Privacy Defenses
Getting a little bit paranoid now? Of course, most sysadmins will not touch your email, but maybe you'd still like to take some precautions.
Sniffing
To defend yourself against other people tapping your line, you need to make sure that they cannot read the stuff they tap. This can be achieved through encryption.
The most common methods include:
- SSL - this is mainly used to protect web traffic. It is built into your web browser. You can easily recognize that you're accessing a page over SSL by the URL (https://) and by the sign your browser gives you. Netscape, for example, shows a little lock in the lower left corner. If this lock is closed, you're being protected. When you click on the lock, you can view some more information about the page.
If you're buying anything online with your credit card number, first check whether the shop uses SSL.
- SSH - this is only interesting if you access hosts remotely with telnet or rsh. ssh is a replacement for these which will also encrypt your session.
SSH is made by SSH Inc.
But you can also retrieve versions for various operating systems (including Windows) from here
- IPsec - this is IP layer encryption, meaning it will protect all the traffic going in and out of your computer, for example. You can only use this if the other side does so as well. This is useful if you want to access the office network from home or to protect the traffic between two separate offices.
For Linux you can use FreeS/WAN.
There's also a FreeBSD IPsec implementation.
Email
The same thing basically goes for email. The most commonly used program to encrypt emails is PGP. If you're inside the States you can get it from www.pgp.com; outside you can fetch it from www.pgpi.com.
PGP uses public key cryptography. This means that you do not have a single key (like a password) to encrypt your data. After all, if you had a safe way to tell your friend in New York what this secret password is, you might as well give him the whole message right away. Public key cryptography works with two different kinds of keys. One is your so-called secret key, which you keep to yourself at all times. The other one is called the public key. The public key can be given to anyone, put on a public keyserver or put up on your own homepage.

If you now want to send a message to your friend Bob in New York, you first get his public key (from Bob himself, or from a keyserver) and encrypt your message using this key. Then you send it to Bob. Only Bob can decrypt the message with his secret key. As you can see, this secret key never has to be transmitted.
Maybe you're wondering how you can make sure that the public key you got is indeed Bob's. It might not be. In the so-called man-in-the-middle attack, your secret enemy E intercepts Bob's public key when he first sends it to you and gives you his own public key instead. If you now encrypt the message to Bob with this key, E can decrypt it, read it, and then encrypt it again with Bob's real public key and pass it on to Bob. He could do this in both directions and you would never know that E is reading your email as well.

PGP has the option to sign keys. Say you know Carrol, who also knows Bob. Carrol has the public key of Bob, and since she received it from him in person, she's absolutely sure it's valid. She can then sign this key with her own key. Say you also have the public key of Carrol and you're very sure about this, since she gave it to you at dinner last night. You can now use her public key to verify the signature on Bob's key. Since you know Carrol and trust her, you believe that this is Bob's real key.
This way you can circumvent the man-in-the-middle attack. This signature scheme can be extended until it forms the so-called web of trust.
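The key-signing check described above, as an added Python sketch that is not part of the original page and is not PGP itself. It uses textbook RSA with fixed, constructed Mersenne-prime keys, and all function and variable names are made up for the illustration.

```python
# Added illustration: textbook RSA with fixed Mersenne primes, stdlib only.
# Toy code to show the certification logic; it is NOT PGP and not secure.
import hashlib

PUB_EXP = 65537  # common RSA public exponent

def keypair(p, q):
    """Return (public, secret) as ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, PUB_EXP), (n, pow(PUB_EXP, -1, phi))

def digest(owner, pub, modulus):
    """Hash the binding 'owner name + public key', reduced below the modulus."""
    data = f"{owner}:{pub[0]}:{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def sign_key(signer_secret, owner, pub):
    """The signer certifies that `pub` belongs to `owner`."""
    n, d = signer_secret
    return pow(digest(owner, pub, n), d, n)

def check_key(signer_pub, owner, pub, signature):
    """Anyone holding the signer's public key can check the certification."""
    n, e = signer_pub
    return pow(signature, e, n) == digest(owner, pub, n)

# Constructed keys (fixed primes keep the example deterministic).
carrol_pub, carrol_sec = keypair(2**89 - 1, 2**107 - 1)
bob_pub, _ = keypair(2**61 - 1, 2**127 - 1)
enemy_pub, enemy_sec = keypair(2**61 - 1, 2**89 - 1)

# Carrol received Bob's key in person and signs it.
sig_on_bob = sign_key(carrol_sec, "Bob", bob_pub)

def accept(owner, pub, signature):
    """Your policy: use a key only if Carrol, whom you trust, signed it."""
    return check_key(carrol_pub, owner, pub, signature)

if __name__ == "__main__":
    print("real key accepted:   ", accept("Bob", bob_pub, sig_on_bob))
    # A swapped-in key cannot reuse Carrol's signature on the real key ...
    print("swapped key accepted:", accept("Bob", enemy_pub, sig_on_bob))
    # ... and a signature E makes himself is not Carrol's signature.
    self_sig = sign_key(enemy_sec, "Bob", enemy_pub)
    print("self-signed accepted:", accept("Bob", enemy_pub, self_sig))
```

The check only helps because Carrol's own public key reached you over a channel E could not tamper with (the dinner in the text); the signature moves the trust problem to that one key.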
PGP also offers another feature. You can also use those signatures to sign texts or emails. This way someone else can use your public key to make sure it's really you who wrote this text.
Websites
Most of the dangers websites pose to your privacy can be avoided if you take a look at your browser's configuration. Make sure your browser is set not to give out your real name or your email address. You can also set your browser to ask you before accepting a cookie from a webpage.
There are also programs which help you manage cookies and make sure you don't tell the website where you're coming from. One of them is Junkbuster.
You can also find more information about cookies at www.cookiecentral.com.
12/04/1999 Stephanie Wehner