JonDo

from Wikipedia, the free encyclopedia
JonDo / Java Anon Proxy (JAP)
Basic data

developer Technical University of Dresden , University of Regensburg , JonDos
Current  version 00.20.001
(December 18, 2016)
operating system platform independent
programming language Java
category Web anonymizer
License BSD license
German speaking Yes
www.anonym-surfen.de , anon.inf.tu-dresden.de

JonDo is a web anonymizer that is being further developed by JonDos GmbH. The name is a reference to John Doe - the English placeholder name for unknown people. The service emerged from the Java Anon Proxy (since Java is a trademark of Sun Microsystems and could no longer be used, usually only the acronym JAP was used) of the AN.ON project , in which the Technical University of Dresden , the university Regensburg and the Independent State Center for Data Protection Schleswig-Holstein have researched. After the state funding for the project ended in 2006, some project employees founded JonDos as a start-up company and thus continued the service. JonDo is distributed as free software under the three-clause BSD license .

functionality

The user enters the local address of the JonDo client as a proxy server in the application to be anonymized (especially the web browser ). This client takes care of the communication with the mixes of the selected cascade - in particular, it takes over the necessary encryption . For this purpose, the client exchanges its own secret key with each mix of the cascade , so that the individual key is only known to exactly one mix and the client. With these secret keys, the data to be sent is now encrypted several times and this multi-encrypted data is sent to the first mix of the cascade. While this data now goes through the cascade, each mix decrypts this data with the secret key known to it. After the last mix has carried out this process, the plaintext data is visible to it (if there is no end-to-end encryption on it) and it sends it to the intended recipient. The receiver sends response data to the last mix in the cascade. The mixes encrypt the response data one after the other in the receiving direction with the respective secret key. After the response packet has completely gone through the cascade backwards and has been passed from the first mix to the JonDo client, the latter decrypts the packet several times and then forwards the decrypted data to the application.

You are anonymous to external observers within the user group of the same mix cascade. More heavily used cascades thus create greater anonymity. The anonymity towards the operators of the mixes, however, depends on the number of mixes in the cascade and the trust in their individual operators that they do not work together. Only when all the mixes in a cascade work together can the source IP addresses of the requests known only to the first mix be assigned to the requested websites known only to the last mix, so that all user actions are deanonymized . Since law enforcement authorities or other state institutions can enforce such cooperation between the mix operators, an international diversity of the mix operators in a cascade is also beneficial for anonymity.

Advantages and disadvantages of the anonymization model

In contrast to some other anonymization services such as Tor , JonDo is based on the concept of fixed mix cascades. In theory, this model is safe even with complete monitoring of the underlying network. In comparison, everyone in the Tor network can provide their computer as an anonymization node. Tor is therefore susceptible to large-scale surveillance systems based on large server farms, with which a US secret service co-operates the anonymization network on a large scale. In the practical implementation of a real-time anonymization service, there are also problems with JonDo, since not all the necessary mixed functions can be performed (sufficiently well). The practical attacker model is therefore much more limited: Security can only be achieved against attackers who can monitor the network locally at one point. On the other hand, attackers who can eavesdrop on all communications before the first and after the last mix of a cascade are able to fully understand the actions of the users of this mix cascade. The situation for such attacks is simplified because there is only a very limited number of mixed cascades, so that the attacker only needs to be present at a few points in order to deanonymize all communication processed via JonDo. Increasing the number of mix cascades as a countermeasure is problematic because the basic model assumes that as many users as possible are active at the same time via a mix cascade in order to keep the anonymity group large - more mix cascades would make the user groups per cascade smaller.

On the other hand, the mix cascade model with the manageable number of mix operators has the advantage that the operators can be checked more intensively. This guarantees a higher level of security compared to the mix operators themselves (in contrast, for example, to the gate node operators).

Mix operator

JonDos relies exclusively on certified mix operators. These must identify themselves to at least one of the currently two certification bodies ( JonDos , AN.ON ) and enter into an operator contract. The purpose of this contract is both to ensure the anonymity of the users and the independence of the mixed operation from JonDos. In this way, cascades of independent mixes can be set up without a central authority such as JonDos or another of the certification bodies having control over these mixes.

There is an international spectrum of mix operators, with the focus on Germany. The operation is carried out by private individuals as well as by companies and organizations, especially in the field of data protection. Among the operators are the original project partners of the AN.ON project (Technical University Dresden, Independent State Center for Data Protection Schleswig-Holstein), JonDos himself, the Bavarian State Association of the Pirate Party Germany and others

Payment model

Since the traffic over a mix is ​​significant, so not like e.g. For example, if a broadband connection is already sufficient for Tor, the question of financing the mixed operation arises. On the one hand, sponsors enable some free cascades. However, these are often heavily used, so that the speed there is then below the ISDN level.

On the other hand, by purchasing a volume tariff , you can use chargeable cascades, which usually offer significantly higher speeds. In addition, a SOCKS proxy (instead of just an HTTP proxy) is usually connected behind the chargeable cascades , so that significantly more functions can be anonymized than just surfing the web. There are also some advantages from an anonymity point of view, as these cascades are longer than the free and internationally distributed mixes. B. national law enforcement there is nowhere. However, significantly fewer users are active on these cascades, which again reduces the gain in anonymity somewhat, since the anonymity groups are small. The volume used is billed via a pseudonymous one-time account. The account can be purchased using completely anonymous payment methods such as Paysafecard , so that the operator does not have to disclose any personal information.

In spring 2010 there were disputes between the mix operators due to the payment model, which led to some providers of free cascades, including the German Privacy Foundation . Since by far the largest part of the traffic handled via JonDo is accounted for by the free cascades, despite the payment model, the project does not cover costs. In order to increase income, the use of the free cascades was made less attractive compared to the chargeable cascades by reducing the maximum possible speed there from 100 kbit / s to 30 to 40 kbit / s. At such low speeds, however, some providers saw free mixes no longer being a useful option and have therefore ended their commitment to JonDo.

Downloading and using the necessary software is always free of charge.

software

JonDo is available for download as an installer version for Microsoft Windows (98, ME, 200x, XP, Vista, 7), Mac OS X and Debian- based Linux distributions . A pure JAR file is available for other operating systems so that JonDo also runs there if a suitable Java runtime environment is available. In addition, with ANONdroid there is an app for Android that enables the use of anonymization services on mobile devices.

Since the configuration of the web browser is also decisive for anonymous access to the Internet ( cookies , HTTP headers, plugins , ...), preconfigured profiles for Mozilla's Firefox web browser are also available for download. These are called JonDoFox . For Windows, a completely preconfigured, transportable version of Firefox can also be downloaded based on PortableApps .

In addition to the JonDo client, the server software for InfoServices and Mixes (the latter not in Java, but in C ++ ) is available open-source and free of charge.

Prosecution

In public focus law enforcement measures advanced for the first time in 2003. On 3 July 2003 procured the Bundeskriminalamt a decision at the district court of Frankfurt , which the project partners of the AN.ON project undertook g based on §§ 100, 100 h StPO certain Record connection data. AN.ON lodged an objection against this, since §§ 100 g, 100 h StPO only refer to data that the service provider collects anyway. However, AN.ON did not collect any such data of its own accord. A decision should therefore have been made on the basis of §§ 100 a, 100 b StPO, which obliges the service provider to record data not collected by him. For a decision based on §§ 100 a, 100 b StPO, there are higher requirements than for one based on §§ 100 g, 100 h StPO. However, since the contradiction did not have a suspensive effect, the AN.ON project partners began implementing individual logging to be on the safe side: If the last mix of the cascade detects access to a website to be monitored, it transmits a flag in the response data which indicates the involved mixes to log the channel assignment of the affected data channel (the first mix then removes this flag again before it forwards the response data to the inquirer). These log data are encrypted and stored on the respective mix and can then be requested and evaluated later by law enforcement authorities. Since the source texts of the mixes are open, some users noticed this change, which led to media coverage. AN.ON's objection to the surveillance decision on the basis of §§ 100 g, 100 h StPO was ultimately successful and the Frankfurt Regional Court confirmed the legal opinion of AN.ON that such surveillance measures were only possible on the basis of §§ 100 a, 100 b StPO can take place. In the meantime, however, a data set had been obtained, which the Federal Criminal Police Office secured with a search and seizure order that was also subsequently found to be illegal. In addition to the judicial clarification on what legal basis an anonymization service in Germany can be forced to log access in the future, the logging functionality as a result of these events was also retained in the source code of the Mixe.

On September 6, 2006, the AN.ON server of the Independent State Center for Data Protection Schleswig-Holstein was confiscated. Since it should also have been clear to the prosecutors that AN.ON does not save any connection data by default, the purpose of this seizure is unclear.

In order to make criminal prosecution measures transparent, JonDos publishes an annual report that provides information on the number and scope of criminal prosecution orders.

Data retention

With the promulgation of the "Law on the New Regulation of Telecommunications Surveillance and Other Covert Investigative Measures as well as the Implementation of Directive 2006/24 / EC" on December 31, 2007, so-called data retention was in effect in Germany from January 1, 2008 . Providers of publicly available telecommunication services were therefore obliged to save the traffic data arising from the provision of services for a period of six months by January 1, 2009 at the latest and, if the relevant requirements were met, to transmit them to the responsible state authorities.

In principle, providers of anonymization services were also affected by these regulations. However, JonDos GmbH has recommended the mix operators not to implement data retention. The evaluation of the data obtained from the data retention on a single JonDonym mix cannot deliver any meaningful results. Only together can all mix servers of a cascade remove the anonymity of the users. In many cases, however, the international distribution of the mix operators prevents the data of the data retention from being collected or evaluated. Data storage is therefore not expedient. The majority of the German mix operators active in 2009 followed this recommendation and did not save any data: Surfsky Ltd., Pimenidis IT Consulting, Behrens, dotplex eK, German Privacy Foundation eV, PiratenPartei and SpeedPartner GmbH. The mix operators at the Technical University of Dresden, the University of Regensburg and the Independent State Center for Data Protection Schleswig-Holstein did not follow the recommendation of JonDos GmbH and implemented the storage of stored data on their mixes as follows:

  • The first mix saved the IP address, the date and time of the incoming connection and, for each connection, the outgoing channel number on which the data is passed on to the second mix.
  • Medium mixes saved incoming and outgoing channel numbers of the connections as well as the date and time of the respective channel setup.
  • Last mixes saved the incoming channel number of a connection, the date and time of the channel setup and disconnection, the source port number of the outgoing request and its date and time.

Due to the considerable interference in the functioning of an anonymization service, JonDos GmbH was one of the first complainants of the collective constitutional complaint against data retention initiated by the working group for data retention (1 BvR 256/08). In particular, JonDo's encroachments on occupational freedom (Article 12, Paragraph 1 of the Basic Law ) and the protection of property (Article 14, Paragraph 1 of the Basic Law) were criticized. The implementation of data retention would be associated with disproportionate costs for the provider of an anonymization service, which would barely make economic operation possible. Likewise, the existing technical systems for the provision of telecommunications services, which do not allow data retention, would thus become useless, which would represent a disproportionate encroachment on property. Although the constitutional complaint was overall successful because, according to the judgment of the Federal Constitutional Court of March 2, 2010, central parts of the data retention violated telecommunications secrecy (Article 10, Paragraph 1 of the Basic Law) and were therefore void, the complaints mentioned by JonDos in particular were against further encroachments on fundamental rights as admissible but rejected unfounded.

Since the legal basis for data retention no longer applies due to the ruling of the Federal Constitutional Court, this has not been applied to any mix cascade since then.

See also

literature

  • Marc Störing: In the sights of the law enforcement officers - State access to anonymization servers . In: c't . 24/2006, pp. 208-210.

Web links

Individual evidence

  1. Softonic : Anonymous surfing: Tor, JonDo, VPN and web proxies in comparison . Article of July 31, 2013.
  2. JonDos: Requirements for mixed operation . Retrieved November 21, 2010.
  3. JonDos: List of certification bodies . Retrieved November 21, 2010.
  4. JonDos: List of mix operators . Retrieved April 3, 2011.
  5. JonDos: Prices and payment methods . Retrieved April 3, 2011.
  6. JonDonym Mixes of the GPF switched off. (No longer available online.) German Privacy Foundation, May 17, 2010, formerly in the original ; Retrieved August 29, 2010 .  ( Page no longer available , search in web archives )@1@ 2Template: Toter Link / www.privacyfoundation.de
  7. User Question from the Shoutbox. (No longer available online.) Mix Proxy Server Operators of the JonDonym Network, June 29, 2010, archived from the original on July 13, 2010 ; accessed on August 29, 2010 .
  8. JonDos: List of available download options . Retrieved April 3, 2011.
  9. JonDos: ANONdroid Version 00.00.008 . Retrieved December 23, 2011.
  10. ANONdroid on Google Play . Retrieved December 23, 2011.
  11. JonDos: JonDoFox information page . Retrieved April 3, 2011.
  12. JonDos: List of the program sources offered . Retrieved November 21, 2010.
  13. Henry Krasemann: Discussion of the decision of the Frankfurt am Main Regional Court of September 15, 2003 (Ref .: 5/6 Qs 47/03) and the decision of the Frankfurt am Main Regional Court of October 21, 2003 (Ref .: 5/8 Qs 26 / 03) . In JurPC web doc. 140/2004, paras. 1-5. Retrieved January 3, 2010.
  14. Google Groups : WARNING: JAP now comes with spyware! . Usenet entry in alt.privacy.anon-server from August 17, 2003. Retrieved January 3, 2010.
  15. Heise-Newsticker : No longer completely anonymous: JAP anonymization service logs access . News from August 18, 2003. Retrieved January 3, 2010.
  16. Independent State Center for Data Protection Schleswig-Holstein: AN.ON server of the ULD confiscated ( memento of September 29, 2008 in the Internet Archive ). Press release of September 15, 2006. Accessed January 3, 2010.
  17. ^ JonDos: Monitoring reports
  18. ^ Draft of a law for the new regulation of telecommunications surveillance and other covert investigative measures as well as for the implementation of Directive 2006/24 / EC. (PDF - 2.0 MB) Printed matter 16/5846. German Bundestag, June 27, 2007, accessed on September 21, 2012 .
  19. Implementation of data retention by AN.ON. (No longer available online.) Project Anonymity on the Internet (AN.ON), archived from the original on January 5, 2011 ; Retrieved November 22, 2010 .
  20. ↑ Notice of complaint "Constitutional complaint on data storage". (PDF - 1.0 MB) Working Group on Data Storage, December 31, 2007, accessed on September 21, 2012 .
  21. ^ Judgment of the First Senate of March 2, 2010 on 1 BvR 256/08, 1 BvR 263/08, 1 BvR 586/08. Reasons BI (Rz 179), C. VII. (Rz 184, 293-304). Federal Constitutional Court, March 2, 2010, accessed on September 21, 2012 .