How a portable travel router can put TOR web-surfing security in your pocket
Most of the stories coming out of the Black Hat and Def Con security conferences highlight the latest crop of horrendous security flaws discovered by hackers. But it's not all doom and gloom. There were also presentations from developers actively trying to make digital security better for all.
Consider the privacy-protecting travel router defined by the Personal Onion Router to Assure Liberty (PORTAL) project. It aims to protect personal privacy with little effort—at least once you're up and running.
Currently a DIY project that's really only appropriate for power users, PORTAL uses a travel router with modified firmware that anonymizes all Internet traffic by connecting to The Onion Router (TOR) network.
PORTAL was originally created two years ago by a well-known security researcher who goes by the online handle The Grugq. In recent months, however, the Grugq has teamed up with two other contributors: Ryan Lackey, security engineer at CloudFlare, and Marc Rogers, principal security researcher for Lookout Security.
Together the trio are refining the original code to make PORTAL more accessible to users, and they plan to add more advanced functionality for power users in the future. Lackey and Rogers discussed the PORTAL project at Def Con 22. You can check out the presentation slide deck here.
Lackey told PCWorld they are hoping to sell travel routers with the software pre-installed to interested users, but for now the team doesn't plan on turning a profit or launching a business.
"The main goal is to get the devices out there," Lackey said. "So we're open to various options to cover the costs. Selling them is probably the easiest, though."
The group also hopes to have a more useful tool like a one-click installer ready by the end of the year for people who already have a travel router they can modify, Lackey said.
Security in your pocket
Travel routers are pocket-sized, battery-powered and/or wall-pluggable devices that can connect either to a wireless broadband network or a local Wi-Fi network. The router then functions just like a home router, connecting multiple devices to the Internet at one time.
Making a travel router do all the work of connecting to TOR gives user devices an added boost of security. By isolating all the TOR connections to a separate device that can be nearly always on, you reduce the chance of forgetting to connect via TOR to maintain anonymity. The router also doesn't contain any of your personal information, reducing the chance of exposing personally identifiable data online.
Even if you're not a criminal or political dissident, there are many reasons to keep your Internet surfing habits as private as possible. For example, you may object to the data-gathering activities of the National Security Agency and other intelligence groups just on principle. The downside of using TOR, however, is that it can slow down your browsing speeds (although TOR speeds have improved in recent years).
There are many projects trying to help users stay anonymous online, mostly by using the TOR network. These include PogoPlug Safeplug and the Onion Pi, which turns a Raspberry Pi mini computer into a TOR router.
The difference with PORTAL is that it takes advantage of TOR's pluggable transports API. Although TOR traffic is relatively anonymous, online monitors can still identify which traffic is TOR traffic and which is not. Pluggable transports can help mask TOR traffic so that it looks like nondescript Internet activity.
While PORTAL is an interesting project, right now it requires users to know how to flash a portable router's firmware. The instructions for getting started also assume a higher level of knowledge than most users have. Nevertheless, if you want to try your hand at PORTAL, you can find all the details, including recommended router models, on GitHub.
If you do give PORTAL or just plain old TOR a try, remember that your Internet traffic can be exposed once you exit TOR to connect to a website. You can avoid this by forcing your PC to connect to websites using HTTPS encryption whenever possible with browser add-ons such as HTTPS Everywhere.
[via Ars Technica]
UPDATE: This article was edited on August 21 with additional information from Ryan Lackey.