I’ve submitted a pull request over on the Known project git repo that allows you to specify a CURL proxy connect string (which has since been merged).

If specified, this connection string will make all web service and web mention calls be sent via a proxy server.

This was a relatively small change, but is useful in many ways – for example, for communicating through a corporate firewall. It is also provides a way of routing Known to Known communication over TOR.

Why would you want to do this?

Well, this is part of an ongoing effort to harden Known against the new attack realities we face on the internet in the 21st century.

One of the things that the Snowden documents have revealed, is that the bad guys are particularly interested in harvesting everyone’s social graph – who knows who – so that they can, among other things, automate guilt by association.

Going to some lengths to hide this information from an attacker sitting on the wire, is therefore, a prudent thing to do.

Ok, how?

  • Install the TOR proxy on your server; this may just be as simple as typing apt-get install tor.
  • By default the tor package only installs the client, so you’ll need to modify the config to open up a SOCKS relay.
  • Next, tell your known site to use this relay; open your config.ini and set the proxy_string:
proxy_string = 'socks5://path.to.tor.proxy:9100'

Gotchas

Routing over TOR is only part of the solution of course. For the communication to be properly safe, you should also encrypt the communication using HTTPS.

Unfortunately, whether a connection is conducted over encrypted HTTPS or not is largely up to your friend’s webserver. But, you wouldn’t be silly enough to run unencrypted, right?

Given the numbers of nasty attacks that can be launched against an unencrypted web connection, the internet at large is now moving towards deprecating unencrypted port 80 HTTP. Google search results will now give preferential treatment to encrypted websites, so that’s another reason!

So, don’t be part of the problem. Have fun!

Today, Groklaw, a site responsible for, among other things, victory in the SCO patent troll attack on the Linux kernel, followed Lavabit and shut it’s doors. It did so because there is now no way to communicate securely on the internet; traffic is routinely intercepted, servers can be stolen and operators forced to reveal confidential sources.

This is the world we live in, and have been living in for a while now, but thanks to a whistleblower we are all forced to confront this reality.

So, as technologists, what can we do to protect ourselves and our loved ones?

Truth is there is no silver bullet, but that doesn’t mean we just give up and go home. While the technology is only a small part of the issue here, it is something that we as technologists and makers are in a position to do things about.

While we work to solve the political problems that have caused this current situation, I think that we need to work towards making cryptography ubiquitous. Analysis of some of the leaked material already suggests that if the level of cryptographic content was raised, it would raise the cost of analysis by government agencies to an impractical level, and at the very least we’d remove “use of encryption” as grounds for suspicion.

When we build systems we need to decentralise, so there’s no one server and operator to intimidate. We need to protect content and metadata, because who talked to whom, and where, is still sensitive information. We need to work on the UX of the systems that are available, so that cryptography isn’t something someone who just wants to use the computer needs to think about. Think of these sorts of things as safety equipment, like seat belts or airbags. They should just work, without the operator having a degree.

Don’t be this guy.

We needed to think about this stuff before the first sharpie hit the paper.

Coulda, shoulda, woulda….

In the mean-time, we need to use the tools that we have. Make security and cryptography ubiquitous. As technologists, we have the knowledge to protect ourselves (and if you’re not already, you’ve got no excuse), but we also have a duty to help our friends, neighbours and family as well.

So, encourage your friends to use encrypted email and OTR messaging on IM, explain why it’s important while helping them install and use the plugin. Install HTTPS Everywhere on your mum’s computer. Talk to your neighbours about the dangers of the guilt by association fallacy in relation to communication metadata while installing the TOR browser bundle on their laptop.

You get the idea, friends don’t let friends use cleartext!