnerable to blocking. Most Tor nodes are listed in a public directory, so it is easy for network operators to access the list and add the IP addresses of nodes to a filter. (One way of attempting to get around this kind of blocking is to use one of several Tor bridges, which are Tor entry nodes not publicly listed, specifically to avoid blocking.)
• Some programs you might use with Tor have problems that can compromise anonymity. The Tor Browser Bundle comes with a version of Firefox with Torbutton installed. Torbutton disables some plugins and changes your browser fingerprint so it looks like any other Torbutton user.
• Tor will not protect you if you do not configure your applications to run through Tor. Some plugins and scripts ignore local proxy settings and can reveal your IP address.
• If you're not using additional encryption to protect your communications, your data will be unencrypted once it reaches the last Tor node in the chain (called an exit node). This means that your data will be potentially visible to the owner of the last Tor node and to the ISP between that node and your destination Web site.

The developers of Tor have thought a lot about these and other risks and offer three warnings:
1. Tor does not protect you if you do not use it correctly. Read the list of warnings here: and then make sure to follow the instructions for your platform carefully:
2. Even if you configure and use Tor correctly, there are still potential attacks that could compromise Tor's ability to protect you: againstonionrouting
3. No anonymity system is perfect these days, and Tor is no exception: you should not rely solely on the current Tor network if you really need strong anonymity.

There are two other projects that bundle Tor and a browser:
• XeroBank, a bundle of Tor with Firefox (
• OperaTor, a bundle of Tor with Opera (
• Torpark (portable web browser):

Useful links
Home Page:
Download:
Forum (Planet Peer):,9.0.html
Basic Tor Overview:
Tor Documentation
Tor Design Document:
Windows Setup Instructions
Tor Network Statistics:
Tor Nodelist Sorted by Bandwidth:
Onion Routing:
TheOnionRouter/TorFAQ:
Onion Routing for Anonymous Communications:
BitTorrent Trackers Over Tor:
Vidalia (a cross-platform controller GUI for Tor):
TorK (a Tor controller for KDE):
TorButton (Tor on/off button for Firefox): ,
Wikipedia: Tor:
Tor is only "close" to being totally anonymous while using a web browser with scripting turned off. The only -real- anonymous way to use the internet is through an unregistered modem.

Vidalia is a Tor client that bundles Tor and Polipo, and routes data across the Tor network. They offer quite a few bundles for users to get started relatively quickly. If you do not opt for the Tor browser, you must configure your machine's local proxy port to use Vidalia's default port of 8118 in order to use the program. There aren't that many features. It's a basic Tor program which strives to keep things as 'simple' as possible as Tor itself is very complicated. The program allows users to become Tor Relays to help censored users connect to the network. There is a neat feature which shows a map of Earth with lines representing connections to the Tor server participants and very nice bandwidth graphs. Here are some of my personal ratings and a few technical points regarding the program:

Speed Rating: Generally slow
Anonymity Rating: Medium-Low
Usage Allowance: Unlimited
Logging Level: Unknown. It varies from peer to peer. Some may log you and some may not.
Server Location(s):
Operating System(s):



WOT Rating: Excellent.
There is a portable version available.
24 - 32MB RAM usage when running, with an additional 4MB used for Polipo and another 16.5 MB for the Tor engine.
It runs as a stand-alone program on a user's computer.
Pros: Easy to install and use, lightweight client, reasonable data transfer speeds and lots of online support.
Disadvantage: Potentially not as secure as other services.
Developer's website:
Download page:
Download file size: 8.8 MB
64 Bit compatibility: 32 bit but 64 bit compatible
License type: Open source freeware
Portable version available: This product is portable
System requirements: 95 - 7, Macintosh, Linux/Unix

xB Browser
The xB Browser (or XeroBank Browser, previously known as TorPark) is a Firefox and Tor bundle. It's unique compared to the other Tor programs on offer as it's an 'all-in-one' solution. You can start surfing anonymously straight out of the box. Firefox users will feel comfortable using the XeroBank Browser as it is based on Firefox. Speeds vary as they do with all Tor connections, but you'll find they are generally quite slow. xB Browser will also encrypt your browsing activities to prevent local network snoops, including work administrators and even your ISP, from being able to track where you go and what you do online. xB Mail is included for XeroBank users, and is used to access XeroBank's encrypted email service. xB VPN is used to create an anonymous VPN connection to the XeroBank anonymity network. It is designed for OpenVPN connections and can be run on Windows 2k, NT, XP, Vista, and Vista x64. You can speed things up by disabling images (add-on download required). Here are some technical points regarding the program:

Speed Rating: Slow
Anonymity Rating: Medium-Low
Usage Allowance: Unlimited
Logging Level: Unknown. It varies from peer to peer. Some may log you and some may not. Review this page: for more info about entry and exit nodes.
Server Location(s): Worldwide


WOT Rating: Excellent.
It runs as a stand-alone program on a user's computer.
Advantage: Zero-configuration, based on Firefox, lots of support.
Disadvantage: May not be as secure as other solutions, speeds fluctuate but are generally slow, multi-browser setup can be confusing.
Developer's website:
Download page:
Version:
Download file size: 10.4 MB
64 Bit compatibility: 32 bit but 64 bit compatible
License type: Unrestricted freeware
Portable version available: This product is portable
System requirements: 95 - 7

AdvTor is a powerful alternative to the Vidalia bundle and as the name suggests, it is built with the advanced Tor user in mind. You can customise pretty much any aspect of your Tor connection from bandwidth throttling to manual entry/exit node selection. One of the nicest features it has is the ability to force a program to use your Tor connection! Although that particular feature is in a Beta stage, I've managed to get various programs to work with it which is very promising. Try it yourself; force a program, such as an instant messaging client, to use Tor without changing its internal proxy settings. This is great for applications that simply refuse to use your Tor connection. Advanced Onion Router is a portable client for the OR network and is intended to be an improved alternative for Tor+Vidalia+Privoxy bundle for Windows users. Some of the improvements include UNICODE paths, support for HTTP and HTTPS proxy protocols on the same Socks4/Socks5 port with HTTP header filtering that generates fake identity-dependent headers every time the identity is changed (proxy chains are also supported), support for NTLM proxies, a User Interface that makes Tor's options and actions more accessible, local banlist for forbidden addresses, private identity isolation, a point-and-click process interceptor that can redirect connections from programs that don't support proxies, also giving them fake information about the local system and support for .onion addresses. Also, it can estimate AS paths for all circuits and prevent AS path intersections, it can restrict circuits to be built using only nodes from different countries, can change circuit lengths and more. It's important to note that Tor does not support the UDP protocol, so programs that use this protocol will send and receive UDP packets unencrypted over your network connection and untouched by Tor. 
As far as I know, there is no way to route UDP packets over the Tor network and there are no plans to implement such a feature. The GUI isn't particularly attractive or user-friendly, but for all it lacks in looks, it makes up for in features. A must have for advanced Tor users. Here are some of my personal ratings and a few technical points regarding the program:

Speed Rating: Slow (high with custom configuration)
Anonymity Rating: Medium-High
Usage Allowance: Unlimited
Logging Level: Unknown. It varies from peer to peer. Some may log you and some may not. Review this page: for more info about entry and exit nodes. (Minimal with custom configuration)
Server Location(s): Worldwide


WOT Rating: Excellent.
8MB of RAM usage when running.
There is no installer file. The program is provided in a Zip archive. Since there is no installer, the program is fully portable.
It runs as a stand-alone program on a user's computer.
Advantage: Feature rich, highly customizable, can force programs to use Tor.
Disadvantage: It is for advanced users, may not be as secure as other solutions, speeds fluctuate but are generally slow.
Developer's website:
Download page:
Version:
Download file size: 4.1 MB
License type: Unrestricted freeware
Portable version available: This product is portable
System requirements: 95 - 7
Features

• Portable: writes settings to application folder, does not write to the system registry
• Read-only mode, when running from read-only media - no files are written
• All configuration files can be encrypted with AES
• All-In-One application - it can replace Tor, Vidalia, Privoxy/Polipo, cntlm, and more
• Supported proxy protocols: Socks5, Socks4, HTTP, HTTPS (all on the same port, autodetected)
• Support for corporate (NTLM) proxies
• Point and click process interceptor that can redirect all connections of a program, disallow non-supported protocols and restrict some information about the local system (fake system time, fake local hostname, etc.)
• Banlist for addresses and routers
• HTTP header filtering that generates fake identity-dependent headers every time the identity is changed
• Circuit builder that allows building circuits by specifying a node list and that can estimate good circuits
• Nodes can be banned / added to favorites from any existing circuit or from router selection dialogs
• Circuit priorities can be changed from the "OR network" page
• AS path estimations for all circuits with the option to build only circuits that don't have AS path intersections
• Avoid using in same circuit nodes from the same countries
• Circuit length is optional and can be changed to have between 1 and 10 routers
• Better isolation between private identities (delete cookies from 5 supported browsers, expire an internal cookie cache, delete Flash/Silverlight cookies, generate new fake browser identity information, and more)
• A list of favorite processes that can be started and intercepted at startup
• All child processes created by a process that is intercepted are also intercepted
• Plugin support
• Hot keys
• Multi-language support

Obfsproxy Tor Browser Bundle Extreme Anonymity

Obfsproxy is a tool that attempts to circumvent censorship by transforming the Tor traffic between the client and the bridge. Even though obfsproxy is a separate application, completely independent from Tor, it speaks to Tor using an internal protocol: to minimize necessary end-user configuration. This way, censors, who usually monitor traffic between the client and the bridge, will see innocent-looking unencrypted transformed traffic instead of the actual Tor traffic, thus evading the censors. Tor executive director Andrew Lewman likened obfsproxy to "making your Ferrari look like a Toyota by putting an actual Toyota shell over the Ferrari." Lewman also stated that obfsproxy should be able to emulate innocent-looking Internet protocols to the point where even the most sophisticated system cannot find anything suspicious. It is an effective tool when countries use Deep Packet Inspection to block certain keywords and encrypted packets. Obfsproxy supports multiple protocols, called pluggable transports, which specify how the traffic is transformed. For example, there might be an HTTP transport which transforms Tor traffic to look like regular HTTP traffic. At the moment, however, the extra layer of regular HTTP and the small number of obfsproxy relays make it slower than ordinary Tor. Download Obfsproxy Tor Browser Bundle: Installation Instructions To set up an obfsproxy bridge, or to build it from source, see the separate Obfsproxy Installation Instructions page:

Windows Obfsproxy Tor Browser Bundle: signature: torrent: torrent mirror 1: sig: torrent: mirror 2: sig: torrent:
OSX (10.6 & 10.7) Obfsproxy Tor Browser Bundle: signature: torrent: mirror 1: sig: torrent: mirror 2: sig: torrent:
Linux 32-bit Obfsproxy Tor Browser Bundle: signature: torrent: mirror 1: sig: torrent: mirror 2: sig: torrent:
Linux 64-bit Obfsproxy Tor Browser Bundle: signature: torrent: mirror 1: sig: torrent: mirror 2: sig: torrent:

JonDo started as a German university project called Java Anon Proxy (JAP) and has become a robust anonymity tool that, like Tor, sends traffic through several independent servers. Unlike Tor, however, the JonDo network mixes servers run by volunteers with others maintained by a parent company. The arrangement gives users a choice of speeds: 30-50 kBit/s (about the speed of an analog modem connection) for free, >600 kBit/s for a fee. For a more detailed comparison and price list, see:

General Information
Supported operating system:
Localization: English, German, Czech, Dutch, French and Russian
Web site:
Forum:
Wiki:
Contact form:


JonDo (previously known as JAP) is a VPN client written in Java that routes data across the JonDo network. Unfortunately, being Java based means that the application is somewhat bloated. However, JonDo does have an attractive and user-friendly GUI to make up for this large amount of memory consumption, which displays lots of visual information about your connection to the JonDo network. Being Java-based also means that it is truly cross-platform. The free service offers 30-50 kBit/s speeds and unlimited bandwidth. The commercial option offers a lot more features such as higher speeds, access to all ports and SOCKS5 support. The JonDonym group provides a free browser profile for Firefox called JonDoFox. It's preconfigured to be highly anonymous out of the box and features lots of useful add-ons, such as NoScript, CS Lite and AdBlock Plus. It's completely free and I highly recommend it to anybody that is serious about anonymity. Unfortunately, JonDo does have maximum user limits for all of their free servers, which means they are generally overloaded at peak times. You may not be able to connect instantly.


Speed Rating: Slow. 30kbps-50kbps (Dial-up speeds).
Anonymity Rating: High
Usage Allowance: Unlimited
Logging Level: Minimal. They log bandwidth usage for accounting purposes.
Server Location(s):
Operating System(s):



WOT Rating: Excellent (WOT is explained much further down).
76MB of RAM usage when running.
There is a portable version available.
It runs as a stand-alone program on a user's computer.
Advantage: Friendly interface, platform independent, very secure.
Disadvantage: Slow data transfer speeds, limited availability during periods of high demand and the client itself is a bit of a memory hog.
Developer's website:
Download page:
Download file size: 50 MB
64 Bit compatibility: 32 bit but 64 bit compatible
License type: Unrestricted freeware
Portable version available: This product is portable
System requirements: 95 - 7, Macintosh, OS/2, Linux/Unix
Additional information: Java is required:

Installation
To use the JonDo network, called JonDonym, you'll need to download the JonDo client for your operating system from Versions are available for Linux (about 9 MB), Mac OS X (about 17 MB) and Windows (about 35 MB). Once you have downloaded the client, install it as you would any software for your platform. You may be asked if you wish to install it on your PC or if you wish to create a portable version. For our example, we will assume you are installing JonDo on a PC. Windows users may also be invited to install the JonDoFox web browser, discussed below.

Configuration and Usage When you first start JonDo, you can choose the language you want displayed.

Next, you can choose the level of detail you wish to see when using the service. Inexperienced users should choose "Simplified view".

On the next screen, the Installation assistant asks you to choose the Web browser that you want to use with the JonDo proxy tool. Click on the name of your browser, and follow the instructions.

Once that is completed, JonDo asks you to test your configuration. In the control panel, switch anonymity to Off and then try opening a Web site with the browser you have just configured.

If JonDo shows you a warning and you have to choose "Yes" to view the Web site, everything is configured properly and you can select "The warning is shown. Websurfing is possible after confirmation". If any other description applies to you, choose it and the Installation assistant will give you more information on how to solve the problem.

Now take the second step to ensure a proper configuration: switch anonymity to "On" in the control panel and open a random Web site with the browser you have configured.

If the Web site loads, everything is fine and you can click "Connection established, websurfing is fine". If another description applies to you choose that one and the Installation assistant will help you solve the problem.

We're almost done. You have successfully configured your browser to connect through the JonDo network. Now, you should also configure your browser so that it doesn't accidentally leak any information. Click on the name of your browser to start the process.

If the standard JonDo servers are already blocked in your country, you should try the anticensorship option. Click "Config" in the control panel and select the Network tab. Click on "Connect to other JAP/JonDo users in order to reach the anonymization service". Read the warning and confirm by clicking "Yes".

To make sure you configured your browser correctly, you can point it to which will tell you if there is any problem.

JonDoFox For additional security, the JonDoNym team offers a modified Firefox Web browser called JonDoFox. Similar to the Tor browser bundle, it prevents leaking additional information while using the anonymization tool. You can download the tool at

Note: it is recommended to use the Tor Browser Bundle most of the time, because it is more comfortable; many users have problems using JonDo.

Test Your Anonymity
JonDonym's Anontest: is a free comprehensive anonymity test. It displays all the information that sites can obtain from you simply by visiting them. Lots of sites gather information about you when you visit, which is used to enhance your site experience; however, much of the information you give out to them is not needed. Enter Anontest. It clearly identifies areas of your configuration that are not as secure as they should be and gives suggestions as to how to fix them. Areas are colour coded with easy traffic light colours; red being highly insecure/bad and green being secure/good. They also have a number of other neat features for the 'techies':
• IP Whois
• Show IP location on a map
• Traceroute
Curious to know what websites can gather from you just by visiting them? Take the Anontest and see for yourself! It's one of the most essential tools I use to test anonymity.

NB: This test may falsely identify your IP and User-Agent as 'insecure', but this may not necessarily be the correct conclusion. The reason it does this is because the test was designed for JonDo+JonDoFox.

Test Your Speed is a free service that allows users to test their Internet connection speed based on their location. You can use this to test the speed of your connection when using the products listed above to help you decide which is the fastest solution for you. Be sure to select the nearest server to your location for accurate results. You should be aware that there is generally a trade off between speed and anonymity, especially with free products.

HTTP Proxies
Software called an application proxy enables one computer on the Internet to process requests from another computer. The most common kinds of application proxies are HTTP proxies, which handle requests for Web sites, and SOCKS proxies, which handle connection requests from a wide variety of applications. In this chapter we will look at HTTP proxies and how they work.

Good proxies and bad proxies Application proxies can be used by network operators to censor the Internet or to monitor and control what users do. However, application proxies are also a tool for users to get around censorship and other network restrictions.

Proxies that restrict access and transparent proxy
A network operator may force users to access the Internet (or at least Web pages) only through a certain proxy. The network operator can program this proxy to keep records of what users access and also to deny access to certain sites or services (IP blocking or port blocking). In this case, the network operator may use a firewall to block connections that do not go through the restrictive proxy. This configuration is sometimes called a forced proxy, because users are required to use it.

In the figure below, the first configuration is a likely layout for a large company in order to perform web filtering, caching, and employee monitoring. The second configuration is how an ISP may implement a transparent proxy for web acceleration purposes. The third configuration is utilized by some parental control software, using local transparent proxy instances to control web surfing. If the proxy is located on an internal network, LAN users may be able to fetch internal resources through the proxy depending on network/proxy ACLs.

To identify if your environment is vulnerable you can perform the following manual steps:
1. Perform a DNS lookup against a test website name
2. Telnet to that website’s IP on port 80 ( $ telnet <host> 80 )
3. Paste the following request as the payload:
GET / HTTP/1.0
Host: <put a different website name here>
4. Hit enter twice
It is important to specify a different website name in the ‘Host’ header. The reply will look similar to the following, with HTTP headers followed by HTML:
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2009 22:20:41 GMT
Server: Apache
Cache-Control: private
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
<html>
If you receive content from the host specified in the Host header then you’re affected.

There is a Perl script to detect transparent proxies. Download the script from here:
This script is designed to highlight the existence of a transparent proxy, using three common methods:
1.) Check whether an intercepting proxy does a DNS lookup on a fake Host header;
2.) Check whether the HTTP (TRACE) request headers are modified between the client and server;
3.) Check whether a TCP traceroute on port 25 returns a different path than port 80.
The first two checks can be run as a limited user (on any platform), though the final check requires a TCP-capable traceroute program and therefore root privileges, in order to set arbitrary TTLs.
Read more here:
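The Host-header check from the manual steps above (the first of the three checks the script performs), as an added Python example that is not the page's Perl script: it builds the probe request, parses the reply, and reports whether the content came from the decoy named in the Host header. The decoy host, the marker string and the sample replies are constructed assumptions.

```python
import socket


def build_probe_request(decoy_host, path="/"):
    """HTTP/1.0 request from the manual test: the TCP connection is made to the
    real site's IP, while the Host header names a different (decoy) site."""
    return f"GET {path} HTTP/1.0\r\nHost: {decoy_host}\r\n\r\n".encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(raw, decoy_marker):
    """Decide whether the reply came from the decoy named in the Host header.

    A server contacted directly does not know the decoy and answers with its
    own default site, an error or a redirect. An intercepting proxy resolves
    the Host header itself and returns the decoy's page. decoy_marker is a
    string known to appear only on the decoy's front page (e.g. its title).
    Proxy trace headers (Via, X-Cache) are reported as supporting evidence
    only, since CDNs add them too. Returns (verdict, reasons)."""
    _status, headers, body = parse_response(raw)
    reasons = []
    if decoy_marker.encode("utf-8") in body:
        reasons.append("body contains decoy marker")
    for name in ("via", "x-cache", "x-forwarded-for"):
        if name in headers:
            reasons.append(f"proxy header present: {name}")
    intercepted = "body contains decoy marker" in reasons
    verdict = "transparent proxy likely" if intercepted else "no interception detected"
    return verdict, reasons


def probe(real_ip, decoy_host, decoy_marker, timeout=10.0):
    """Live version of steps 1-4: connect to real_ip:80 and send the decoy Host."""
    with socket.create_connection((real_ip, 80), timeout=timeout) as sock:
        sock.sendall(build_probe_request(decoy_host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks), decoy_marker)


# Constructed sample replies (not captured traffic) for a decoy whose front
# page is assumed to contain the string "Decoy Site Home".
INTERCEPTED_REPLY = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nVia: 1.1 cache.lan (squid)\r\n"
                     b"Content-Type: text/html\r\n\r\n"
                     b"<html><title>Decoy Site Home</title></html>")
DIRECT_REPLY = (b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\n"
                b"Content-Type: text/html\r\n\r\n"
                b"<html><title>Not Found</title></html>")

if __name__ == "__main__":
    for label, reply in (("intercepted", INTERCEPTED_REPLY), ("direct", DIRECT_REPLY)):
        print(label, classify(reply, "Decoy Site Home"))
```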

Proxies for circumvention
However, an application proxy can also be helpful for circumventing restrictions. If you can communicate with a computer in an unrestricted location that is running an application proxy, you can benefit from its unrestricted connectivity. Sometimes a proxy is available for the public to use; in that case, it's called an open proxy. Many open proxies are blocked in Internet-restricting countries if the people administering the network restrictions know about them.

Where to find an application proxy
There are many Web sites with lists of open application proxies. An overview of such sites is available at /Hosted_Proxy_Services/Free/Proxy_Lists. Please note that many open application proxies only exist for a few hours, so it is important to get a proxy from a list which was very recently updated.

HTTP Proxy settings To use an application proxy, you must configure the proxy settings for your operating system or within individual applications. Once you have selected a proxy in an application's proxy settings, the application tries to use that proxy for all of its Internet access. Be sure you make note of the original settings so that you can restore them. If the proxy becomes unavailable or unreachable for some reason, the software that is set to use it generally stops working. In that case, you may need to reset to the original settings. On Mac OS X and some Linux systems, these settings can be configured in the operating system, and will automatically be applied to applications such as the web browser or instant messaging applications. On Windows and some Linux systems, there is no central place to configure proxy settings, and each application must be configured locally. Bear in mind that, even if the proxy settings are configured centrally, there is no guarantee that applications will support these settings, so it is always a good idea to check the settings of each individual application. Typically only Web browsers can directly use an HTTP proxy.

The steps below describe how to configure Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and the free and open source instant messaging client Pidgin to use a proxy. If you use Firefox for Web browsing, it may be simpler to use the FoxyProxy software; it is an alternative to the steps below. If you use Tor, it is safest to use the TorButton software (which is provided as part of the Tor Bundle download) to configure your browser to use Tor.

While e-mail clients such as Microsoft Outlook and Mozilla Thunderbird can also be configured to use HTTP proxies, actual e-mail traffic when sending and fetching e-mail uses other protocols such as POP3, IMAP and SMTP; this traffic will not pass through the HTTP proxy.

Mozilla Firefox To configure Firefox to use an HTTP proxy: 1. Select Tools > Options:

2. The Options window appears:

3. In the toolbar at the top of the window, click Advanced and then click the Network tab:

4. Click Settings. Firefox displays the Connection Settings window:

5. Select "Manual proxy configuration". The fields below that option become available.

6. Enter the HTTP proxy address and port number, and then click OK.

If you click "Use this proxy server for all protocols", Firefox will attempt to send HTTPS (secure HTTP) and FTP traffic through the proxy. This may not work if you are using a public application proxy, since many of these do not support HTTPS and FTP traffic. If, on the other hand, your HTTPS and/or FTP traffic is being blocked, you can try to find a public application proxy with HTTPS and/or FTP support, and use the "Use this proxy server for all protocols" setting in Firefox. Now Firefox is configured to use an HTTP proxy.

Microsoft Internet Explorer To configure Internet Explorer to use an HTTP proxy: 1. Select Tools > Internet Options:

2. Internet Explorer displays the Internet Options window:

3. Click the Connections tab.

4. Click LAN Settings. The Local Area Network (LAN) Settings window appears.

5. Select "Use a proxy server for your LAN".
6. Click Advanced. The Proxy Settings window appears.

7. Enter the proxy address and port number in the first row of fields.
8. If you click "Use the same proxy server for all protocols", Internet Explorer will attempt to send HTTPS (secure HTTP) and FTP traffic through the proxy. This may not work if you are using a public application proxy, since many of these do not support HTTPS and FTP traffic. If, on the other hand, your HTTPS and/or FTP traffic is being blocked, you can try to find a public application proxy with HTTPS and/or FTP support, and use the "Use the same proxy server for all protocols" setting in Internet Explorer.

Now Internet Explorer is configured to use an HTTP proxy.

Google Chrome
Google Chrome uses the same connection and proxy settings as the Windows operating system. Changing these settings affects Google Chrome as well as Internet Explorer and other Windows programs. If you configured your HTTP proxy through Internet Explorer, then you don't need to take these steps to configure Chrome. Follow these steps to configure your HTTP proxy:
1. Click on the "Customize and control Google Chrome" menu (the little wrench next to the URL address bar) and click on Options:

2. In the Google Chrome Options window, select the Under the Hood tab:

4. In the Network section, click the "Change proxy settings" button:

5. The Internet Options window will open. Follow steps 2-8 from the Microsoft Internet Explorer section above to finish setting up your HTTP proxy. Chrome is now configured to use an HTTP proxy.

Setting up the Pidgin instant messaging client to use an HTTP proxy
Some Internet applications other than Web browsers can also use an HTTP proxy to connect to the Internet, potentially bypassing blocking. Here is an example with the instant messaging software Pidgin.
1. Select Tools > Preferences.

Pidgin displays the Preferences window. 2. Click the Network tab:

3. For Proxy type, select HTTP. Additional fields appear under that option.

4. Enter the Host address and port number of your HTTP proxy.
5. Click Close. Pidgin is now configured to use the HTTP proxy.

When you're done with the proxy When you are done using a proxy, particularly on a shared computer, return the settings you've changed to their previous values. Otherwise, those applications will continue to try to use the proxy. This could be a problem if you don't want people to know that you were using the proxy or if you were using a local proxy provided by a particular circumvention application that isn't running all the time.

SSH Tunnelling
SSH, the Secure Shell, is a standard protocol that encrypts communications between your computer and a server. The encryption prevents these communications from being viewed or modified by network operators. SSH can be used for a wide variety of secure communications applications, of which secure log-in to a server and secure file transfers (scp or SFTP) are the most common. SSH is especially useful for censorship circumvention because it can provide encrypted tunnels and work as a generic proxy client. Censors may be reluctant to block SSH entirely because it is used for many purposes other than circumventing censorship; for example, it is used by system administrators to administer their servers over the Internet.

Using SSH requires an account on a server machine, generally a Unix or Linux server. For censorship circumvention, this server needs to have unrestricted Internet access and, ideally, is operated by a trusted contact. Some companies also sell accounts on their servers, and many Web hosting plans provide SSH access. There is a list of shell account providers, which sell accounts for about 2-10 US dollars a month, at:

An SSH program called OpenSSH is already installed on most Unix, Linux, and Mac OS computers as a command-line program run from a terminal as "ssh". For Windows, you can also get a free SSH implementation called PuTTY. All recent versions of SSH support creating a SOCKS proxy that allows a Web browser and a wide variety of other software to use the encrypted SSH connection to communicate with the unfiltered Internet. In this example, we will describe only this use of SSH. The steps below will set up a SOCKS proxy on local port 1080 of your computer.

Linux/Unix and Mac OS command line (with OpenSSH)
OpenSSH is available from , but it comes pre-installed on Linux/Unix and Mac OS computers. The ssh command you'll run contains a local port number (typically 1080), a server name, and a username (account name). It looks like this:
$ ssh -D localportnumber accountname@servername
For example:

You'll be prompted for your password and then you'll be logged into the server. With the use of the -D option, a local SOCKS proxy will be created and will exist as long as you're connected to the server. Important: you should now verify the host key and configure your applications, otherwise you are not using the tunnel you have created!

Windows graphical user interface (with PuTTY)
PuTTY is available from: There is also a portable version of PuTTY here: You can save the putty.exe program on your hard drive for future use, or run it directly from the Web site (often, this is possible on a shared or public-access computer, such as a computer in a library or Internet cafe). When you start PuTTY, a session configuration dialog appears. First enter the host name (address) of the SSH server you are going to connect to (here, ). If you only know the IP address or if DNS blocking is preventing you from using the host name, you can use the IP address instead. If you will perform these steps frequently, you can create a PuTTY profile that saves these options as well as the options described below so they will be used every time.

Next, in the Category list, select Connection > SSH > Tunnels. Enter 1080 for the Source port, and check the Dynamic and IPv4 boxes.

Now click Add, and then Open. A connection is established to the server, and a new window opens, prompting you for your username and password.

Enter this information and you will be logged into the server and receive a command line prompt from the server. The SOCKS proxy is then established. Important: you should now verify the host key and configure your applications, otherwise you are not using the tunnel you have created.

Host key verification The first time you connect to a server, you should be prompted to confirm the host key fingerprint for that server. The host key fingerprint is a long sequence of letters and numbers (hexadecimal) like 57:ff:c9:60:10:17:67:bc:5c:00:85:37:20:95:36:dd that securely identifies a particular server. Checking the host key fingerprint is a security measure to confirm that you are communicating with the server you think you are, and that the encrypted connection cannot be intercepted. SSH does not provide a means of verifying this automatically. To get the benefit of this security mechanism, you should try to check the value of the host key fingerprint with the administrator of the server you're using, or ask a trusted contact to try connecting to the same server to see if they see the same fingerprint. Verifying host key fingerprints is important for ensuring that SSH protects the privacy of your communications against eavesdropping, but it isn't necessary if you only want to circumvent censorship and don't care if network operators can see the contents of your communications.
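Comparing a fingerprint obtained out of band (from the administrator or a trusted contact) with the server's host key line in known_hosts or ssh-keyscan format, as an added Python example that is not part of the original text. SAMPLE_LINE is a constructed line whose key blob is merely base64 of "abc", not a real key; the helper names are assumptions.

```python
import base64
import hashlib


def parse_hostkey_line(line):
    """Parse one line in known_hosts / ssh-keyscan format:
    '<host> <key type> <base64 key blob> [comment]'.
    Returns (host, key type, raw key blob). Hashed or marker-prefixed
    known_hosts entries are not handled here."""
    parts = line.split()
    if len(parts) < 3 or not parts[1].startswith(("ssh-", "ecdsa-")):
        raise ValueError("not a host key line")
    return parts[0], parts[1], base64.b64decode(parts[2])


def md5_fingerprint(key_blob):
    """Colon-separated hex MD5 of the key blob: the format older OpenSSH
    versions print, e.g. 57:ff:c9:60:... as in the text above."""
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def sha256_fingerprint(key_blob):
    """'SHA256:' plus unpadded base64 of the SHA-256 digest: the format
    current OpenSSH versions print."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def _normalise(fingerprint):
    """Tolerate an 'MD5:' prefix, upper-case hex and base64 padding, so a
    fingerprint copied from a different SSH client still compares equal."""
    fingerprint = fingerprint.strip()
    if fingerprint.upper().startswith("MD5:"):
        fingerprint = fingerprint[4:]
    if fingerprint.startswith("SHA256:"):
        return fingerprint.rstrip("=")
    return fingerprint.lower()


def fingerprint_matches(line, expected):
    """True if the out-of-band fingerprint `expected` (either format) matches
    the key on `line`. A False result means: do not type 'yes' at the prompt."""
    _host, _keytype, blob = parse_hostkey_line(line)
    candidates = {md5_fingerprint(blob), sha256_fingerprint(blob)}
    return _normalise(expected) in candidates


# Constructed sample (the blob "YWJj" is base64 of "abc", not a real key).
SAMPLE_LINE = "shell.example.org ssh-rsa YWJj"

if __name__ == "__main__":
    _, _, sample_blob = parse_hostkey_line(SAMPLE_LINE)
    print(md5_fingerprint(sample_blob))
    print(sha256_fingerprint(sample_blob))
```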

Configuring applications to use the proxy The proxy created by the steps above should work until you close the SSH program. However, if your connection to the server is interrupted, you will need to repeat the same steps to reactivate the proxy. Once the proxy is up and running, you need to configure software applications to use it. Using the steps above, the proxy will be a SOCKS proxy located on localhost, port 1080 (also known as, port 1080). You should try to ensure that your applications are configured in a way that prevents DNS leaks, which could make SSH less effective both for privacy protection and censorship circumvention.

More options
So far, all these commands display a command line on the remote machine from which you can then execute whatever commands that machine provides to you. Sometimes you may want to execute a single command on a remote machine, returning afterward to the command line on your local machine. This can be achieved by placing the command to be executed by the remote machine in single quotes:
$ ssh 'mkdir /home/myname/newdir'
Sometimes what you need is to execute time-consuming commands on a remote machine, but you aren't sure you will have sufficient time during your current ssh session. If you close the remote connection before a command has completed, that command will be aborted. To avoid losing your work, you can start a remote screen session via ssh, detach it, and reconnect to it whenever you want. To detach a remote screen session, simply close the ssh connection: a detached screen session will remain running on the remote machine.
SSH offers many other options. You can also set up your favorite systems to allow you to log in or run commands without specifying your password each time. The setup is complicated but can save you a lot of typing; try doing some Web searches for "ssh-keygen", "ssh-add", and "authorized_keys".

scp: file copying
The SSH protocol extends beyond the basic ssh command. A particularly useful command based on the SSH protocol is scp, the secure copy command. The following example copies a file from the current directory on your local machine to the directory /home/me/stuff on a remote machine:
$ scp
Be warned that the command will overwrite any file that's already present with the name /home/me/stuff/ (or you'll get an error message if there's a file of that name and you don't have the privilege to overwrite it). If /home/me is your home directory, the target directory can be abbreviated:
$ scp
You can just as easily copy in the other direction, from the remote machine to your local one:
$ scp yesterday-interview.txt
The file on the remote machine is interview.txt in the docs subdirectory of your home directory. The file will be copied to yesterday-interview.txt in the home directory of your local system.
scp can be used to copy a file from one remote machine to another:
$ scp user1@host1:file1 user2@host2:otherdir
To recursively copy all of the files and subdirectories in a directory, use the -r option:
$ scp -r user1@host1:dir1 user2@host2:dir2
See the scp man page for more options.

rsync: automated bulk transfers and backups rsync is a very useful command that keeps a remote directory in sync with a local directory. We mention it here because it's a useful command-line way to do networking, like ssh, and because the SSH protocol is recommended as the underlying transmission for rsync.

The following is a simple and useful example. It copies files from your local /home/myname/docs directory to a directory named backup/ in your home directory on the remote system. rsync actually minimizes the amount of copying necessary through various sophisticated checks.
$ rsync -e ssh -a /home/myname/docs
The -e ssh option uses the SSH protocol underneath for transmission, as recommended. The -a option (which stands for "archive") copies everything within the specified directory. If you want to delete the files on the local system as they're copied, include a --delete option.

Making it easier when you often use SSH
If you use SSH to connect to a lot of different servers, you will often make mistakes by mistyping usernames or even host names (imagine trying to remember 20 different username/host combinations). Thankfully, SSH offers a simple method to manage session information through a configuration file. The configuration file is hidden in your home directory under the directory .ssh (the full path would be something like /home/jsmith/.ssh/config; if this file does not exist you can create it). Use your favorite editor to open this file and specify hosts like this:
Host dev
    HostName
    User fc
You can set up multiple hosts like this in your configuration file, and after you have saved it, connect to the host you called "dev" by running the following command:
$ ssh dev
Remember, the more often you use these commands the more time you save.

KiTTY – Portable SSH Client for Windows
KiTTY is a free and open source SSH, Telnet and Rlogin client for 32-bit Windows operating systems. KiTTY is basically a fork of the popular PuTTY client. KiTTY supports many features, including portability, a sessions filter, a session launcher, shortcuts for predefined commands, automatic login, automatic saving, session icons, separate icons for each session, quick start of duplicate sessions, transparency, roll-up and more. KiTTY is available from here: A precompiled portable version of KiTTY is available at the above link and works well. If you're using that version, the following instructions are not for you.
To run KiTTY Portable:
1. Create a folder named KiTTY on your USB device.
2. Download kitty_portable.exe and move it to the KiTTY folder.
3. Make the custom kitty.ini file: copy and paste the following into a Notepad file, save it as kitty.ini and move it to the KiTTY folder:
[KiTTY]
savemode=file
sav=kitty.sav
4. Click kitty_portable.exe in the KiTTY folder to launch the program.

SOCKS Proxies
SOCKS is an Internet protocol which presents a special kind of proxy server. The default port for SOCKS proxies is 1080, but they may also be available on other ports. The practical difference to normal HTTP proxies is that SOCKS proxies work not only for Web browsing, but also for other applications like video games, file transfer or instant messenger clients. Similar to a VPN, they work as a secure tunnel. Common SOCKS versions include 4, 4a and 5. Version 4 always needs the IP address to create a connection, so the DNS resolution still has to take place on the client. This makes it useless for many circumvention needs. Version 4a usually uses hostnames. Version 5 includes newer techniques such as authentication, UDP and IPv6, but it often uses IP addresses, so it might also not be the perfect solution. A variety of software can take advantage of a SOCKS proxy to bypass filters or other restrictions: not only Web browsers, but also other Internet software like instant messaging and e-mail applications. In order to use an application proxy for circumventing censorship, you must tell software on your computer that you want to use that proxy when communicating with other systems on the Internet. Some Internet applications don't ordinarily work with a proxy because their developers didn't create them with proxy support. However, many of these applications can be made to work with a SOCKS proxy using socksifier software. Some examples of such software include:

tsocks ( ) on Unix/Linux
WideCap ( ) on Windows
ProxyCap ( ) on Windows

Configuring your applications
In most cases configuring applications to use a SOCKS proxy is done in much the same way as configuring them to use HTTP proxies. Applications that support SOCKS proxies will have a separate entry in the menu or configuration dialog where HTTP proxies are configured, which lets you configure a SOCKS proxy. Some applications will ask you to choose between SOCKS 4 and SOCKS 5 proxy settings; in most cases SOCKS 5 is the better option, although some SOCKS proxies may only work with SOCKS 4. Some applications, such as Mozilla Firefox, will allow you to configure both an HTTP proxy and a SOCKS proxy at the same time. In this case, normal web browsing will happen through the HTTP proxy, and Firefox may use the SOCKS proxy for other traffic such as streaming video.

Mozilla Firefox To configure Mozilla Firefox to use a SOCKS proxy: 1. Select Tools > Options:

2. The Options window appears:

3. In the toolbar at the top of the window, click Advanced:

4. Click the Network tab:

5. Click Settings. The Connection Settings window opens:

6. Select "Manual proxy configuration". The fields below that option become available.

7. Enter the SOCKS proxy address and port number, choose SOCKS v5, then click OK.

Now Firefox is configured to use a SOCKS proxy.

Microsoft Internet Explorer To configure Internet Explorer to use a SOCKS proxy: 1. Select Tools > Internet Options:

2. Internet Explorer displays the Internet Options window:

3. Click the Connections tab:

4. Click LAN Settings. Internet Explorer displays the Local Area Network (LAN) Settings window:

5. Select "Use a proxy server for your LAN" and click Advanced. Internet Explorer displays the Proxy Settings window:

6. Clear "Use the same proxy server for all protocols" if it is selected:

7. Enter the proxy address to use and port number in the Socks row and click OK:

Now Internet Explorer is configured to use a SOCKS proxy.

Configuring a SOCKS proxy for other applications
Many Internet applications other than Web browsers can use a SOCKS proxy to connect to the Internet, potentially bypassing blocking. Here is an example with the instant messaging software Pidgin. This is a typical example, but the exact sequence of steps to configure some other application to use a SOCKS proxy would be slightly different.
1. Select Tools > Preferences:

2. Pidgin displays the Preferences window:

3. Click the Network tab:

4. For Proxy type, select SOCKS 5. Additional fields appear under that option.

5. Enter the host address and port number of your SOCKS proxy:

6. Click Close. Pidgin is now configured to use a SOCKS proxy.

When you're done with the proxy When you are done using a proxy, particularly on a shared computer, return the settings you've changed to their previous values. Otherwise, those applications will continue to try to use the proxy. This could be a problem if you don't want people to know that you were using the proxy or if you were using a local proxy provided by a particular circumvention application that isn't running all the time.

DNS leaks One important problem with SOCKS proxies is that some applications that support the use of SOCKS proxies may not use the proxy for all their network communications. The most common problem is that Domain Name System (DNS) requests may be made without going through the proxy. This DNS leak can be a privacy problem and can also leave you vulnerable to DNS blocking, which a proxy could otherwise have circumvented. Whether an application is vulnerable to DNS leaks may vary from version to version. Mozilla Firefox is currently vulnerable to DNS leaks in its default configuration, but you can avoid these by making a permanent configuration change to prevent DNS leaks: 1. In the Firefox address bar, enter about:config as if it were a URL (you may see a warning about changing advanced settings):

2. If necessary, click "I'll be careful, I promise!" to confirm that you want to modify your browser settings. The browser displays a list of configuration settings information. 3. In the Filter field, enter network.proxy.socks_remote_dns. Only that setting is displayed:

4. If this setting has the value false, double-click it to change its value to true. Firefox is now configured to avoid DNS leaks. Once the value is displayed as true, this setting is automatically saved permanently. There is no documented way to prevent DNS leaks within Microsoft Internet Explorer, without using an external program. At the time of this writing there are no known DNS leaks in Pidgin when configured to use a SOCKS 5 proxy.
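The SOCKS request encodings behind the version comparison and the DNS-leak discussion above, as an added Python example that is not code from the original text: a SOCKS4a or SOCKS5 CONNECT can carry the destination as a name for the proxy to resolve (what Firefox's network.proxy.socks_remote_dns selects), or as an address the application already resolved locally, which is the leak. describe_connect() inspects a captured CONNECT request so you can check what an application actually sends; the hostnames, ports and userid are constructed samples.

```python
import ipaddress
import struct

# SOCKS5 method negotiation greeting: version 5, one method offered, 0x00 = no auth.
SOCKS5_GREETING = b"\x05\x01\x00"


def socks5_connect_request(dest, port):
    """SOCKS5 CONNECT request (RFC 1928): VER=5 CMD=1 RSV=0 ATYP ADDR PORT.
    If `dest` is an IP literal, the application resolved the name itself and
    the proxy only sees the address (ATYP 1 or 4); if `dest` is a hostname it
    is sent as ATYP 3 and the proxy resolves it, so no DNS query leaves the
    client."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        name = dest.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = b"\x03" + bytes([len(name)]) + name
    else:
        addr = (b"\x01" if ip.version == 4 else b"\x04") + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)


def socks4a_connect_request(hostname, port, userid=b""):
    """SOCKS4a CONNECT: VN=4 CD=1 DSTPORT DSTIP USERID NUL HOSTNAME NUL.
    DSTIP is set to 0.0.0.x (x != 0) to signal that a hostname follows the
    userid, so the proxy resolves it. Plain SOCKS4 has no such field, which is
    why version 4 forces the client to resolve names locally."""
    return (b"\x04\x01" + struct.pack(">H", port) + b"\x00\x00\x00\x01"
            + userid + b"\x00" + hostname.encode("idna") + b"\x00")


def describe_connect(request):
    """Inspect a captured SOCKS CONNECT request and report how the destination
    was sent: (version, 'domain' or 'ip', destination, port). Seeing 'ip' for
    a site you typed as a name means the application resolved it locally."""
    ver = request[0]
    if ver == 5:
        atyp = request[3]
        if atyp == 1:
            dest, end = str(ipaddress.IPv4Address(request[4:8])), 8
        elif atyp == 4:
            dest, end = str(ipaddress.IPv6Address(request[4:20])), 20
        elif atyp == 3:
            length = request[4]
            dest, end = request[5:5 + length].decode("idna"), 5 + length
        else:
            raise ValueError("bad SOCKS5 address type")
        (port,) = struct.unpack(">H", request[end:end + 2])
        return "socks5", ("domain" if atyp == 3 else "ip"), dest, port
    if ver == 4:
        (port,) = struct.unpack(">H", request[2:4])
        dstip = request[4:8]
        user_end = request.index(b"\x00", 8)
        if dstip[:3] == b"\x00\x00\x00" and dstip[3] != 0:
            host_end = request.index(b"\x00", user_end + 1)
            hostname = request[user_end + 1:host_end].decode("idna")
            return "socks4a", "domain", hostname, port
        return "socks4", "ip", str(ipaddress.IPv4Address(dstip)), port
    raise ValueError("not a SOCKS CONNECT request")


if __name__ == "__main__":
    # Constructed samples: a remote-DNS request and a locally resolved one.
    for req in (socks5_connect_request("example.org", 443),
                socks5_connect_request("192.0.2.10", 80),
                socks4a_connect_request("example.org", 443, b"anna")):
        print(describe_connect(req))
```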

Risks of Operating a Proxy
When you run a Web proxy or application proxy on your computer to help others, requests and connections forwarded through that proxy will appear to originate from your computer. Your computer is acting on behalf of other Internet users, so their activity could be attributed to you, as if you had done it yourself. So if someone uses the proxy to send or receive material that a third party objects to, you could receive complaints that assume that you are responsible and may ask you to stop that activity. In some cases, activities using your proxy could attract legal action or the attention of law enforcement agencies in your own or another country. In some countries, proxy operators have received legal complaints, and, in some cases, law enforcement agents have even seized computers that were functioning as proxies. This could happen for several reasons:

Someone may (incorrectly) assume that the operator of the proxy computer was personally involved in activity passing through the proxy.
Someone may assert that the operator of the proxy has a legal duty to stop certain uses, even if the uses are being made by third parties.
Someone may hope to examine the proxy to find evidence (e.g. logfiles) of who was responsible for some activity.

If you think this could be a risk for your proxy in your area, it may be safer to operate the proxy on a dedicated computer in a data center. That way it won't attract attention to your home Internet connection. National laws may vary in the way and extent they protect proxy operators from liability. For details about your situation, you should consult a lawyer or qualified legal expert in your jurisdiction.

Risks of operating a public proxy Internet service providers may complain about your operation of a proxy, especially if they receive complaints about abuse of the proxy. Some ISPs may assert that running a public proxy violates their terms of service, or that they simply do not wish to permit users to run public proxies. These ISPs may disconnect you or threaten to disconnect you in the future. A public proxy may be used by many people all over the world and may use huge amounts of bandwidth and traffic, so when using ISPs that charge on a non-flat-rate tariff, one should take precautions to avoid a large traffic bill at the end of the month.

Risks of operating a private proxy
These risks still exist if you operate a proxy for your own benefit or for the use of a small number of individuals, but operating a non-public proxy is much less risky than operating a public proxy. If the user of your non-public proxy is detected and monitored, whoever is doing the monitoring may realize or speculate that there is a connection between you and the user and that you are trying to help that person circumvent filtering. Although your own ISP is much more likely to object to your running a public proxy than a private proxy, some ISPs may have such comprehensive anti-proxy policies that they object even to the operation of a private proxy on their networks.

Data retention laws might regulate proxy operation
In some countries, data retention laws or similar laws meant to restrict anonymity might be interpreted to regulate the operation of proxy services. For more information about data retention, see

Interesting experiment...?
What if we initially connect to one of the aforementioned services, and then connect to another service through our initial connection? Effectively, we would be anonymising our anonymous surfing session! This sounds like a very good idea if we want to double our level of anonymity. Unfortunately, this may come at a price, and that price is speed. So far, this has been tested with proXPN (proxy #1) and Ultrasurf (proxy #2), and with Hotspot Shield + Tor, with only minimal speed degradation observed. To make this work, follow these steps:
1. Connect to proxy #1.
2. Check your IP.
3. Connect to proxy #2.
4. Check your IP.
Both IPs should have different values, and neither should be your actual IP. What is actually happening here is that your web browsing session is being processed through proxy #2, which in turn is being processed through proxy #1. Try it for yourself and see which mixes you like best.

Domains and DNS
If you have identified, suspect or were told that the main censorship technique on your network is based on DNS filtering and spoofing, you should consider these techniques. Some countries block piracy-related websites and many file sharing websites such as The Pirate Bay, Megaupload and others. When we connect to the Internet from our computer, we basically look for a DNS (Domain Name System) server. When the ISP technicians come to your house and set up your computer, they will usually point your DNS to the ISP's own DNS servers. Basically, the way the ISP blocks your connection to those file sharing websites is that its DNS servers refuse to resolve them. Hence, when you are using their DNS, they have total control of where you can go and where you can't. If you know where to configure your IP address, the option below your 'default gateway' is the DNS address. Commonly, people simply point to the Google DNS instead of the ISP DNS. The Google DNS addresses are: . Alternatively, use Comodo SecureDNS, which you can activate from the Comodo Firewall: . You don't have to enter both; filling one of your DNS fields with either of the two Google DNS addresses will do.

Using alternative domain servers or names
Simply speaking, a DNS server translates a human-friendly Internet address such as into the IP address, such as , that identifies the specific server or servers on the Internet associated with that name. This service is most often accessed through DNS servers maintained by your Internet Service Provider (ISP). Simple DNS blocking is implemented by giving an incorrect or invalid response to a DNS request, in order to prevent users from locating the servers they're looking for. This method is very easy to implement on the censor side, so it is widely used. Keep in mind that often several censorship methods are combined, so DNS blocking may not be the only problem. You can potentially bypass this type of blocking in two ways: by changing your computer's DNS settings to use alternative DNS servers, or by editing your hosts file.

Alternative DNS servers
You can bypass the DNS servers of your local ISP, using third-party servers to let your computer find the addresses of domains that may be blocked by the ISP's DNS servers. There are a number of free, internationally available DNS services that you can try. OpenDNS ( ) provides one such service and also maintains guides on how to change the DNS server that your computer uses ( ). There is also an updated list of available DNS servers from around the world at , and a list of publicly-available DNS services via the Internet Censorship Wiki at . (Some of these services may themselves block a limited number of sites; consult the providers' sites to learn more about their policies.)

Publicly-available DNS servers

Address            Provider
                   Google
                   Google
                   OpenDNS
                   OpenDNS
                   DynDNS
                   DynDNS
                   Visizone
                   Visizone
                   NortonDNS
                   NortonDNS
                   DNS Advantage
                   DNS Advantage
                   DNSResolvers
                   DNSResolvers
                   Level 3
                   Cable & Wireless

Once you've chosen a DNS server to use, you need to enter your selection into your operating system's DNS settings.

Change your DNS settings in Ubuntu
1. In the System menu go to Preferences > Network Connections.

2. Select the connection you want to configure (Google Public DNS is used as the example below). For an Ethernet (cable) connection, select the Wired tab, then select your network interface in the list. For a wireless connection, select the Wireless tab, then select the appropriate wireless network.

3. Click Edit, and in the window that appears, select the IPv4 Settings tab

4. If the selected method is Automatic (DHCP), open the dropdown menu and select "Automatic (DHCP) addresses only" instead. If the method is set to something else, do not change it.

5. In the DNS servers field, enter your alternate DNS IP information, separated by a space. For example, if you want to add Google DNS write:

6. Click Apply to save the changes. If you are prompted for a password or confirmation, type the password or confirm that you want to make the changes.

7. Repeat steps 1-6 for every network connection you want to modify.

Change your DNS settings in Windows
1. Open your control panel under the Start menu.

2. Under Network and Internet, click on "View network status and tasks".

3. Click on your active connection (for example Wireless Network Connection or Local Area Connection) on the right side of the window.

4. The Wireless Network Connection Status window will open. Click on Properties.

5. In the Wireless Network Connection Properties window select Internet Protocol Version 4 (TCP/IPv4), and click on Properties.

6. You should now be in the Internet Protocol Version 4 (TCP/IPv4) Properties window, where you are going to specify your alternate DNS address (for example: Google Public DNS)

7. At the bottom of the window, select "Use the following DNS server addresses" and fill in the preferred and alternate DNS server addresses. When you are done, click OK. The preferred server is used by default; the alternate server is only contacted when the preferred one fails to answer, so make sure both are servers you trust (they may belong to different providers).

Edit your hosts file
If you know the IP address of a particular web site or other Internet service that is blocked by your ISP's DNS servers, you can list it in your own computer's hosts file, a local list of name-to-IP-address mappings that your computer consults before asking external DNS servers. The hosts file is a plain text file with an extremely simple format: each line contains an IP address, then whitespace, then one or more names for that address (lines starting with # are comments). You can add any number of sites to your hosts file, but note that if you enter the wrong address for a site, you will be unable to reach that site by name until you fix or remove the entry. Entries also never expire, so a site that moves to a new IP address will appear to be down until you update the line. A hosts entry only works around DNS blocking: if the censor also blocks the IP address itself, you will need another circumvention method.

If you cannot find a site's IP address because of your ISP's DNS blocking, there are hundreds of online services that will perform an uncensored DNS lookup for you. You can also use the network diagnostic tools that various ISPs provide. These were originally intended for diagnosing accidental network outages rather than intentional censorship, but they are useful for diagnosing censorship too, and they include the ability to look up the IP address of a particular server.

Edit your hosts file in Windows Vista / 7
You will need a simple text editor, such as Notepad, to edit your hosts file, and the editor must be run with administrator rights because the file is protected. In Windows Vista and 7, your hosts file is located at C:\Windows\System32\drivers\etc\hosts.

1. Click on the Start button.

2. Type "notepad" at the search box.

3. Once you have found the program, right-click on it and select "Run as administrator".

4. Windows will ask for your permission to make changes to files. Click Yes.

5. Under the File menu, select Open.

6. Browse to C:\Windows\System32\Drivers\etc\. You may notice that the folder seems initially empty.

7. At the bottom right of the open dialog, select All Files.

8. Select the file "hosts" and click Open.

9. Add a line for your site at the end of the file (the IP address, a space, then the host name, in the format described above) and save it by pressing Ctrl+S or by selecting File > Save from the menu.

Edit your hosts file in Ubuntu
In Ubuntu, your hosts file is located at /etc/hosts. To edit it you will need some knowledge of the command line; please refer to the chapter "The Command Line" in this book for a brief tutorial.

1. Open the terminal by going to Accessories > Terminal under your Applications menu.

2. Use the following command to append a line to your hosts file, replacing the placeholders with the IP address and host name of the blocked site (keep the quotes, and do not omit the -a flag, which makes tee append to the file instead of overwriting it):
echo "IP-ADDRESS HOSTNAME" | sudo tee -a /etc/hosts

3. You may be prompted for your password in order to modify the file. Once authorized, the command appends the line to the end of the hosts file.

4. Optional: if you feel more comfortable working in a graphical interface, open the terminal and use the following command to launch a text editor with the necessary rights:
sudo gedit /etc/hosts

5. You may be prompted for your password in order to modify the file. Once the window has opened, simply add the line for your site at the end of the file, and save it by pressing Ctrl+S or selecting File > Save from the menu.
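The following Python script is an added example, not code from the original book. It implements the hosts-file editing described in the Windows and Ubuntu steps above as a small tool that validates the IP address and host name before writing, skips an entry that is already present, and refuses to add a second address for a name that is already mapped (the pitfall mentioned above, where a wrong or stale line silently breaks the site). The script name hosts_add.py, the sample hosts content and the example site are assumptions of this example.

```python
import ipaddress
import re
import sys
from pathlib import Path

# RFC 1123 host-name labels; assumption: internationalised names are given in punycode.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")

# Constructed sample of a fresh hosts file, used by the demonstration at the bottom.
SAMPLE_HOSTS = "127.0.0.1 localhost\n::1 localhost ip6-localhost\n"


def parse_hosts(text):
    """Return [(ip, [names...]), ...] for every non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # strip trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.append((ip, names))
    return entries


def merge_entry(text, ip, name):
    """Return (new_text, status) with `ip name` added, or raise on bad or conflicting input."""
    ipaddress.ip_address(ip)                        # ValueError on garbage such as 300.1.1.1
    if len(name) > 253 or not HOSTNAME_RE.match(name):
        raise ValueError(f"not a valid host name: {name!r}")
    for existing_ip, names in parse_hosts(text):
        if name.lower() in (n.lower() for n in names):
            if existing_ip == ip:
                return text, "already-present"
            # The pitfall the chapter warns about: a stale line silently breaks the site.
            raise ValueError(f"{name} already maps to {existing_ip}; fix or remove that line first")
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{ip} {name}\n", "added"


def add_host(path, ip, name):
    """Apply merge_entry to the hosts file at `path` (writing the real file needs root/administrator)."""
    hosts = Path(path)
    text = hosts.read_text(encoding="utf-8") if hosts.exists() else ""
    new_text, status = merge_entry(text, ip, name)
    if status == "added":
        hosts.write_text(new_text, encoding="utf-8")
    return status


if __name__ == "__main__":
    # Usage: sudo python3 hosts_add.py /etc/hosts 203.0.113.10 blocked.example
    if len(sys.argv) == 4:
        print(add_host(sys.argv[1], sys.argv[2], sys.argv[3]))
    else:
        text, status = merge_entry(SAMPLE_HOSTS, "203.0.113.10", "blocked.example")
        print(status)
        print(text, end="")
```

On Windows, pass C:\Windows\System32\drivers\etc\hosts as the path from an administrator prompt. The check is deliberately strict: a typo in the address is the one mistake this file does not forgive.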

Stop DNS leakage while using a VPN
Most Virtual Private Network providers fail to mention that, even while your connection is encrypted by the VPN, there is a high chance that a DNS leak will occur and your ISP will still be able to see which sites you visit. The problem occurs primarily when routers and computers obtain their settings automatically through DHCP: the name server handed out by your ISP can remain in use instead of the one supplied by the active VPN connection, so your DNS queries are sent outside the tunnel, in the clear, and the ISP's resolver sees every host name you look up (and can still answer with censored responses).

DNS leak test
If you want to check whether you suffer from DNS leakage, connect to your usual VPN or proxy and visit a DNS leak test site. After you click on "Test my DNS", ignore everything except the part at the top of the page that lists the DNS resolver(s) tested. Use a whois tool to look up the IP addresses listed there; if your ISP's name comes up, you have a DNS leak.

Solving DNS leakage
The easiest way I have found to stop DNS leakage is to stop using the ISP's name servers and choose a free public DNS provider instead. Bear in mind that this only stops the ISP's resolver from logging and manipulating your lookups: if the queries still leave your computer outside the VPN tunnel, they still cross the ISP's network unencrypted. The complete fix is to make sure the resolver you use is reached through the tunnel, for example by using the resolver your VPN provider supplies, and then confirming with the leak test that only addresses belonging to the VPN or to your chosen public provider appear.

List of free public DNS providers (each provider publishes two resolver addresses, NS1 and NS2, on its web site):
- Comodo Secure DNS
- Google Public DNS
- OpenDNS
- DNS Advantage

Each provider also publishes instructions for changing your computer's DNS settings to its servers. After you have made the change, carry out the DNS leak test mentioned above again: you should now see only resolvers belonging to your newly chosen provider. Note: it looks as if Comodo Secure DNS and DNS Advantage are using the same network (UltraDNS).

DNS Nameserver speed test
Changing your DNS server can also increase or decrease the speed at which web site names are resolved. You can test your name servers' speed with free utilities such as NameBench (a DNS benchmark utility) or GRC's DNS Benchmark (no installation needed). Choose on trustworthiness first and speed second: the fastest resolver is of no use if it returns censored answers.

Random MAC addresses
Generate random MAC addresses automatically to protect your privacy when connecting to untrusted networks. This section covers:
- What is a MAC address?
- Why randomize your MAC address?
- What limitations will this impose?
- Setup automatic random MAC address creation in Ubuntu 10.04 using Network Manager

Here you learn how to generate a new MAC address every time you connect to a computer network.

What is a MAC address?
A MAC (Media Access Control) address is a unique address built into every piece of networking hardware. It identifies the specific network card you use to connect to a network (and therefore, unless you change network cards often, your computer). It is similar to an IP address in its ability to identify you uniquely, but it is tied directly to the hardware you are using and does not change when you move between networks.

Why randomize your MAC address?
Because it is a unique identifier, your MAC address can be used to track you. It is only visible on the local network you are attached to (unlike your IP address, it is not carried across the Internet), so the people who can collect it are the operators of the networks you join and anyone within radio range of a wireless network you use. This is especially relevant at open access points, such as the free networks offered by major coffee chains or fast-food restaurants. If you connect to free public networks, it is strongly recommended to use a generated MAC address as described below: collecting MAC addresses is trivial, and it is likely being done to build profiles of you and your movements based on your hardware address.

What limitations will this impose?
Some routers identify you by your MAC address, giving you a specific IP address as a result or allowing you to use their services; any service that is tied to a specific network adapter may stop working if you use this method. If you do not know what that means, it is very likely not a problem for you. More likely, you will have to click through again any portal that comes up when first signing on to a public network, since such portals remember by MAC address that you already accepted their conditions. Examples typically come in the form of free wireless access points provided by corporate entities: you will probably have to "agree" to the "terms of service" again every time you connect.

Setup automatic random MAC address creation in Ubuntu 10.04 using Network Manager
Ubuntu 10.04 (and, as of September 2010, other distributions shipping the same Network Manager release) comes with a version of Network Manager that does not support "pre-up" scripts for network connections, so it cannot run a script just before connecting to a network, which would be the easy way to change the MAC address on every connection. The approach below works around this limitation: it generates a random MAC address every time the Network Manager service starts, and a new one every time you disconnect from a network.

1. Open a terminal and run:
sudo apt-get install macchanger

2. It is a good idea to note your current MAC address now, so that you can verify later that the scripts really change it. For a wired (Ethernet) connection, type:
macchanger eth0
For a wireless adapter, type:
macchanger wlan0
The output will look something like this:
Current MAC: 00:0c:1d:47:a4:0c (Mettler & Fuchs Ag)
00:0c:1d:47:a4:0c is the MAC address in this example, always in the form XX:XX:XX:XX:XX:XX. The text in parentheses (the vendor looked up from the first three octets) will vary.

3. Create the file /etc/init/macchanger.conf:
sudo nano /etc/init/macchanger.conf

4. Paste the following lines into it and save the file (in nano, press Ctrl+X, answer Y to save the modified buffer and confirm the file name):
# macchanger - set MAC addresses
#
# Set the MAC addresses for the network interfaces.
description "change mac addresses"

start on starting network-manager
pre-start script
/usr/bin/macchanger -A wlan0
/usr/bin/macchanger -A eth0
/usr/bin/macchanger -A wmaster0
/usr/bin/macchanger -A pan0
#/usr/bin/logger wlan0 `/usr/bin/macchanger -s wlan0`
#/usr/bin/logger eth0 `/usr/bin/macchanger -s eth0`
end script

This Upstart job runs while the Network Manager service is starting and, using the -A switch, gives each interface a random address with a real vendor prefix (interfaces that do not exist on your machine, such as wmaster0 or pan0, simply produce an error that is ignored). macchanger can generate several kinds of address; a vendor-prefixed one may still look odd to someone actively examining the network, because the vendor will not match the actual hardware, but passive monitoring and background tracking will most likely not notice. This method should work best for most people.

5. Create the file /etc/network/if-down.d/random-mac and paste the following lines into it:
#!/bin/sh
MACCHANGER=/usr/bin/macchanger
test -x "$MACCHANGER" || exit 0
[ "$IFACE" != "lo" ] || exit 0
# Bring the interface down (wireless cards are kept up to scan for networks),
# change the MAC address to a random vendor address, then bring the interface back up
ifconfig "$IFACE" down
"$MACCHANGER" -A "$IFACE"
ifconfig "$IFACE" up

This script changes the MAC address again whenever a network interface is brought down. If an interface is never properly brought down and the machine is never rebooted, the same address may be used more than once.

6. Make the random-mac script executable:
sudo chmod +x /etc/network/if-down.d/random-mac

7. Restart Network Manager for the change to take effect:
sudo service network-manager restart

Your computer will now automatically create a new random MAC address for every physical network adapter you have (wired and Wi-Fi), without your intervention or notification, and reduce your trackability on public networks. You can confirm that it works by running macchanger -s on the interface and comparing the result with the address you noted in step 2. This tactic can easily be adapted to other Linux/BSD setups and possibly to OS X and Windows.

For Windows there is a small program called MAD MAC that randomizes your MAC addresses on each restart of your computer.

You can also change a MAC address manually in Linux. The interface must be down while you change it, and the new address must consist of six hexadecimal byte values (the letters in the placeholder below are not valid hex digits):
sudo ifconfig eth0 hw ether ne:wm:ac:ad:dr:es
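The following Python script is an added example, not code from the book or from macchanger. It shows the two ways of making up a MAC address: the "random real vendor" style that the -A switch uses, and the "locally administered" style, in which bit 1 of the first octet marks the address as assigned by software. It checks that the result is a valid unicast address (bit 0 of the first octet clear), and produces the iproute2 commands equivalent to the ifconfig line above. The short vendor-prefix list is an assumption of this example, and the commands are only executed when apply_mac is called with the default runner as root.

```python
import os
import re
import subprocess

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# A few real IEEE vendor prefixes (OUIs) to imitate the "random real vendor" style of
# macchanger -A; which vendors to imitate is an assumption of this example.
SAMPLE_OUIS = ("00:1b:21", "00:1e:c2", "00:21:9b")   # Intel, Apple, Dell


def random_mac(vendor_style=True):
    """Return a random unicast MAC address.

    vendor_style=True keeps a real OUI, so passive observers see a plausible card.
    vendor_style=False sets the locally-administered bit (bit 1 of the first
    octet) instead, which is honest but visibly 'made up' to anyone who checks.
    """
    tail = ":".join(f"{b:02x}" for b in os.urandom(3))
    if vendor_style:
        oui = SAMPLE_OUIS[os.urandom(1)[0] % len(SAMPLE_OUIS)]
        return f"{oui}:{tail}"
    first = (os.urandom(1)[0] | 0x02) & 0xFE      # set local bit, clear multicast bit
    middle = ":".join(f"{b:02x}" for b in os.urandom(2))
    return f"{first:02x}:{middle}:{tail}"


def is_valid_unicast(mac):
    """True for a well-formed address whose multicast bit (bit 0 of octet 1) is clear."""
    return bool(MAC_RE.match(mac)) and int(mac[:2], 16) & 0x01 == 0


def is_locally_administered(mac):
    return int(mac[:2], 16) & 0x02 != 0


def change_mac_commands(iface, mac):
    """iproute2 equivalent of `ifconfig IFACE hw ether MAC`: the link must be down first."""
    if not is_valid_unicast(mac):
        raise ValueError(f"refusing to set invalid or multicast address {mac}")
    return [["ip", "link", "set", "dev", iface, "down"],
            ["ip", "link", "set", "dev", iface, "address", mac],
            ["ip", "link", "set", "dev", iface, "up"]]


def apply_mac(iface, mac, run=None):
    """Run the three commands (needs root). Pass your own `run` to dry-run or to test."""
    run = run or (lambda argv: subprocess.run(argv, check=True))
    for argv in change_mac_commands(iface, mac):
        run(argv)
    return mac


if __name__ == "__main__":
    new = random_mac()
    for argv in change_mac_commands("eth0", new):
        print(" ".join(argv))
```

Both styles defeat the background tracking described above equally well; the vendor style is the one to use if a network also checks whether the address looks like a real card.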

Researching and Documenting Censorship
In many countries, it is no secret that government censorship of the Internet exists. The scope and methods of censorship have been documented, for example, in the books Access Denied: The Practice and Policy of Global Internet Filtering and Access Controlled: The Shaping of Power, Rights, and Rule in Cyberspace, both edited by Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain. When a popular site is widely blocked, that fact tends to become widely known within the country. However, some governments (including some rather active censors) officially deny the existence of censorship or try to disguise it as random technical errors. If you are subject to censorship, you can use your situation to help others (including the international academic and activist community that studies censorship) understand it and potentially publicize it. Of course, you need to be cautious about this: governments that deny their network censorship may not appreciate your participation in efforts to expose them.

Research censorship knowledge databases
Some censorship knowledge databases have been made public in the last couple of years. Some of them are crowd-sourced, but they are all validated by field experts, and they are constantly updated to keep their information and lists of blocked sites as accurate as possible. Two such databases:
- Herdict Web
- Alkasir Map

On a more macro-geographic level, the OpenNet Initiative and Reporters Without Borders release a "State of the Internet" report for every country on a regular basis. You can access them online:
- OpenNet Initiative research reports
- Reporters Without Borders "Internet Enemies"

Reporting blocked sites using Herdict
Herdict is a Web site which aggregates reports of inaccessible sites. It is run by researchers at the Berkman Center for Internet and Society at Harvard University in the United States who study how the Internet is being censored. The data in Herdict is not perfect (for example, many users cannot distinguish a site that is unavailable because of a technical glitch, or because they mistyped the address, from actual censorship), but it is collected from all over the world and is constantly updated.

The figure above shows an overview of Herdict's report for Facebook. You can help these researchers by submitting your own reports to Herdict through their web site. It is free, easy to use, and you do not even have to register. You can also register to receive updates on future block notifications for a website.

Herdict also offers add-ons for the Firefox and Internet Explorer Web browsers to make it easier to report whether particular Web sites are blocked or not as you browse the web.

Alkasir
Alkasir is a server/client tool that facilitates the tracking, analysis and circumvention of Web site censorship (filtering). It is mainly used in the Middle East but can be used globally. It uses dedicated client software and is powered by proxy servers. Its distinctive feature is that it keeps its list of blocked sites up to date through semi-automatic updates, and it allows newly blocked sites to be reported by its globally distributed user community.

General information
- Supported operating system: Windows
- Localization: English and Arabic
- Web site, help, FAQ and contact: see the Alkasir web site

How does Alkasir work?
Alkasir combines two complementary features. It is a Web browser (based on Mozilla Firefox) with an embedded, pre-configured HTTP proxy, and it maintains a self-learning database of blocked URLs.

Bypassing Internet censorship
Alkasir relies on its blocked-URL database and its built-in proxy only to reach blocked URLs; non-blocked URLs are accessed directly, without going through the proxy. Using the HTTP proxy only when it is really needed saves bandwidth and lets non-blocked pages load more quickly, since directly-accessed pages load faster. Bear in mind that the direct requests are visible to the censor as usual: only the requests that go through the proxy are hidden from it.

Keeping the blocked URLs database up-to-date
Any time a user suspects that a URL is blocked, they can report it via the software interface. Alkasir checks the report thoroughly and then asks that country's moderator (a human being) to approve the addition to the database, to keep the database relevant and to prevent undesirable content, such as pornography, from entering it. A single "blocked content unit" (a Web site that is blocked in a certain country) often depends on more than one URL, so when Alkasir detects a blocked URL in a certain country it checks all the URLs referenced on that page to determine whether any of them are also blocked. Thus Alkasir builds its blocked-content database through a simple, one-level spidering method. Finally, if an Alkasir user fails to load a URL with a direct request (that is, not through the proxy), the client notes this and automatically checks whether it is a new blocked URL not yet in the database; if so, it is added automatically. The database is available online from Alkasir. To summarize, Alkasir's blocked-URL database is continuously fed by all Alkasir users (through human submissions or automatic reports), and the Alkasir browser relies on this database to keep the tool responsive by redirecting only requests for blocked URLs through the proxy.

How do I get Alkasir? You can download Alkasir directly from the website or receive it by e-mail.

Download Alkasir via the website
You can download Alkasir from the official website. Depending on the operating system and programs you have, you will choose one of the following versions:
- If you have Windows Vista or Windows 7 and have Mozilla Firefox installed, you only need the "Alkasir Installation package" (requires installation, size: 3 MB).
- If this is not the case, you need to download the "Alkasir Complete Installation package" (also requires installation, size: 41.04 MB).

If you are not able or do not want to install Alkasir permanently on the computer you are using (e.g. a shared computer in an Internet cafe or library), you can download either of the two USB versions of Alkasir:
- Alkasir USB package without Mozilla
- Alkasir USB package with Mozilla browser

Please note that both versions require the .NET Framework to be installed, which is preinstalled on all Windows Vista and Windows 7 systems.

Optionally, you can register an account to receive regular updates and news from Alkasir by email. Updates are released on a regular basis, so you should be sure to get the latest version from the official website.

Receive Alkasir by e-mail
If the Alkasir website is blocked in your country, you can get the installation file from an e-mail autoresponder: simply send a blank e-mail to the autoresponder address published by Alkasir to request the installation file as an attachment.

You will receive an e-mail with the software attached and instructions on how to install Alkasir on your computer. If you do not receive the software after a few minutes, you may need to add the sender's address to your contacts or whitelist so that the e-mail is not treated as spam. Because an e-mail attachment can be tampered with or spoofed on the way, make sure the message really comes from Alkasir before running the attachment.

Installation Once you have downloaded the installation file, double-click on the software icon.

You may get a security warning. Click Run or Accept.

Follow the Alkasir installation wizard by clicking the Next button.

You can change the installation folder (but this is not recommended).

When ready, click Next.

Validate the security warning shown above by clicking Yes.

When the installation is finished, click Close.

How do I use Alkasir? Alkasir should start by default whenever Windows is started. Ensure that the software is running by checking that the Alkasir icon is displayed in your system task bar, near the clock.

Right-clicking the icon reveals the configuration menu, with three entries:
- Launch Browser
- Open Alkasir interface
- Report blocked URLs

The main Alkasir interface gathers all the features of the software. You can:
- start, shut down and restart the software
- launch the Alkasir browser
- register or log in to your Alkasir account
- get updates for your installed version of Alkasir

First, let's launch the Alkasir browser.

The browser's graphical user interface is very similar to Mozilla Firefox, as it is based on the same technical framework. Note some specific features:
- a button for complete Arabic localization
- the "Report Blocked URLs" button, to use when you are trying to reach a website that appears to be blocked; it is displayed near the address bar and the status bar
- an Alkasir icon to go to the main interface

You can also find other menus to integrate your Alkasir browser with your Alkasir account. It is possible to enable or disable automatic updates for the software, the proxy list and the blocked-sites database. If you arrive at an error page that could indicate a blocked website (such as an Access Denied or Connection Timeout error), you can submit the URL to the Alkasir database by clicking the Report Blocked URL button. You can choose to be notified of the moderator's decision about whether to enter this URL into the database (the decision is based on the tool's policy).

Further information
Visit the Alkasir web site for:
- comprehensive documentation for the software
- a list of Frequently Asked Questions

Best Practices for Webmasters
Running a Web site, whether or not it is exposed to a wide audience, is not always easy. It is important to think about your personal safety as well as the safety of your visitors. Webmasters are often surprised when their Web sites are unexpectedly blocked in a certain country. If a large number of visitors are unable to access the site, the site operator may also face economic problems. Losing your Web site's content or server, or having to set up a new server, can also be disruptive and frustrating. Here we gather a checklist of good practices and advice to keep in mind when running your Web site.

Protect your website
- Always schedule automated backups (files and database) to at least one other physical machine, and make sure you know how to restore them: a backup you have never restored is not a backup.
- Monitor your traffic to learn which countries your visitors come from. You can use geolocation databases to make a guess about which country an IP address is located in. If you notice a major drop in traffic from a specific country, your Web site may have been blocked there; you can share this with databases of geographically blocked Web sites such as Herdict.
- Secure your Web site, especially if you use a CMS (Content Management System). Always install the latest stable updates to fix security flaws, and keep plugins and themes updated too, since they are patched separately from the CMS core.
- Secure your Web server software with hardened settings (you can find plenty of online resources about how to secure Linux Web servers).
- Register (or transfer) your domain name with a DNS provider that is not your hosting provider. If your hosting provider is attacked or pressured, you will be able to point your domain name to a new host easily. You may also want to run a mirror server on standby that you can switch to; learn how to switch your DNS entries to the mirror server, and keep the DNS record lifetime (TTL) short so that the change takes effect quickly.
- Consider hosting your website in a foreign country where the content is less controversial and clearly legally protected. This may add a small delay to page load time for your visitors, and may save you a lot of trouble if you are located in a country where your web site's content is considered very controversial.
- Test and optimize your website with the main circumvention tools your visitors are likely to use, and check and fix any broken pages or features. Ideally, make your website usable without JavaScript or plugins, since these may be unavailable or broken when people are using proxies.
- Avoid using FTP to upload your files. FTP sends your password over the Internet unencrypted, making it easy for eavesdroppers to steal your login credentials. Use SFTP (the SSH File Transfer Protocol), SCP or WebDAV over HTTPS instead.
- Use alternative ports to access your back-end. Attackers run automated scans on the standard ports to find vulnerable services; moving services such as SSH to non-standard ports reduces that noise, although it does not stop a targeted attacker and is no substitute for key-based authentication and timely patching.
- Protect your server against brute-force attacks by installing a tool such as DenyHosts, which blacklists IP addresses that attempt unsuccessful logins more than a certain number of times.
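The following Python script is an added example, not code from the book or from DenyHosts. It shows the detection logic behind a tool like DenyHosts run over a few sshd log lines: it parses the "Failed password" lines that sshd writes to /var/log/auth.log, counts failures per source address inside a sliding time window, and emits the /etc/hosts.deny lines that DenyHosts would write. The log lines are constructed for the example, the year is assumed (syslog timestamps carry none), and the threshold and window are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd lines as written to /var/log/auth.log (not real traffic).
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 web sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 10 10:00:03 web sshd[2203]: Failed password for root from 198.51.100.7 port 40130 ssh2
Jan 10 10:00:04 web sshd[2205]: Failed password for invalid user test from 198.51.100.7 port 40140 ssh2
Jan 10 10:00:06 web sshd[2207]: Failed password for root from 198.51.100.7 port 40151 ssh2
Jan 10 10:00:09 web sshd[2209]: Failed password for root from 198.51.100.7 port 40160 ssh2
Jan 10 10:05:00 web sshd[2301]: Failed password for alice from 203.0.113.5 port 51000 ssh2
Jan 10 10:05:20 web sshd[2303]: Accepted publickey for alice from 203.0.113.5 port 51002 ssh2
Jan 10 11:00:00 web sshd[2401]: Failed password for root from 203.0.113.9 port 33000 ssh2
Jan 10 11:30:00 web sshd[2403]: Failed password for root from 203.0.113.9 port 33004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})")


def parse_syslog_ts(ts, year=2012):
    """syslog timestamps carry no year; the caller supplies it (assumed 2012 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_brute_forcers(log_text, threshold=5, window_minutes=10):
    """Return {ip: total failures} for sources with >= threshold failures in any window."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        match = FAILED_RE.match(line)
        if match:
            failures[match["ip"]].append(parse_syslog_ts(match["ts"]))
    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):             # sliding window over the sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders


def hosts_deny_lines(offenders):
    """TCP-wrappers syntax for /etc/hosts.deny, the file DenyHosts maintains."""
    return [f"sshd: {ip}" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = find_brute_forcers(SAMPLE_AUTH_LOG)
    for line in hosts_deny_lines(found):
        print(line)
```

With the defaults, only the source that fails five times in ten seconds is listed; a user's single typo is not. Widening the window and lowering the threshold also catches a slow, patient attacker, at the price of more false positives, which is the trade-off any such tool makes.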

Protect yourself
Here are some tips to prevent potential personal harm, if staying anonymous as a webmaster is important to you.
- Use an anonymous e-mail address and a name that is never associated with your real identity.
- If you own a dedicated domain name, you can keep your own details out of the public WHOIS database by using a service often called "WHOIS proxy", "WHOIS protect" or "domain privacy", which records the service's contact details instead of yours.
- Use a service like Tor to stay anonymous when updating your Web site, and use it consistently: a single update made from your home connection can link the site to you.

Protect your visitors
Apart from protecting your Web site and yourself, it is also important to protect your visitors from potential third-party monitoring, especially if they submit content to your website.
- Deploy HTTPS so your users can access your site over an encrypted connection; this makes it much harder to inspect the transferred content automatically and lets visitors verify your site's identity. Ensure that your HTTPS configuration covers your entire site and that you follow the other HTTPS best practices; online guides explain how to deploy it correctly, and automated test services will check many technical parameters of your configuration.
- Minimize the data retained in your logs. Avoid saving IP addresses or any personal data related to your visitors for longer than necessary.
- Never store passwords in plain text or as a plain hash: store them as salted hashes produced by a slow, purpose-built password hashing function, so that a stolen database does not reveal the passwords. Encrypt other sensitive user data.
- External services like Google Analytics and other third-party content like ad networks are difficult to control and report your visitors to a third party. Avoid them.
- Create a light and secure version of your Web site, without any Flash or JavaScript embedded code, compatible with Tor and low-bandwidth connections.
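The following Python code is an added example, not code from the book. It puts the unsalted hash that this advice warns against next to a salted, deliberately slow one, and shows the constant-time comparison used to verify a login. PBKDF2-HMAC-SHA256 is used because every Python installation has it; the iteration count, the record format and the needs_rehash policy are assumptions of this example, and scrypt, bcrypt or Argon2 are better choices where a library is available.

```python
import hashlib
import hmac
import os

# Work factor is an assumption of this example: raise it until one hash takes
# roughly 100 ms on your server, so that guessing is expensive for an attacker too.
ITERATIONS = 200_000
SALT_BYTES = 16


def weak_hash(password):
    """The 'before': unsalted MD5. Identical passwords give identical hashes, and
    precomputed tables reverse common ones; shown only to contrast with hash_password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash' (hex)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)   # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                                  # malformed record: never matches
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)      # no early exit on the first wrong byte


def needs_rehash(record, iterations=ITERATIONS):
    """True if a stored record uses a weaker work factor than the current policy."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("Tr0ub4dor&3", record))
```

Because the salt and the iteration count travel with the record, the work factor can be raised later: check needs_rehash after a successful login and store a fresh record while the plain-text password is in hand.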


Educate your visitors
- Teach your users how to use circumvention tools and how to improve their online security.
- Make a digital safety checklist available so your visitors can check that they are not being monitored or attacked.

Share circumvention tools with your visitors
- Host Web proxy instances (such as SabzProxy or Glype Proxy) and share them with your visitors by e-mail or through your social networks.
- Send out Psiphon invitations if you have an account on a private node.
- Install other kinds of Web and application proxies if you own a dedicated server, and share them.
- Link to this manual or to relevant circumvention tools from your website.

Multiply channels of distribution
Webmasters can and should take different actions to spread their content as widely as possible, so that being shut down or blocked does not silence them.
- Set up a newsletter and send regular updates of new content by e-mail. You will still be able to reach users when they can no longer visit your Web site.
- Set up an RSS feed and make sure it contains full articles, not only excerpts (snippets). This way your content can easily be parsed by third-party websites and applications such as Google Reader, which can be used to read your content where direct access is blocked.
- Share your content on popular social networking platforms, such as Facebook or Twitter, which may be hard to block. Spread the content as much as possible.
- Make your content available for download. Wikipedia, for example, distributes its entire content freely as a database dump that can be used to create new mirror Web sites with the same content elsewhere.
- Consider publishing your articles under an open license (such as the GPL or Creative Commons) which allows everyone to reuse your content and create mirrors.
- Mirror your files on free file-hosting services and through peer-to-peer file-sharing software such as BitTorrent.
- Configure your Web server to also serve content on ports other than the standard ports 80 (HTTP) and 443 (HTTPS).
- Offer an API (application programming interface) which allows others to access your content automatically via third-party software, as Twitter and Wikipedia do.

Reduce your page load time
Reducing your page load time will not only save you some bandwidth and money, but will also help visitors from developing countries to access your information. Good lists of best practices for speeding up web sites are available online.
- Adopt a minimalist style. Keep images to a minimum and use CSS to style your layout.
- Optimize your images. Use programs like OptiPNG to make your pictures load faster by optimizing them for the Web. Also, never scale images with HTML if you do not need to (if you need a 60x60 image, resize the file itself rather than letting the browser scale it).
- Reduce Java, JavaScript, Flash and other content that runs on the visitor's computer to a minimum. Remember that some Internet cafes disable this kind of content for security reasons. Make sure that the information you want to convey is displayed in plain HTML.
- Use external files for your CSS and JavaScript. If a certain CSS style or JavaScript is used throughout your Web site, save it in a separate file and reference it in the header of your Web pages. The visitor's browser can then cache the file instead of downloading it again with every page.
- Minify your code. Remove any unnecessary line breaks and spaces; several tools do this automatically.
- Reduce the number of server requests to a minimum. If you have a dynamic Web site whose content does not change very frequently, consider installing a cache extension that serves your users a static version of your content, significantly reducing the number of requests to your database.

Enabling remote access for others
You can also help censorship research by giving researchers remote access to your computer so that they can run their own tests from it. Only do this if you trust the researchers in question with the kind of access you are offering them: they may get full control over your computer, and everything they do on your machine will look like your own actions to your ISP or government.

Remote desktop applications typically use either the Remote Desktop Protocol (RDP) or the Virtual Network Computing (VNC) protocol. To establish a remote connection, both the host/server and the client have to support the same protocol. All Windows versions include an RDP client (the RDP server is only included in the Professional and higher editions), and Linux distributions ship VNC. VNC connections are typically slower than RDP connections, but VNC is usually easier to set up across a variety of platforms. For better performance and security you can use NoMachine's free NX server and clients, or those from FreeNX, though more configuration is required. It is also possible to accept RDP connections on Linux machines, for example with the xrdp server.

RDP uses TCP port 3389. VNC uses TCP port 5900 and up: each display on a server uses a different port (display 1 uses 5901, display 2 uses 5902, and so on), so it is best to define a port range such as 5900-5905 when creating the firewall rule or exception. Do not expose a plain VNC server directly to the Internet: its password authentication is weak and the session is unencrypted unless the server enforces encryption. Tunnel it through SSH instead, so that only the SSH port is reachable from outside.

For GNU/Linux operating systems a shell account over SSH is the best option; help on setting this up is available from many online sources.

Activating Remote Desktop Access on Ubuntu

Open the desktop System menu, select Preferences and click on Remote Desktop.

When the option "Allow other users to control your desktop" is disabled, the remote user can see what is happening on the desktop, but is unable to interact with it using the keyboard and mouse.

Require the user to enter this password - Specifies a password which must be entered by the remote user to access your desktop. It is strongly advised that you select this option and specify a password.

Accessing a Remote Ubuntu Linux Desktop using Vinagre

There are both secure and insecure methods for accessing a remote desktop. Connection to the remote desktop may be performed by running either the vncviewer tool or the newer vinagre on the system from which the remote desktop is to be accessed. On Ubuntu systems, vinagre is installed by default. On other systems, however, it may need to be manually installed. For example, to install vinagre on a Fedora system, execute the following commands in a terminal window:

su
yum install vinagre

To access a remote desktop, open a terminal window and enter the command specified in the Remote Desktop Preferences dialog, for example:

vinagre hostname:0

Details of the advanced configuration options are as follows:

Only allow local connections - Only allows remote desktop connections to be established from the local system. This essentially disables access from remote systems.

Use an alternate port - Remote Desktop access requires the use of a TCP/IP port. By default a port will be assigned to the current connection starting at port 5900. If an alternate port is required, select this option and specify the required port.

Disable the wallpaper when connected - A key objective of remote desktop access is to minimize the volume of network traffic involved in projecting the desktop to the remote user. If the desktop currently has a wallpaper image defined (in other words, the background of the desktop), this will result in a considerable amount of additional network traffic. This option switches the desktop wallpaper to a plain background to reduce bandwidth usage, thereby speeding up the desktop presentation.

Require encryption - As previously mentioned, remote desktop access may be established using both secure and insecure mechanisms. When selected, this option enforces the use of secure, SSH-based connections when accessing the desktop remotely.

Lock screen on disconnect - Causes the desktop screen lock to be engaged automatically when the remote desktop connection is disconnected. This ensures that the next user to connect to the desktop will be required to enter a password to gain access.

Always display icon - Causes the remote desktop icon to appear in the Notification area of the top status bar when remote desktop access is enabled (even when a remote user is not connected).

Only display an icon when someone is connected - Displays an icon in the Notification area of the top status bar when a user is remotely connected to the desktop.

Never display an icon - The Notification icon is never displayed, regardless of the current state of the remote desktop system.

Connecting from Ubuntu Machine

Go to Applications ---> Internet ---> Remote Desktop Viewer. Once it opens you should see a screen similar to the following; if you want to connect to a remote PC, click on Connect in the top menu.

Enter your remote host, or click on Find.

Now it should automatically detect the available remote desktops; select your remote PC and click OK.

You can see the remote host details and port number; click on Connect, then enter the remote host password to connect and click OK.

Now you should be able to connect to your remote desktop. In Intrepid we have more security options to choose from, such as encrypting the complete session.

The following figure illustrates a vinagre session running on a Fedora system attached to a remote desktop running on Ubuntu. Note that only part of the remote desktop is displayed. The entire desktop may be viewed by clicking on the Full Screen toolbar button.

Connecting from Windows Machine

If you are trying to connect from your Windows machine you need to install a VNC viewer of your choice; I have installed the one from here. Install this program; once it is installed you can open it from Start ---> All Programs ---> RealVNC ---> VNC Viewer 4 ---> Run VNC Viewer. Once it opens you should see the following screen; here enter the remote machine in the ipaddress:0 format and click OK. Now it will prompt for a password; enter your password and click OK. Now on the remote machine you should see the following screen asking for permission to allow this connection; you need to click on Allow. This will come up only if you ticked the "Ask you for confirmation" option under Sharing. Alternatively, it is possible to use TightVNC to connect Windows and Ubuntu to each other. For further information see:

Tunneling the remote desktop through a secure shell (SSH) connection

In order for a system to accept SSH connections the system must first be running the SSH server. By default, Ubuntu does not install the SSH server, so the first step is to ensure that the server is installed. This can be performed using either the Synaptic Package Manager or the apt-get command-line tool.

To install using the Synaptic Package Manager, select the System desktop menu and then click on Synaptic Package Manager in the Administration sub-menu. Enter your password when prompted to do so. Click on the Search button in the toolbar and search for openssh-server. After the search completes, you will see openssh-server in the package list. Simply click on the check box next to this item and follow the instructions to install the SSH server package. When you are ready to initiate the installation, click the Apply button in the Synaptic toolbar.

To install from the command line, begin by opening a terminal window by selecting the Applications menu and selecting Terminal from the Accessories menu. In the terminal window enter the following command and press Enter to execute it:

sudo apt-get install openssh-server

The installation process will download the SSH server, install it and start the service running in the background. You may now attempt to connect from a remote system (see below for details of how to do this). If you receive a "connection refused" message when you try to connect you may need to configure the firewall to allow SSH connections to be established to this system. See:

Once the SSH server is installed and active it is time to move to the other system. At the other system, log in to the remote system using the following command, which will establish the secure tunnel between the two systems:

ssh -L 5900:localhost:5900 hostname

In the above example, hostname is either the host name or IP address of the remote system. Log in using your account and password. The secure connection is now established and it is time to launch vncviewer so that it uses the secure tunnel. Leaving the ssh session running in the other terminal window, launch another terminal and enter the following command to use vncviewer:

vncviewer localhost::5900

Alternatively, to use vinagre:

vinagre localhost:5900

The vncviewer session will prompt for a password if one is required, and then launch the corresponding viewer, providing secure access to your desktop environment.

If you are connecting to the remote desktop from outside the firewall, keep in mind that the IP address for the ssh connection will be the external IP address provided by your ISP, not the LAN IP address of the remote system (since this IP address is not visible to those outside the firewall). You will also need to configure your firewall to forward port 22 (for the ssh connection) to the IP address of the system running the desktop. It is not necessary to forward port 5900. Steps to perform port forwarding differ between firewalls, so refer to the documentation for your firewall, router or wireless base station for details specific to your configuration.
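The tunnel procedure above, as an added example that is not part of the book: a Python script that builds the same ssh -L command, waits until the local end of the tunnel is listening, and, on the desktop being shared, checks the output of ss -ltn (or netstat -ltn) to confirm that the VNC port is bound to the loopback address only. That last check matters because "it is not necessary to forward port 5900" only keeps outsiders out if VNC is not also listening on a public interface; with the tunnel in place, nobody needs to reach 5900 except ssh itself. The function names and the sample ss output are constructed for the example.

```python
"""Added example: VNC over an SSH tunnel, plus a check that VNC is only reachable
through the tunnel. Not the book's code; names and sample output are constructed."""
import socket
import subprocess
import time

VNC_PORT = 5900


def tunnel_argv(remote_host, user=None, ssh_port=22,
                local_port=VNC_PORT, remote_port=VNC_PORT):
    """Equivalent of `ssh -L 5900:localhost:5900 hostname` from the text.

    -N: forward the port only, do not open a remote shell.
    Binding the local end to 127.0.0.1 explicitly keeps other machines on
    your LAN from using your tunnel (ssh defaults to loopback anyway).
    """
    target = f"{user}@{remote_host}" if user else remote_host
    return ["ssh", "-N", "-p", str(ssh_port),
            "-L", f"127.0.0.1:{local_port}:localhost:{remote_port}", target]


def listener_scope(ss_output, port):
    """Classify how `port` is bound, from the text of `ss -ltn` or `netstat -ltn`.

    'local'   : loopback only, so only tunnelled (encrypted) clients reach it
    'exposed' : bound to all interfaces, reachable without the tunnel
    'none'    : nothing listening on that port
    """
    scope = "none"
    for line in ss_output.splitlines()[1:]:            # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, bound_port = fields[3].rpartition(":")  # also handles [::]:5900
        if bound_port != str(port):
            continue
        if addr in ("127.0.0.1", "[::1]"):
            scope = "local" if scope == "none" else scope
        else:
            return "exposed"
    return scope


def wait_for_local_port(port, timeout=15.0):
    """True once something accepts connections on 127.0.0.1:port (the tunnel)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection(("127.0.0.1", port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.5)
    return False


def open_tunnel(remote_host, user=None, **kw):
    """Start ssh in the background. Run `vncviewer localhost::5900` afterwards
    and call proc.terminate() when you are done with the desktop."""
    proc = subprocess.Popen(tunnel_argv(remote_host, user, **kw))
    if not wait_for_local_port(kw.get("local_port", VNC_PORT)):
        proc.terminate()
        raise RuntimeError("tunnel did not come up; check SSH login and port 22 forwarding")
    return proc


# Constructed `ss -ltn` outputs: one exposed VNC server, one loopback-only.
EXPOSED_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*
LISTEN 0      5      [::]:5900           [::]:*
"""
LOCAL_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      127.0.0.1:5900      0.0.0.0:*
"""

if __name__ == "__main__":
    print("tunnel command:", " ".join(tunnel_argv("203.0.113.10", user="alice")))
    print("sample 1 VNC scope:", listener_scope(EXPOSED_SS, VNC_PORT))
    print("sample 2 VNC scope:", listener_scope(LOCAL_SS, VNC_PORT))
    # On the shared desktop itself:
    # real = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    # print(listener_scope(real, VNC_PORT))
```

If the check reports "exposed", either firewall TCP 5900 from everything except the loopback interface or configure the VNC server to listen on 127.0.0.1 only (consult your server's documentation for its listen-address option); then the only way in is through the SSH tunnel, which is what the "Require encryption" option is meant to guarantee.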

Secure Remote Desktop Session from a Windows System

First run PuTTY and then enter the IP address or host name of the remote host (or the external IP address of the gateway if you are connecting from outside the firewall). The next step is to set up the tunnel. Click on the + next to SSH in the Category tree on the left hand side of the dialog and click on Tunnels. The screen should appear as follows:

Enter 5900 as the Source port and localhost:5900 as the Destination and click on Add. Finally return to the main screen by clicking on the Session category. Enter a name for the session in the Saved Sessions text field and press save. Click on Open to establish the connection. A terminal window will appear with the login prompt from the remote system. Enter your user login and password credentials. The SSH connection is now established. Launch the TightVNC viewer and enter localhost::5900 in the VNC Server text field and click on Connect. The viewer will establish the connection, prompt for the password and then display the desktop. You are now accessing the remote desktop of a Linux system on Windows via a secure tunnel.

Find more information here:

For Windows operating systems the built-in remote desktop feature should be used. You can find instructions for this at You may also have to change port forwarding settings on the router box you use to connect to the Internet; this is explained on Another solution for remote access is the free tool TeamViewer ( which is available for all operating systems. A portable version of TeamViewer is available here: Other interesting portable software for remote controlling computers over the network:

ShowMyPC: ShowMyPC utilizes remote access technology in conjunction with an SSH forwarding client, enabling a user to share their desktop using only a password. No need to hand out your IP address. The remote user uses the viewer built right into the same software to access your desktop.

TightVNC: TightVNC is a popular open-source VNC viewer that can be stored and run as a portable VNC viewer. Virtual Network Computing (VNC) enables a user to view the desktop of a remote machine and control it with the mouse and keyboard from a local machine as if you were sitting right in front of the remote computer. To access a Linux remote desktop from a Windows system, the first step is to install a Windows VNC client on the Windows system. Note: TightVNC does save its changes back to the registry. So if you must avoid leaving any traces behind on the host PC, you'll need to delete these entries when you finish using the tool:


ZeroRemote: ZeroRemote is a free tiny Portable Remote Desktop Application containing both client and server utility in a single easy to use Remote Desktop Tool. The ZeroRemote Remote Desktop Utility uses minimal system resources and supports fully encrypted remote desktop control, transfer of files, remote audio playback, and more. DirectX is used for rendering and transferred files are automatically placed in the recv subfolder.

NeoRouter: NeoRouter Free Portable is a freeware Remote Desktop Client created by NeoRouter Inc. It can be used for Remote Desktop, Folder Sharing, Printer Sharing, Chat and more. It supports Windows, Linux, and Mac computers. NeoRouter Free is the server software that provides the "Virtual Private Network (VPN)" and will need to be installed on the computers that you will be connecting to. NeoRouter Free Portable is the client you will use to connect to those machines.

Comparing notes

The basic technique for documenting network censorship is to try to access a huge number of network resources, such as a long list of URLs, from various places on the Internet and then compare the results. Did some of the URLs fail to load in one place but not in another? Are these differences ongoing and systematic? If you have a reliable circumvention technology such as a VPN, you can do some of these experiments by yourself, by comparing how the net looks with and without circumvention. For example, in the United States, this was the method used to document how ISPs were disrupting the use of peer-to-peer filesharing software. These comparisons can be done with automated software or by hand.
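The comparison described above, as an added example that is not from the book: the same URL list is fetched from two places (for instance directly through your ISP and through a VPN), each result is recorded as "loaded or not" plus a hash of the page body, and the two records are compared. Hashing the body is what catches the common case where a blocked site still "loads" but returns a substituted block page with HTTP 200. The second function answers the "ongoing and systematic" question by keeping only URLs that failed in every one of several repeated runs. The record format, function names and sample results are constructed; no network fetches are made.

```python
"""Added example of the "comparing notes" method. Not the book's code; the
record format and the sample results below are constructed."""
import hashlib


def fingerprint(body):
    """Hash of the response body: a substituted block page differs from the real page."""
    return hashlib.sha256(body).hexdigest()


def record(ok, body=b""):
    """One fetch result: did the URL load, and what did the body look like."""
    return {"ok": ok, "fp": fingerprint(body) if ok else None}


def compare_vantage_points(here, there):
    """Compare two {url: record} dicts collected from different places.
    Returns lists of URLs, sorted, for each outcome."""
    out = {"failed_here_only": [], "failed_there_only": [], "failed_both": [],
           "different_content": [], "same": []}
    for url in sorted(set(here) | set(there)):
        a, b = here.get(url), there.get(url)
        if a is None or b is None:
            continue                      # not fetched from both places, skip
        if not a["ok"] and not b["ok"]:
            out["failed_both"].append(url)
        elif not a["ok"]:
            out["failed_here_only"].append(url)
        elif not b["ok"]:
            out["failed_there_only"].append(url)
        elif a["fp"] != b["fp"]:
            out["different_content"].append(url)
        else:
            out["same"].append(url)
    return out


def systematic_failures(runs, min_runs=3):
    """URLs that failed in every one of `runs` (repeated collections from the same
    place). One failure may be an outage; failing every time for days is the
    'ongoing and systematic' pattern worth reporting. Needs at least min_runs runs."""
    if len(runs) < min_runs:
        return []
    urls = set.intersection(*(set(r) for r in runs))
    return sorted(u for u in urls if all(not r[u]["ok"] for r in runs))


# Constructed sample data (the .example domains are reserved, nothing is fetched).
HERE = {   # fetched directly through the local ISP
    "http://news.example/": record(True, b"<html>front page</html>"),
    "http://blog.example/": record(False),
    "http://forum.example/": record(True, b"<html>This site is not available</html>"),
    "http://wiki.example/": record(True, b"<html>wiki</html>"),
}
THERE = {  # the same list fetched through a VPN exit elsewhere
    "http://news.example/": record(True, b"<html>front page</html>"),
    "http://blog.example/": record(True, b"<html>blog</html>"),
    "http://forum.example/": record(True, b"<html>forum</html>"),
    "http://wiki.example/": record(False),
}

if __name__ == "__main__":
    for outcome, urls in compare_vantage_points(HERE, THERE).items():
        print(f"{outcome:20s} {urls}")
    print("systematic here:", systematic_failures([HERE, HERE, HERE]))
```

On real pages the body hash will also differ for harmless reasons (rotating advertisements, timestamps), so in practice compare a normalised part of the page, such as the title or the first kilobyte of text, rather than the raw bytes, and treat "different content" as a prompt to look at both copies by hand.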

Packet sniffing
If you become familiar with the technical details of how Internet protocols work, a packet sniffer like Wireshark ( will let you record the actual network packets that your computer transmits and receives.

Dealing with Port Blocking
Network firewalls can be used to block all communications that are directed to a particular port number. This can be used to try to prevent the use of a particular protocol or kind of network software. To try to circumvent these restrictions, ISPs and users could arrange access to services at non standard port numbers. This allows software to circumvent simple port blocking. Many software applications can easily be made to use non standard port numbers. URLs for web pages have a particularly convenient way of doing this right inside the URL. For example, the URL would tell a web browser to make an HTTP request to on port 8000, rather than the default http port 80. Of course, this will only work if the web server software on is already expecting requests on port 8000. Testing for port blocking You can test which ports (if any) are blocked on your connection using Telnet. Just open a command line, type "telnet 5555" or "telnet 5555" and press Enter. The number is the port you want to test. If you get some strange symbols in return, the connection succeeded.

If, on the other hand, the computer reports that the connection failed, timed out, or was interrupted, disconnected, or reset, that port is probably being blocked. (Keep in mind that some ports could be blocked only in conjunction with certain IP addresses.)
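The same test, as an added example that is not from the book: a short Python script that makes the TCP connection telnet would make, with a timeout, and classifies the outcome the way the two paragraphs above do (connected; refused or reset; timed out; host unreachable), so several ports can be checked from your own connection in one go. Use it against a host you run yourself or that you know listens on the port in question, since a "refused" from a host that has no service there tells you nothing about blocking. The function names are constructed, and the demo uses a listening socket on your own machine so it runs offline.

```python
"""Added example of the port-blocking test. Not the book's code; names are constructed."""
import socket


def probe_outbound_port(host, port, timeout=5.0):
    """One TCP connection attempt from this machine, classified:
    'open'        connected (telnet would show the 'strange symbols')
    'refused'     the host answered with a reset: nothing listening, or a firewall that resets
    'timeout'     no answer at all, typical of a firewall silently dropping packets
    'unreachable' name resolution or routing failed before any packet reached the port
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:            # same as TimeoutError on Python 3.10+
        return "timeout"
    except OSError:
        return "unreachable"


def interpret(result):
    """The book's reading of each outcome, for a host known to listen on the port."""
    if result == "open":
        return "port reachable; not blocked on this connection"
    if result == "timeout":
        return "probably blocked (packets silently dropped)"
    if result == "refused":
        return "reached the host but connection refused or reset; blocked, or nothing listening"
    return "could not reach the host at all; check name resolution and routing"


def probe_ports(host, ports, timeout=5.0):
    """Probe several ports on one host; returns {port: result}."""
    return {p: probe_outbound_port(host, p, timeout) for p in ports}


def open_local_listener():
    """Constructed stand-in for a remote service: a listening socket on 127.0.0.1
    with a kernel-chosen port, so the demo needs no network. Returns (sock, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    sock, port = open_local_listener()
    # Port 1 is closed on any normal machine, so it shows the 'refused' case.
    for p, r in probe_ports("127.0.0.1", [port, 1]).items():
        print(f"127.0.0.1:{p} -> {r}: {interpret(r)}")
    sock.close()
```

Keep the caveat from the text in mind when reading results: a port that times out towards one host may connect fine towards another, because some blocking is applied only to particular IP addresses, so test the actual server you intend to use.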

File sharing technology
File sharing is the practice of distributing or providing access to digitally stored information, such as computer programs, multimedia (audio, images and video), documents, or electronic books. It may be implemented in a variety of ways. Common methods of storage, transmission and dispersion include manual sharing utilizing removable media, centralized servers on computer networks, World Wide Web-based hyperlinked documents, and the use of distributed peer-to-peer networking.

File hosting service
File hosting service, online file storage provider, or cyberlocker is an Internet hosting service specifically designed to host user files. It allows users to upload files that can then be downloaded by others. Typically, the services allow HTTP and FTP access. Related services are content-displaying hosting services (i.e. video, image, audio/music), virtual storage, and remote backup. Some online file storage services offer space on a per-gigabyte basis, and sometimes include a bandwidth cost component as well. Usually these will be charged monthly or yearly. Some companies offer the service for free, relying on advertising revenue. Some hosting services do not place any limit on how much space your account can consume. Some services require a software download which makes files only available on computers which have that software installed; others allow users to retrieve files through any web browser. With the increased inbox space offered by webmail services, many users have started using their webmail service as an online drive. Some sites offer free unlimited file storage but have a limit on the file size. Here are the most important document sharing websites: 1. 2. 3. 4. 5.

Here are the 15 Most Popular File Sharing Sites as derived from our eBizMBA Rank which is a constantly updated average of each website's Alexa Global Traffic Rank, and U.S. Traffic Rank from both Compete and Quantcast

One-click hosting, sometimes referred to as a cyberlocker, generally describes web services that allow Internet users to easily upload one or more files from their hard drives (or from a remote location) onto the one-click host's server free of charge. Most such services simply return a URL which can be given to other people, who can then fetch the file later on. In many cases these URLs are predictable, allowing potential misuse of the service. As of 2005 these sites have drastically increased in popularity, and subsequently many of the smaller, less efficient sites have failed. Although one-click hosting can be used for many purposes, this type of file sharing has, to a degree, come to compete with P2P filesharing services. Some of these services are used to send download links for large files by email. The sites make money through advertising or by charging for premium services such as increased downloading capacity, removing any wait restrictions the site may have, or prolonging how long uploaded files remain on the site. Many such sites implement a CAPTCHA to prevent automated downloading. Several programs aid in downloading files from these one-click hosters; examples are JDownloader, Tucan Manager and CryptLoad.

Here are the most popular one-click hosting web sites and their maximum file sizes: 400 MB; 2024 MB; 100 MB; 2024 MB; unknown (needs activated Java); 2024 MB; 2024 MB; 500 MB; store files up to 25 GB for free; 2024 MB; unlimited; 2024 MB; 100 MB; 100 MB; 2024 MB; 150 MB; 1 GB; 100 MB; unlimited; unlimited; unlimited; 500 MB; unlimited; unlimited; 5 GB; 20 MB; 100 MB.

BitTorrent (protocol): P2P file sharing
BitTorrent is a peer-to-peer file sharing protocol used for distributing large amounts of data over the Internet. BitTorrent is one of the most common protocols for transferring large files and it has been estimated that peer-to-peer networks collectively have accounted for roughly 43% to 70% of all Internet traffic (depending on geographical location) as of February 2009. As of January 2012 BitTorrent has 150 million active users according to BitTorrent Inc. Based on this the total number of monthly BitTorrent users can be estimated at more than a quarter billion. At any given instant of time BitTorrent has, on average, more active users than YouTube and Facebook combined. The BitTorrent protocol can be used to reduce the server and network impact of distributing large files. Rather than downloading a file from a single source server, the BitTorrent protocol allows users to join a "swarm" of hosts to download and upload from each other simultaneously. The protocol is an alternative to the older single source, multiple mirror sources technique for distributing data, and can work over networks with lower bandwidth so many small computers, like mobile phones, are able to efficiently distribute files to many recipients. A user who wants to upload a file first creates a small torrent descriptor file that they distribute by conventional means (web, email, etc.). They then make the file itself available through a BitTorrent node acting as a seed. Those with the torrent descriptor file can give it to their own BitTorrent nodes which, acting as peers or leechers, download it by connecting to the seed and/or other peers. The file being distributed is divided into segments called pieces. As each peer receives a new piece of the file it becomes a source (of that piece) for other peers, relieving the original seed from having to send that piece to every computer or user wishing a copy. 
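How the pieces and their hashes work in practice, as an added example that is not from the book: a Python script that cuts a payload into fixed-size pieces, builds the descriptor's "pieces" value the way a .torrent file does (the SHA-1 digest of every piece, 20 bytes each, concatenated in order), and then verifies pieces received from peers against it, discarding any piece whose hash does not match. This is the property the text goes on to describe: a peer may receive a piece from a complete stranger, yet a corrupted or substituted piece is detected before it becomes part of the file. The 16-byte piece length, the function names and the sample payload are constructed for the demo; real torrents use piece lengths from 16 KiB up to several MiB, and the descriptor is bencoded, which is omitted here.

```python
"""Added example of BitTorrent piece hashing and verification. Not the book's code;
piece length, names and the sample payload are constructed."""
import hashlib

PIECE_LENGTH = 16      # tiny for the demo; real torrents use 16 KiB and up
HASH_LEN = 20          # SHA-1 digest size, fixed by the protocol


def split_pieces(data, piece_length=PIECE_LENGTH):
    """Cut the payload into pieces; only the last piece may be shorter."""
    return [data[i:i + piece_length] for i in range(0, len(data), piece_length)]


def piece_hashes(data, piece_length=PIECE_LENGTH):
    """The descriptor's 'pieces' value: SHA-1 of every piece, concatenated.
    This is produced once by the uploader and travels with the .torrent file,
    which is why the descriptor must come from a trusted source."""
    return b"".join(hashlib.sha1(p).digest() for p in split_pieces(data, piece_length))


def piece_count(pieces_field):
    return len(pieces_field) // HASH_LEN


def piece_hash_hex(pieces_field, index):
    """The expected hash of piece `index`, as hex, straight from the descriptor."""
    return pieces_field[HASH_LEN * index:HASH_LEN * (index + 1)].hex()


def verify_piece(pieces_field, index, piece_data):
    """What a downloading peer does on receiving piece `index` from any peer:
    recompute SHA-1 and compare with the trusted descriptor."""
    expected = pieces_field[HASH_LEN * index:HASH_LEN * (index + 1)]
    return hashlib.sha1(piece_data).digest() == expected


def assemble(pieces_field, received):
    """Rebuild the file from {index: bytes}. Returns (data, bad_indexes); data is
    None if any piece is missing or fails its hash. A client would re-request the
    bad indexes from other peers rather than accept them."""
    bad = sorted(i for i, p in received.items() if not verify_piece(pieces_field, i, p))
    if bad or len(received) != piece_count(pieces_field):
        return None, bad
    return b"".join(received[i] for i in range(piece_count(pieces_field))), []


# Constructed 64-byte payload: exactly four 16-byte pieces.
SAMPLE_FILE = b"Constructed payload: the quick brown fox jumps over the lazy dog"

if __name__ == "__main__":
    descriptor_pieces = piece_hashes(SAMPLE_FILE)          # what the .torrent carries
    print("pieces:", piece_count(descriptor_pieces))
    for i in range(piece_count(descriptor_pieces)):
        print(f"  piece {i}: sha1={piece_hash_hex(descriptor_pieces, i)}")

    received = dict(enumerate(split_pieces(SAMPLE_FILE)))   # honest peers
    print("clean download ok:", assemble(descriptor_pieces, received)[0] == SAMPLE_FILE)

    tampered = dict(received)                               # one peer flips a bit in piece 2
    tampered[2] = bytes([tampered[2][0] ^ 0x01]) + tampered[2][1:]
    data, bad = assemble(descriptor_pieces, tampered)
    print("tampered download ok:", data is not None, "rejected pieces:", bad)
```

Note what the hash protects and what it does not: it guarantees that the file you end up with is the one the descriptor describes, byte for byte, but it says nothing about whether that file is what its name claims. The trust moves from the peers, who can be anyone, to the place you got the descriptor from.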
With BitTorrent, the task of distributing the file is shared by those who want it; it is entirely possible for the seed to send only a single copy of the file itself and eventually distribute to an unlimited number of peers. Each piece is protected by a cryptographic hash contained in the torrent descriptor. This ensures that any modification of the piece can be reliably detected, and