GoogleSharing, Now With No Trust Required
An anonymous reader writes "GoogleSharing, the popular Google anonymizing service created by well-known privacy advocate and security researcher Moxie Marlinspike, has released a major new version today. The biggest change is leveraging Google's SSL search option to provide an anonymizing service which doesn't require you to trust either Google or GoogleSharing. This means that anyone who wishes to opt out of Google's data collection practices can now do so without having to trust the operator of the anonymizing service."
Suddenly, it doesn't feel like '1984' anymore! (Score:2)
Re:Suddenly, it doesn't feel like '1984' anymore! (Score:5, Insightful)
A great day for liberty!
That is of course until someone in Washington decides it's a security risk because terrorists could use it to plan their attacks. You know that will happen.
Re:Suddenly, it doesn't feel like '1984' anymore! (Score:5, Insightful)
The worst part is, they're right. As it turns out, the exact same kinds of privacy we want for the right reasons, the bad guys want for the wrong reasons.
Re:Suddenly, it doesn't feel like '1984' anymore! (Score:4, Interesting)
I would think the same privacy they want for the right reasons you want for the right reasons. To be able to have privacy.
Re: (Score:2)
The problem there is that if there was ubiquitous monitoring of internet and email, how would you get in touch with the person on craigslist to arrange the purchase?
(somewhat pedantic paranoia, but it is a somewhat legit question!)
Re: (Score:2)
I agree wholeheartedly.
Re:Suddenly, it doesn't feel like '1984' anymore! (Score:5, Insightful)
We already decided as a nation, over 200 years ago. I'm not having a hard time walking the line between freedom and oppression, nor is anyone else who is not in a position to lose power if freedom wins. Ben Franklin was right.
Re: (Score:2)
We already decided as a nation, over 200 years ago.
No we didn't.
http://books.google.ca/books?id=lmXIMZiU8yQC&pg=PA155&lpg=PA155&dq=latent+ambiguities+lessig&source=bl&ots=wR-XRpD40t&sig=uFZTqE_jsB4FiJ5EKJclyZuaNto&hl=en&ei=AoOqTMnfDYuosQPu2p3aAw&sa=X&oi=book_result&ct=result&resnum=1&ved=0CBQQ6AEwAA#v=onepage&q=latent%20ambiguities%20lessig&f=false [google.ca]
Re: (Score:2)
Ah, the ever-quotable Ben Franklin. While I agree with your sentiment, other people have other views:
"The constitution is not a suicide pact"
Robert H. Jackson
-Supreme court justice
Re: (Score:2)
Ben Franklin was right about a LOT of things, like Electricity. As was Thomas Jefferson about a great many things. They don't teach these fundamentals in schools now because corporations have decided it is against their better interest.
All this IP law is totally disgusting. That's another thing Ben Franklin was right about.
Re: (Score:2)
I'm happy that my daughter is too young to understand what's going on in the world. I guess ignorance is bliss but once you become aware of reality it's hard to go back to ignorance again.
Ignorance is bliss, regardless of age.
Just last year I explained all this Internet privacy concern to my father. I don't think he liked what he learned. Sometimes I really do wish I were just another one of the happy-go-lucky sheeple, because, given the state of the world, "being aware" is just so damn depressing.
There's this choice ... "if you had to choose, would you rather be smart or happy?" After having given that some thought, I'm convinced smarts has a negative impact on happiness. :-(
wisdom from Kennedy (Score:2)
> Just last year I explained all this Internet privacy concern to my father. I don't think he liked what he learned. Sometimes I really do wish I were just another one of the happy-go-lucky sheeple, because, given the state of the world, "being aware" is just so damn depressing. There's this choice ... "if you had to choose, would you rather be smart or happy?" After having given that some thought, I'm convinced smarts has a negative impact on happiness. :-(
Perhaps, but the bliss of the ignorant will endure only as long as there are enough smart and educated people resisting the many tendencies to drive everyone into servitude and constraint.
"Liberty without learning is always in peril; learning without liberty is always in vain." - J.F.Kennedy, 18 May 1963.
Liberty and learning go hand-in-hand. Separate them, and you lose both.
Re: (Score:2)
"if you had to choose, would you rather be smart or happy?" After having given that some thought, I'm convinced smarts has a negative impact on happiness. :-(
Lisa Simpson on Happiness vs Intelligence [flowingdata.com]
Re: (Score:2)
I guess what I'm saying is, one should probably take the forget-it-coloured pill *unless* one has the stamina to go and change all that's wrong in the world. Otherwise, misery.
Re: (Score:1)
They also have no idea who those people are, so that information in their archives is worthless.
I'm probably earning a "whoosh" here, tho.
Re: (Score:3, Interesting)
Grammar and spelling as a virtual fingerprint...
I don't believe anything could go wrong at all.
In any event, I am afraid it is time to unveil your true identity using the grammar and spelling footprint technique. I say to you Mr. Abraham Lincoln... how does it feel to be unmasked by your own musings!
Re:Suddenly, it doesn't feel like '1984' anymore! (Score:5, Funny)
Oh gods... as one of the three people on the internet that knows the difference between "lose" and "loose," they'll have no problem tracking me down!!!
Re: (Score:2)
Come on, don't loose your temper over this, you just need to lose your pants a little and relax. Everybody knows the difference between lose and loose, it's really obvious. One has 2 o's in it, but they both mean the same thing... really.
Re: (Score:2)
Quoth: "but they both mean the same thing... really."
No they do'nt!!!! And your a looser if you beleive that.
Heh, I always do'nt not feel better after Ive' losed of some energy.. As if I could care less. ;-)
Re: (Score:2)
The'y do mean the same thing! Look it up! It's in the dictionary! And all!
Their are many comon uses' of the word loose, the most comon is the same as lose. Identical! Word' for... word!
Re: (Score:2)
I see you good Sir, went to Harvard. I'm more of a Brown man myself. I say good day to you!
Re: (Score:2)
Don't worry. Neither I nor the other person works for a TLA.
Re: (Score:2)
> I don't believe anything could go wrong at all.
Advertisers, who are the only ones Google cares about, can tolerate quite a bit of inaccuracy in their targeting. All that they are going to do with "fingerprinting" is cluster searches together as probably having come from the same person. Being wrong 10% of the time is no great loss to them. To me "targeted" ads are of no consequence at all as I see no ads anyway
do you know how instant search works? (Score:4, Interesting)
they pass each keystroke in real time to the servers.
go ahead, type carefully..
they'll see each letter as typed and "fingerprint" you that way
the typing speed and corrected misspellings even without you hitting 'search'
Re: (Score:1)
Not if you block JavaScript.
Re: (Score:2)
> just type it all out in another window (text editor would be easiest), proof it carefully, then copy/paste.
Or even easier, use the built-in search entry bar in Firefox (to the right of the location bar). It only gets transmitted when you hit Enter or click on the magnifying glass icon. Couple that with the Scroogle Firefox add-on and you're searching anonymously and SSL-encrypted (FWIW):
https://addons.mozilla.org/en-US/firefox/addon/12506 [mozilla.org]
Always wondered though, if you can still do an anonymous search i
Re:Suddenly, it doesn't feel like '1984' anymore! (Score:4, Interesting)
That will all get noted and linked back to a friend of a friend of a friend who has been flagged as a person of interest.
http://webcache.googleusercontent.com/search?q=cache:5jex52BhXYEJ:wikileaks.org/wiki/EU_social_network_spy_system_brief,_INDECT_Work_Package_4,_2009+INDECT+Work+Package+4&cd=1&hl=en&ct=clnk [googleusercontent.com] as
http://wikileaks.org/wiki/EU_social_network_spy_system_brief,_INDECT_Work_Package_4,_2009 [wikileaks.org] seems to be down. The NSA/GCHQ etc. don't care where/how the text comes from, public/private/mirrored etc., just keep it flowing in a usable form. Add in voice chat too
Re: (Score:2)
"Bam" what?
There is still man-in-the-middle attack (Score:3, Interesting)
Isn't there?
Re: (Score:2, Informative)
The content is SSL protected, so not unless the GoogleSharing proxy operator has an SSL exploit.
Re: (Score:2)
Unless GoogleSharing is playing the attack.
Re: (Score:2)
If the traffic goes through GoogleSharing, then it is the man in middle who can obtain knowledge of the session keys easily, and therefore can see all traffic.
Re: (Score:3, Insightful)
You don't know how SSL works do you?
Actually, I'm not really sure why I phrased that as a question. You don't. To get started, look up public key cryptography.
Re: (Score:2)
This is really laughable.
I suggest you understand what a man-in-the-middle attack [wikipedia.org] is first.
Re: (Score:2)
What do you think the entire purpose of SSL is? Educate yourself: [wikipedia.org]
You can't man-in-the-middle shit if you can't break RSA, or don't have Google's private key. Read up on this shit before you make yourself look even more of a fool. Ignorance is forgivable but actively avoiding the truth is not.
Re: (Score:2)
Why don't you read up on how SSL works? Or hell, just read up on what it's even meant for. The only reason it is used is because people assume other people are going to try exactly as you suggest. It is all about establishing secure connections over insecure ones. The assumption that there is somebody between you and the party you're talking about is implicit.
Googlesharing can't read your traffic because it's encrypted. You can confirm that it's encrypted, and encrypted by and only by google, by checki
Re: (Score:3, Insightful)
Here's the quick rundown:
You contact Google's server through the proxy, and the server sends you Google's public key. This key isn't secret, so it doesn't matter if the proxy gets it, too.
Now you use their public key to encrypt a message telling them the symmetric encryption key you want to use for the rest of the communication. Only Google can decrypt that message, so only you and Google will know the key to use to decrypt the rest of your communications.
A man in the middle attack is only possible if Googl
Re: (Score:2)
It is sure as hell better than the alternative, which is nothing. The only provably secure crypto are OTPs, and that won't get you a secure key exchange on an insecure network.
All other ciphers are liable to fall to future discoveries.
Re: (Score:2)
It's not just because key exchange is difficult... secure key exchange with a OTP is impossible unless both parties already have the same pad.
But hey, let's consider that it's possible to exchange a 256-bit AES key provably securely with a OTP with somebody you don't have prior arrangements with. What are you going to do next, use AES? All your provable security is for naught if you do that!
Do you know what size OTP you need to transmit a 1 MB OTP? 1 MB.
Due to the very well established and mathematically
Re: (Score:2)
The result is that Google knows what is being searched for, but doesn't know where the requests are coming from. The GoogleSharing proxy can tell where requests are coming from, but can't tell what the content of the requests is.
It's like Heisenberg's Uncertainty Principle for the internet!
Re: (Score:2)
Such insolence! That "little banner" is the very thing that makes them hacker-proof!
Re: (Score:1)
The man-in-the-middle is there, but he can't do anything, because of the way SSL works. There is no man-in-the-middle attack. Very good question though!
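The argument of this subthread as a toy model, added here as an example (it is not GoogleSharing's code and not from any poster): a relaying proxy sees who is asking but only ciphertext, the server sees the query but only the proxy's address, and a proxy that swaps in its own key is caught by the client's key check. Assumptions: textbook RSA over known Mersenne primes and a hash-XOR keystream stand in for the real SSL handshake and cipher, a pinned key fingerprint stands in for CA certificate validation, and all names and IP addresses are constructed.

```python
# Added illustration: toy model of client -> proxy -> server. NOT real TLS.
import hashlib
import secrets

E = 65537
# Known Mersenne primes, chosen only so the example is reproducible offline.
SERVER_PRIMES = (2**127 - 1, 2**89 - 1)
PROXY_PRIMES = (2**107 - 1, 2**61 - 1)
PROXY_IP = "198.51.100.10"  # constructed (documentation address range)


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for textbook RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def fingerprint(public):
    """Hash of the public key; stands in for CA validation of the certificate."""
    return hashlib.sha256(f"{public[0]}:{public[1]}".encode()).hexdigest()


def keystream_xor(key, data):
    """Illustrative symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def client_send(query, offered_public, trusted_fp):
    """Check the offered key, wrap a fresh session key with it, encrypt the query."""
    if fingerprint(offered_public) != trusted_fp:
        raise ValueError("offered key does not match the trusted fingerprint")
    n, e = offered_public
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return wrapped, keystream_xor(session_key, query)


def server_receive(wrapped, ciphertext, private):
    """Only the private-key holder can unwrap the session key."""
    n, d = private
    session_key = pow(wrapped, d, n).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)


def run_passive_proxy(query, client_ip):
    """Proxy relays bytes unchanged. Returns (what proxy saw, what server saw)."""
    server_pub, server_priv = make_keypair(*SERVER_PRIMES)
    # The client already trusts the real server key's fingerprint.
    wrapped, ciphertext = client_send(query, server_pub, fingerprint(server_pub))
    proxy_view = {"client_ip": client_ip, "public_key": server_pub,
                  "relayed": (wrapped, ciphertext)}
    server_view = {"source_ip": PROXY_IP,
                   "query": server_receive(wrapped, ciphertext, server_priv)}
    return proxy_view, server_view


def run_active_proxy(query):
    """Proxy swaps in its own key; the client's check is what stops it."""
    server_pub, _ = make_keypair(*SERVER_PRIMES)
    proxy_pub, _ = make_keypair(*PROXY_PRIMES)
    try:
        client_send(query, proxy_pub, fingerprint(server_pub))
    except ValueError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    seen, served = run_passive_proxy(b"q=constructed search terms", "203.0.113.7")
    print("proxy saw :", seen["client_ip"], seen["relayed"][1].hex())
    print("server saw:", served)
    print("key swap  :", run_active_proxy(b"q=constructed search terms"))
```

If `client_send` skipped the fingerprint comparison, `run_active_proxy` would return "accepted", which is the case the thread is arguing about.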
Why not just not have a Google account? (Score:2)
Google search and news work fine without one.
Re: (Score:2)
Don't think that just because you haven't got an account, they haven't got an "account" on you.
Re: (Score:2)
That would be a silly waste of their resources.
Re:Why not just not have a Google account? (Score:4, Insightful)
You do know what Google's business model is, right?
Re: (Score:2)
Google is an advertising agency. I see no ads.
Re: (Score:3, Insightful)
I'm certain there are statistical techniques that can be used to tie separate unique, "unrelated" sessions back together when they come from the same user. Some websites expose their account usernames to Google, which can provide near-sure matches.
Certain users habitually use Google to get to their favourite sites because it's literally quicker than typing a URL, and many of those probably use the same abbreviations for those sites each time. My ex-girlfriend used to get to Facebook by typing "face" into Go
Re: (Score:1)
I imagine you're still tracked by your IP address, by cookies, and/or any other methods I don't know about.
Re: (Score:2)
> I imagine you're still tracked by your IP address...
Dynamic. They might be able to tie clusters of my searches together that way. So what?
> ...by cookies...
No cookies, no scripts.
> ...and/or any other methods I don't know about.
Which would be just as likely to work through this thing. Browser fingerprinting would be one such. It would let them tie all of my searches together. So what?
Re: (Score:1)
What about cookies and IP address?
Doesn't Support Google Chrome (Score:2, Funny)
I do all my browsing in Google Chrome and don't want Google to know about me when I use my Gmail, Google Voice, Google Transit, Google Maps, or just plain Google. The fact that it's only supported in firefox doesn't help out people like me.
Re: (Score:1, Informative)
> and don't want Google to know about me when I use my Gmail, Google Voice, Google Transit, Google Maps, or just plain Google
If it requires you to be logged in (such as Gmail), GoogleSharing doesn't help you. This is intended for Google services that can track you without an account, such as search.
Re: (Score:1, Informative)
Is this sarcasm? By virtue of using personalized login-required services like Gmail and Voice, you cannot hide information about you.
Chrome users can install these two Google extensions for further privacy:
Disclaimer: These two extensions rely on you trusting Google. Neither of them achieves what TFA intends to do.
Re: (Score:2)
If you really hold such distrust for google that you need to jump through all these hoops perhaps you should use the services of another company instead.
Other search engines are available.
Re: (Score:2)
> Other search engines are available.
Bing?
Trademark issues* (Score:1)
While I appreciate (the existence of) the service, methinks this is a trademark suit just begging to happen. I mean take a look at their logo [googlesharing.net] [png graphic]. It really looks like an official Google site. In this age of massive information sharing, I have my doubts about patents and copyrights in general.
However with patents, I'd give the trademark owner the benefit of the doubt (you're not necessarily evil if you sue for trademark infringement), unless your trademark happens to be a pure (uncombined) dictio
My favorite part (Score:3, Informative)
Re: (Score:1)
Except in the browser extension, I guess ...
My God Google is really starting to scare me (Score:2)
I got an Android phone a month ago and that damned thing does everything in its power to get you to enable "total information awareness" settings. Every time I use Google Maps I've got to proactively stop it from sharing my location information. Apps like this will be a blessing as soon as we see a more complete suite of pro-privacy variants come into being.
Re: (Score:2, Funny)
Google is your god? :-)
Re: (Score:2)
Yeah well. I'm on the Android platform myself, but have a more resigned approach because at some point the whole exercise becomes absurd. But then, I'm not really the target audience: I just wanted a modern pda, not a googlephone; sadly pda's don't exist any more. And even more sadly, the OpenMoko and similar truly open initiatives failed to produce a device that's workable in practice (the OM is awesome, but not exactly stable or long-lived).
Re: (Score:2)
It is turned off. My point is, it keeps trying to turn itself back ON!!! Thanks for your moronic anti-fanboy non sequitur, though.
Yo Dawg! (Score:2)
Yo Dawg! I heard you anonymize the non-anonymous SSL, so now anonymous can opt-out and be an anonymize anonymous.
Re:No, not Really? (Score:5, Informative)
"The biggest change is leveraging Google's SSL search option to provide an anonymizing service which doesn't require you to trust either Google or GoogleSharing."
Kids today...
Re:No, not Really? (Score:5, Funny)
Let me refer you to the second sentence of the summary:
Look old man, if it was important, it would be in the FIRST sentence because that's how we kids do it these days even if it means run on sentences and now I'll get off of your lawn.
Re:No, not Really? (Score:5, Funny)
Bro, more than 140 characters? Gimmie a minute, I need to check like three other services.
Re:No, not Really? (Score:5, Interesting)
Let me refer you to the second sentence of the summary:
"The biggest change is leveraging Google's SSL search option to provide an anonymizing service which doesn't require you to trust either Google or GoogleSharing."
Wow.
You are right. That says I don't have to trust Google or GoogleSharing. ... assuming I trust the entity that makes that claim.
Oh. The entity making the claim that I don't need to trust GoogleSharing is GoogleSharing. Neat.
So if I don't trust googlesharing, why would my distrust be satisfied by the fact that they claim I don't need to trust them? That makes about as much sense as a fly asking the spider if he can take a nap on the web... the spider said he wasn't hungry... I guess there's nothing to worry about. :facepalm
Now, if you had instead referred me to the googlesharing FAQ:
http://googlesharing.net/faq.html#faq6 [googlesharing.net]
"If you're still worried, remember that the GoogleSharing addon and proxy code is publicly available. So it's possible for you to run a GoogleSharing proxy yourself, or to find someone who you do trust."
That's at least a step in the right direction. I can inspect and run the software on a server I do trust.*
And if I use the GoogleSharing servers, then I do still need to trust GoogleSharing to be running the software they claim to be running. I expect they are worthy of that trust but you still have to trust them unless you are running your own server after inspecting the source.*
** And you will need to find a bunch of people who trust YOU using your server for you to derive any privacy benefit from running your own server. Bit of a catch-22 there.
Re: (Score:3, Informative)
No you don't, that's the difference between this version and the previous version. (I know, I know, RTFS is for wimps...) Unless their servers are using a previously unknown SSL exploit* then all you need to do is make sure the cert is correct. That's the thing with SSL, you only need to trust the CA. For the same reason that you don't have to trust your ISP (and every s
Re: (Score:2)
Equivocate much?
Re: (Score:2, Insightful)
Well, you also have to trust the Firefox extension (or read and understand the code, and trust your ability to find issues if there are any).
Re: (Score:2)
Flowers would be nice...
Re:No, not Really? (Score:4, Insightful)
for that matter: Welcome to Slashdot, where people think scepticism is a good replacement for education and intelligence.
It seems like half the commenters here may have at least RTFS, but simply don't know what SSL is.
Re: (Score:2)
Welcome to slashdot, where people incorrectly [wiktionary.org] think there can be only one correct spelling for a word.
Re:Not a Rhetorical Question (Score:5, Informative)
From GoogleSharing's FAQ:
Why not use Anonymizer or any other anonymizing proxy service?
General purpose anonymizing proxies are designed for something else.
1. Most will mask your IP address, but not the identifying information in your HTTP headers. Google will still know who you are based on your Cookies, User Agent, etc...
2. If the proxy does attempt to anonymize HTTP headers, they will do it by completely stripping cookies from your request. Google does not like this, and will tag you as a SPAM bot (how convenient for them to do), which will force you to type in a CAPTCHA every time you issue a Google search, and will prevent you from issuing Maps requests at all.
3. These types of proxies can be slow. It's not necessary to proxy all of your internet traffic if you're just trying to protect yourself from Google. Since GoogleSharing only proxies Google traffic, our bandwidth needs are much lower and thus our performance is much greater.
Re: (Score:2)
From GoogleSharing's FAQ:
Why not use Anonymizer or any other anonymizing proxy service?
General purpose anonymizing proxies are designed for something else.
1. Most will mask your IP address, but not the identifying information in your HTTP headers. Google will still know who you are based on your Cookies, User Agent, etc...
2. If the proxy does attempt to anonymize HTTP headers, they will do it by completely stripping cookies from your request. Google does not like this, and will tag you as a SPAM bot (how convenient for them to do), which will force you to type in a CAPTCHA every time you issue a Google search, and will prevent you from issuing Maps requests at all.
3. These types of proxies can be slow. It's not necessary to proxy all of your internet traffic if you're just trying to protect yourself from Google. Since GoogleSharing only proxies Google traffic, our bandwidth needs are much lower and thus our performance is much greater.
For reference, Scroogle strips the headers, addressing GS's point #1, and then generates dummy cookies that prevent point #2 from being a problem. There's no noticeable difference in speed between direct Google and use of Scroogle, which like GS doesn't proxy non-Google traffic, and has a more efficient default search result screen than Google itself.
The other responses to my reasonable question (which got modded troll because...well I have no idea) actually pointed out meaningful differences, though. Scro
Re: (Score:2)
Numbers 1 and 2 are lies. Tor insists you should use the Torbutton add-on for Firefox in order to address these problems. Cookies from Tor-mode and non-Tor-mode are segregated from each other. So cookies work fine while using Google anonymously - I just tested it and there were no CAPTCHAs.
Re: (Score:2)
To refine this post's sibling, Scroogle sets an SSL between you and them, not you and Google, like GoogleSharing does (GS just anonymizes the encrypted connection).
Re: (Score:2)
Download extension. Unzip it. Read the code.
Who exactly do you need to trust?
Re: (Score:2)
Who exactly do you need to trust?
Ken Thompson? Reflections on trusting trust [bell-labs.com].
Re: (Score:2)
To any non US state/federal/hacker your text https to google I think?
Re: (Score:1)
I think it basically acts as NAT router: It makes your browser send the encrypted data to GoogleSharing, then GoogleSharing just replaces the IP addresses so that the destination is Google and the source is GoogleSharing. For the return packets the IP addresses are changed the other way, so you get the packet back from GoogleSharing. All other functionality (like not sending any information from your cookies or manipulating User Agent) can be implemented locally at your browser by the extension.
Disclaimer:
Re: (Score:2)
Anyway you look at it even if the proxy on offer is 100% safe, who is next door?
As for the "out-of-context quote" and the Google MAC map making efforts, long term cookies, telco tracking etc., it's all a pattern.