Internet > Security Issues > Anonymizers >

How Anonymizers Work

Anonymizer sites access the Internet on your behalf, protecting your personal information from disclosure. An anonymizer protects all of your computer's identifying information while it surfs for you, enabling you to remain at least one step removed from the sites you visit.

You can see some of the wide range of data that websites can read from your browser, including your IP address and other identifying information, at the following sites:

The following sections describe the two basic types of Internet anonymizers, networked design and single-point design, and their common common features.

Networked anonymizers. As their name suggests, this type of anonymizer transfers your communications through a network of Internet computers between you and the destination. For example, a request to visit a web page might first go through computers A, B, and C before going to the website, with the resulting page transferred back though C, B, and A then to you.

The main advantage of the networked anonymizer design is that it makes traffic analysis -- a vulnerability of single-point anonymizers -- much more difficult. For example, analysis of the incoming and outgoing traffic of a single-point anonymizer could note that communications with your machine, even though the contents are encrypted, are closely synchronized in time with the anonymizer site's unencrypted communications with some particular website. If ten times in a row your communication with the anonymizer is followed milliseconds later by a request from the anonymizer to a particular site, and that site's response to the anonymizer is followed milliseconds later by an encrypted communication to you, then it is a good bet you made a visit that site. More sophisticated anonymizer traffic analysis could also perform matching on communication sizing -- matching incoming unencrypted traffic to outgoing encrypted traffic based on size of the communications.

Protections that Internet anonymizers can use to mitigate the risk of traffic analysis include: (a) add small but random delays to the passage of responses back to the user to make time matching more difficult; (b) make random requests to random pages across the web to pollute the pool; (c) have a large number of simultaneous users to make analysis more difficult; and (c) have a large cache of web pages so not all incoming requests have outgoing requests. It is not known if any anonymizer uses techniques to protect against communications sizing traffic analysis, such as sending continuous streams of noise traffic to connected users to disguise the real responses.

In practice, only large organizations are usually capable of the Internet network traffic interception and analysis required for this sort of eavesdropping, and they may not be interested in you, so this risk may not be of concern for those doing everyday surfing. Nevertheless, many security experts are uncomfortable with the unknown extent of the traffic analysis vulnerability -- who knows if an anonymizer site is being tapped or not, by whom, and what is being done with the records? The networked anonymizer design meets this threat by passing your communications through a preferably random path of other computers. This design has advantages, but also disadvantages, summarized below:

  • Advantage. Complication of the communications makes traffic analysis likely prohibitively complex. An eavesdropper would have to put in place the equipment and programs to watch all of the computers in the anonymizer's Internet network, likely a fluid group distributed around the world, and then solve a much more complex analysis.
  • Disadvantage. Any multi-node network communications has some degree of risk at each node for compromise of confidentiality, with the risk linearly related to the number of nodes. Networked anonymizers have the same problem -- at each computer in the anonymizer chain there is a risk that it has already been compromised by the owner or an intruder and the communications can be tapped.

The first networked anonymizer system was Zero Knowledge Systems, which provided a multi-server network design and provided a range of confidentiality features. Although the company closed in the fall of 2001 due to lack of financing, it was influential as an example of the concept's feasibility, and led to the establishment of EFF's Tor a few years later, the only currently known networked anonymizer.

Single-point anonymizers. This type of anonymizer passes your surfing through a single website to protect your identify, and often offers an encrypted communications channel for passage of results back to the user. Single-point anonymizers offer less resistance to sophisticated traffic analysis described above than do networked designs, but they also provide a compensating simplicity, organizational familiarity, and apparent trustworthiness. You can access your favorite anonymizer website, type in your destination, and the anonymizer does your surfing for you and passes the results back to your browser. Many single-point anonymizers create an anonymized URL by appending the name of the site you wish to access to their URL, something like the following:

http://anonymouse.org/cgi-bin/anon-www.cgi/http://www.yahoo.com/

With single-point anonymizers, your IP address and related identifying information are protected by the arms-length communications and not transferred to the sites you visit. If you are using a secure channel to the anonymizer, as most services offer, then your communications to the anonymizer site are also confidential to any local eavesdroppers tapping your Internet line connection or service provider -- essential if you have reason to suspect a local tap.

Common features. Both networked and single-point anonymizers share a range of design features. Most importantly, once you access a web page through an anonymizer, the page is filtered so that all of its links are also anonymized. Therefore, you can just continue to click on links and stay in the anonymizer mode. Most anonymizers can anonymize at least the web (http:), file transfer protocol (ftp:), and gopher (gopher:) Internet services.

There is an overhead with use of anonymizers, and they can add a second or more of delay depending on how busy they are. Some anonymizers keep a local cache of several hundred megabytes of commonly accessed sites to address this problem, and so occasionally you can actually get faster access to a site through the anonymizer. Chaining of anonymizer services is not recommended, since it simply multiplies your risk to confidentiality by the number of services and computers in the chain.

Note that unless you use an encrypted mode to the anonymizer, all your communications are in the clear and can be intercepted anywhere on the way from your computer to the anonymizer. Most anonymizers now offer encrypted communications to solve this problem.

___