Wickr announces a firewall-circumventing tool to help beat national censorship regimes

Wickr, a private, secure messaging company, has teamed up with Psiphon (previously), a spinout from Citizen Lab (previously) to allow its users to communicate even when they are behind national firewalls. Read the rest

HTTPS Everywhere: Firefox plugin that switches on crypto whenever it's available

The Electronic Frontier Foundation and The Onion Router (TOR) project have teamed up to release a new privacy-enhancing Firefox plugin called HTTPS Everywhere. It was inspired by Google's new encrypted search engine, and it ensures that whenever you visit a site that accepts encrypted connections, your browser switches into encrypted mode, hiding your traffic from snoops on your local network and at your ISP. HTTPS Everywhere covers Google search, Wikipedia, Twitter,, Facebook, EFF, Tor, Scroogle, DuckDuckGo, Ixquick and other smaller search engines. It's still in beta (what isn't?) but I've been running it all morning with no negative side effects.

Encrypt the Web with the HTTPS Everywhere Firefox Extension

(Thanks, Hugh!)

Psiphon: critique from a crypto community member EFF, AT&T and Google all on the same side of this privacy fight ... What will happen to your crypto-keys when you die? Pirate Bay offering crypto tools to fight Swedish spying laws ... Scalia Scoffs at Calls for More Data Privacy Protection, Students ... Talking About AT&T's Internet Filtering on AT&T's The Hugh ... HOWTO protect your online privacy now that the Senate repealed the ... HOWTO use TOR to enhance your privacy Ada Lovelace Day hero: Cindy Cohn Read the rest

Grendel: free/open source software for protecting your cloud data

Marc Hedlund sez, "Wesabe just open sourced a project called Grendel that makes it easy for web apps to encrypt data using the user's login password, and only decrypt that data when the user is logged in. Let's say you're using a word processing web app and don't want your documents stored plaintext -- the web app could use Grendel to easily encrypt your docs for you, using OpenPGP. Log in and you can edit; log out and only you can get at the data again (since only you have your password). There are some hooks for encrypting with multiple keys if you want to share docs with selected other users on the system. Since people are throwing a ton of sensitive data in web apps these days I think having some tools to help make that safer would be a good thing."

Of course, data on web sites is usually shared with at least some other people in some way. Sometimes a user might want to share their information with the web site support staff, so the staff can help solve a problem or fix a bug. Or, the user might want to share their sensitive data with selected other users on the site, such as coworkers or family members. Grendel allows this, letting you encrypt data with multiple keys so that more than one user's password can gain access.

It's very easy to screw up when building a cryptography system -- check out Nate Lawson's excellent Google Tech Talk on common crypto flaws, or Matasano's Socratic dialog on similar topics, for a map of the pitfalls available to you, and us.

Read the rest

Lazyweb: turn the new version of Opera into an unstoppable grid of proxies for Iranians

Danny O'Brien's got a doozy of a lazyweb idea: "Here's a way to mash-up two of the most talked-about Internet issues today. Opera launched their web-server-in-a-browser, Opera Unite, today. Iranian protestors are looking for proxies to get around Iran's blocking.

So why not write a Opera Unite service that acts as a simple, quick-and-dirty proxy for Iranians? Danny O'Brien lays down the challenge."

Instead of a real http proxy (like Psiphon), the best implementation would simply let you append a URL to your Unite URL and get a website back, like "". That would get rid of handing over your cookies to an unknown third-party; it'd probably also discourage people using the service for private communications (no https, in Unite -- it'd be great if Opera fixed that!).

Maybe I'd also stick in a geoip check to make sure the incoming requests are coming from a known Iranian IP block, just so users could feel worthy that they're just catering to Iranians (you could pull them out of this free geolocation database). That way we wouldn't be creating a permanent global clunky, insecure proxy network -- or at least not until Iran recovers and starts its own phishing services.

I know I'm not a good enough JS programmer to pull this off, but the Unite JavaScript API certainly appears to permit cross-domain XMLHttp calls, and you can catch generic HTTP requests using'_request',somehandler,false);, so it is theoretically possible (and here I hand wave to the implementation Gods).

wanted: spartacus, an opera unite web proxy for iran

(Thanks, Danny! Read the rest

Psiphon: critique from a crypto community member

Yesterday, I blogged about a new for-profit 'net censorship evasion tool called Psiphon. A member of the anonymity development community reached out with concerns. I'm blogging them here in the interest of presenting the full range of views on this subject from people in the community.

I see that Boing Boing is discussing Psiphon. This greatly concerns me because of their lack of transparency and accountability. Psiphon imply (but refuse to state explicitly) that they are in the anonymity business, yet they do not even have a publicly stated privacy policy. They are vague about their security claims and, even assuming good faith, have not disclosed any useful information on their security model and implementation.

Aside from the fact that they are, as a for-profit company handling personal information, required under Canadian law to disclose their privacy policy, this lack of transparency leaves me with serious concerns about their motivations and competence. This is especially troubling when one considers that their entire product is essentially a centrally administered proxy run with software unknown to the users. What do they store? What do they claim? How can we verify? Nothing? Something? Everything?

To sign up for their service, one either has to know Psiphon or know someone who uses Psiphon; this necessarily requires a knowledge of relationships on their part. For many users, I suspect this is a minor risk that seems remote until one again considers that this is a for-profit company. Do they promise to do anything with any of this data?

Read the rest

New Web Censor Evasion Toolkit Launches: Psiphon

Update: Here's a critique of Psiphon from a crypto expert.

Mentioned in a NYT article by John Markoff about tools such as Tor used in places like China and Iran to route around internet censorship, this word of a new browser-based toolkit.

Political scientists at the University of Toronto have built yet another system, called Psiphon, that allows anyone to evade national Internet firewalls using only a Web browser. Sensing a business opportunity, they have created a company to profit by making it possible for media companies to deliver digital content to Web users behind national firewalls.

The danger in this quiet electronic war is driven home by a stark warning on the group's Web site: "Bypassing censorship may violate law. Serious thought should be given to the risks involved and potential consequences."

Psiphon is here, and on Twitter. Here's a snip from their launch press release:

At the heart of the new venture is Psiphon's Managed Delivery Platform (MDP), in which large-scale producers of content push their media through Psiphon's proprietary cloud-based system to consumers in denied environments.

On the user end, the free service is encrypted, requires no software to download, is multimedia capable, and can even work through mobile smart phone platforms, such as the iPhone.

Users can sign on to Psiphon in a variety of ways: through email invites from trusted friends and colleagues, for example, or through Psiphon's innovative "right2know" technology, which allows media producers to show consumers in censored environments content which is not available to them.

Read the rest

Surveillance of Skype Messages in China Documented in New Report UPDATED

Ron Deibert of the University of Toronto's Citizen Lab says,

The first Information Warfare Monitor/ONI Asia major investigative report has been released -- Breaching Trust: An analysis of surveillance and security practices on China's TOM-Skype platform, written by Nart Villeneuve, Psiphon Fellow, the Citizen Lab, at the Munk Centre for International Studies, the University of Toronto.

John Markoff of the New York Times has just released a story about the report: Surveillance of Skype Messages Found in China.

Major Findings of this report are as follows:

* The full text chat messages of TOM-Skype users, along with Skype users who have communicated with TOM-Skype users, are regularly scanned for sensitive keywords, and if present, the resulting data are uploaded and stored on servers in China.

* These text messages, along with millions of records containing personal information, are stored on insecure publicly-accessible web servers together with the encryption key required to decrypt the data.

* The captured messages contain specific keywords relating to sensitive political topics such as Taiwan independence, the Falun Gong, and political opposition to the Communist Party of China.

* Our analysis suggests that the surveillance is not solely keyword-driven. Many of the captured messages contain words that are too common for extensive logging, suggesting that there may be criteria, such as specific usernames, that determine whether messages are captured by the system.

As my colleague Rafal Rohozinski and I say in the foreword to the report, "If there was any doubt that your electronic communications -- even secure chat -- can leave a trace, Breaching Trust will put that case to rest.

Read the rest

University of Toronto releases censor-busting app

The University of Toronto's Citizen Lab has just release Psiphon, a censorship-defeating program. Like EFF's Tor, Psiphon uses ordinary users' computers as re-routers for Web requests, bouncing requests for blocked and censored material to computers outside the censorwall.

The code for psiphon is announced as being released under the GPL, the most common and preferred open/free license, but I couldn't find a source repository. The download page says that the code is licensed under the "psiphon code license (GPL)," which makes no sense to me. It also contains a lengthy "agreement" that you have to enter into to get at the download that seems a little off-kilter for GPL'ed code. They just launched -- maybe they'll clarify this soon (or take down the notice that this is all under GPL).

What is psiphon?

psiphon is a censorship circumvention solution that allows users to access blocked sites in countries where the Internet is censored. psiphon turns a regular home computer into a personal, encrypted server capable of retrieving and displaying web pages anywhere

What are psiphonodes, psiphonode administrators and psiphonites?? A psiphonode is a psiphon server that is operated by an administrator residing in an uncensored country (this is an integration of 'psiphon' and 'Node'). The psiphonode administrator is responsible for creating and managing user accounts and running the psiphon server. A psiphonite is a psiphon user, residing within a jurisdiction that blocks arbitrary web sites, and utilizes a psiphonode residing in an uncensored jurisdiction.

How does psiphon work? psiphon acts as a "web proxy" for authenticated psiphonites, retrieving requested web pages and displaying them in a user's browser.

Read the rest