Skip to main content

Full text of "basic-internet-security"

See other formats

Basic Internet Security 

Published : 2011-05-27 
License : GPLv2+ 

Table of Contents 


1 Introduction 2 

2 Why use a manual on Internet security? 5 

3 Understanding basic Internet security 9 

General Safety 

4 Secure your computer 13 

5 Internet Cafes 17 

6 Software on USB or CD 19 

Protecting your passwords 

7 Keeping passwords safe 25 

8 Installing KeePass 28 

9 Encrypting Passwords with a Password Manager 35 

Safe Browsing 

10 Introduction to safe browsing 51 

11 Installing Firefox on Ubuntu 53 

12 Installing on Mac OS X 55 

13 Installing Firefox on Windows 60 

14 Protecting your internet passwords 66 

15 Extending Firefox 67 

16 Proxy Settings and FoxyProxy 83 

17 What is Tor? 90 

Basic E-mail Security 

18 Introduction to e-mail safety lOl 

19 Using Thunderbird 105 

20 Setting up Thunderbird to use secure connections 114 

21 Some Additional Security Settings 121 

Email Encryption 

22 Introducing mail encryption (PGP) 130 

23 Installing PGP on Windows 132 

24 Installing PGP on OSX 139 

25 Installing PGP on Ubuntu 148 

26 Creating your PGP keys 150 

27 Daily PGP usage 159 

28 Webmail and PGP 182 

Securing personal data 

29 Introduction to securing personal data 191 

30 Installing TrueCrypt 192 

31 Using TrueCrypt 201 

32 Setting up a hidden volume 216 

33 Securely destroying data 226 

Securing remote connections 

34 Introduction securing remote connection: VPN 240 

35 Getting and testing a VPN account 244 

36 VPN on Ubuntu 248 

37 VPN on MacOSX 265 

38 VPN on V^indows 275 

Mobile security & VOIP 

39 Introduction to iviobile Phone Security 289 

40 Secure Text messaging 291 

41 Secure voice communication 305 

42 VPN on Android phones 307 

43 Email security on Android 324 

Background information 

44 FAQ 326 

45 How the Net V»/orks 332 

46 Glossary 341 



The digital world is changing at a tremendous speed. New 
communication technologies open up new possibilities, 
but by using them you can also expose yourself, and 
others, to risks. Ivlany people have trouble assessing these 
risks especially with regard to the subject of safe digital 
communication. This is particularly true for people working 
in regimes with high levels of censorship. However, also in 
countries considered to be relatively free and uncensored, 
your data can be used or misused by others - governments, 
companies, or other persons (sometimes even 

How to protect yourself, your sources or your friends? What are safe routes 
to take? How do you secure after your personal data? This manual aims to 
address these issues to help you choose your own 'level' of safety. 

f Govemmerts and other parties are very interested in your communication 

r^ DATA J|^ DATA ~ 

How to trust technology? 

when verbally passing a message you usually need to know 
your contact persons to know if you can trust them, but 
you also have to know your technology a little to know if 
you can trust it. Technologies can leak or distort your 
message just as humans can. Technologies are invested in 
types of trust relations: some devices are safer than others, 
some can be modified, and some are better avoided. 


This book tries to address these different layers by giving hands-on 
explanations on how to make your digital communication and data more 
secure and by providing the reader with a basic understanding of the 
concepts of digital communication and data security. It derives from the 
following principles: 

1. No method is entirely secure; 

2. You need to have a basic understanding on how and why technology 
works to make it work for you; 

3. You need technology for safer communication: either some basic tools, 
or more sophisticated equipment, depending on where you're at and 
where you go. 

Keeping up to date 

Publications about the digital world become outdated fast 
and a viable solution today could be serious threat 
tomorrow. Therefore we created this book as open source, 
so it can be easily updated and will be free for others to 
update, extend and redistribute. The focus In this book Is 
also on free and open source tools. 


There is a wide range of books dealing with different aspects of secure 
communication In a digital age. We have combined our knowledge with 
existing publications and our contributions can be re-used and revised as well. 
This Is the advantage of having a growing pool of excellent reusable content at 
FLOSS Manuals - Its becoming easier in this field to make books quickly by 
combining existing materials using this resource. 

Different users, different tools 

The handbook aims to provide everyone an understanding 
about how they can protect themselves and the persons 
they communicate with. It also alms to provide Insights 
into the limits of protective measures, so people can make 
an Informed trade-off. 

The manual was a direct response to a workshop given by Greenhost 
( to the people from Free Press Unlimited 
( The workshop made clear that 
journalists face many problems with regard to security. This manual therefore 
addresses the concerns and needs expressed In that workshop. However, the 
manual provides Information on different layers of protection and therefore is 
valuable for other audiences as well. Using the manual does require some 
basic knowledge on how to operate a computer with a keyboard, mouse or 
any other pointing device. 

In the chapter on 'Why to use this manual' you can read more about the 
reasons for taking more security measures and how the manual addresses 
these Issues. 

How was this book made? 

This book was written in a Book Sprint. FLOSS Manuals has developed this 
methodology for the rapid development of books in amazingly short periods 
(2-5 days). FLOSS Manuals is an entirely open and voluntary organisation of 
some 3000 members. FIvl has manuals on free software available in over 30 
languages and all for free. You can read more about free software at the 

The idea for the book came from ISP Greenhost from Amsterdam. Besides 
providing sustainable hosting solutions they strongly adhere to a free, open 
and safe web. They bring this in practice by not logging user information, 
providing secure options for communication and helping users to make their 
computers and usage of the internet safer. For this book they gave a 
workshop at the NCO Free Press Unlimited from Hilversum, The 
Netherlands. Free Press Unlimited promotes Press Freedom all over the 
world, educates journalists and helps them securing their communication. A 
big part of this book is based on the workshop and the concerns of the 
journalists present. For more information check their websites. 

Many thanks to Buro 2.0 for providing the space for this Book Sprint. Buro 2.0 
is a co-working space for open source developers and experts. They were 
extremely generous to offer their Berlin venue to us for 5 days and made us 
feel very welcome and well looked after. Check them out their website. 

The Book Sprint was 4 days long and the full list of onsite participants 

Adam Hyde (facilitator), Jan Cerber, Dan Hassan, Erik Stein, Sacha van GefFen, 
Mart van Santen, Lonneke van der Velden, Emile den Tex and Douwe Schmidt 

why use a manual on Internet 

In the eighties when the Internet was in its infancy, its main usage came from 
university students and professors in an atmosphere of implicit trust. This 
means that security was not the first thing in mind when the basic uses and 
functions of the Internet were first developed. 

Nowadays the Internet is everywhere both in public and in private life. It has 
become a vital means for professional and personal - often confidential - 
communication. This has required security enhancements to be added to the 
various communication methods used on the internet after it became widely 
used. A lot of these enhancements are not implemented by default or require 
additional configuration. 

In addition, most people do not have the appropriate knowledge or skills to 
secure their internet usage enough or they might simply feel it they don't 
need it. Also vendors and providers are to blame for not pushing more secure 
technology and methods by default. But maybe you worry about your login 
codes being accessed when using wireless networks on a trip, or you want to 
securely lock your laptop when leaving it in a hotel. Possibly you need to 
encrypt your e-mails, because you have contacts in countries with a high level 
of internet censorship. 

This manual tries to fill that gap by providing some basic knowledge, and also 
more sophisticated techniques for those who need them, to make sure that 
your data is not easily accessed by others. As a matter of fact, internet 
security is not that difficult. 

What is security? 

Absolute security does not exist, security is always related to who your 
adversaries might be. Security is therefore about informing yourself and 
assessing the possible risks you, and others you communicate with, are 
facing. Make sure you reserve some time to choose the right tools, install 
everything properly, and test if it works. Compare it with driving a can it takes 
a little bit of practice, and some judgement on others' behaviour, but as soon 
you are in control it can safely get you where you want. 

To make a choice between the types of tools you need, it helps to make a 
distinction between two basic types of 'threats': undirected threats and 
directed threats. 

Most of the threats we are facing are automated undirected threats and 
luckily these are also the easiest to defend against. Unfortunately, we are 
sometimes also subjected to directed threats, for which we need some extra 
safety measures. We will shortly go into these issues and refer to the 
appropriate chapters so you can start your way. 

Undirected and directed threats 

Undirected threats are threats that are not directed at you personally, but 
might still affect you. Examples include phishing emails and computer virus 
infections. These methods are always automated and are just looking to get 
new victims, that can be everyone. Some schemes can evolve into a directed 
threat (for example when responding to e-mails telling you you won the 
"Spanish online lottery"). Also unprotected websites, or networks, can be 
dangerous if you fill in your login codes or credit card information. 

These threats can be compared to walking around in an unknown city, ending 
up in the wrong neighborhood and getting mugged. This book aims to be your 
city guide helping to prevent you to be at the wrong place at the wrong time. 
To protect yourself from this type of threats we recommend you to read at 
least the sections on General Computer Security, Secure E-mailing and Secure 
Browsing. Next to that it is key to keep your wits about you, keep your eyes 
and ears open and don't loose your common sense. 

Directed threats are the most dangerous ones. A long known wisdom amongst 
security specialists is the notion that "Only amateurs attack machines, 
professionals attack people." Directed threats are aimed at you personally or 
your organization and might involve a lot of different techniques. Attackers 
will use a mix of social engineering, sophisticated tools, luck and hard work. 
Directed attacks are a lot more expensive to undertake than undirected ones, 
as mostly they require more skills and work hours. 

One source for directed attacks can be people you know, for example co- 
workers, your boss, your spouse or friends. They might do so out of curiosity 
or for worse purposes. Small measurements might be enough to counter 
these attacks, like using a password onyour computer and locking your 
screen when leaving your computer unattended. 

Also thieves that gained access to your bank account, for example through 
phishing or spying on unprotected networks, are considered a serious threat 
to the internet user. 

Another source of directed threats are (repressive) societies. Governments 
have a range of motivations for monitoring or restricting different kinds of 
people's online activity. 

who might need this manual? 

of course, there are several reasons why you might need some guidance for 
internet security. Who are possible users that can have personal or 
professional reasons to take extra safety measures. 

journalists probably face directed threats. Organized crime, corruption, and 
government brutality are dangerous subjects to cover. You may need to 
protect yourself and your sources of information. 

Bloggers can encounter similar problems. You may want to write about 
everyday life, but issues are silenced or unpopular because of ethnicity or 
gender. You might prefer anonymity or need it to connect with a support 

Diplomats are also under heavy surveillance, as we know from the Wikileaks 
affair. You'd rather communicate in a safe way with your colleagues because 
the the content of your e-mails could have damaging effects. 

Activists may want to improve your government or are seeking a new one. You 
may want to expose environmental issues, labor abuses, fraud, or corruption 
at your place of work. Your government and employers are not going to be 
happy about this no matter the time of year, but they may put more effort 
into monitoring you if they suspect that there will be protests in the streets 

Internet users-. You might want to increase your security while browsing or 
mailing so you are better defended against undirected attack, or you might be 
just fed up with companies storing all your data for financial purposes, or 
suggesting you all sorts of things about yourself and your friends. 

How to use this manual? 

If you think you need to secure your internet use, we'd be happy to give you a 
hand with this manual and helping counter-attacking some of the problems 
you face. The chapters encompass general introductions that indicate which 
are the more basic steps to be taken for internet security, and what are the 
more complex operations to be handled. Even if those techniques of 
assurance may sound more demanding, they are explained step by step with 
illustrations and turn out to be not so difficult to implement. 

In the end you are the only one who can best asses the risks you are taking 
and to which threats you are exposing yourself and your peers. If you are in 
need of more in depth information aimed at human rights defenders, there is 
an excellent one called "Security in-a-box"created by the Tactical Technology 
Collective and Frontline. It is freely available online and as a download at Additionally, if you live in a country that 
actively restricts access to parts of the Internet you might find the Floss 
Manual on bypassing censorship to be of interest to you, it is located at Know that manuals in 
general can't guarantee total security and that it is by no means a 
replacement for a professional risk assessment and an organization wide 
security (and travel) policy. 

This manual is also to be used in an interactive way. In order to work, it needs 
to be kept reflected upon and updated. Do get in touch if we missed 
something, if you want to contribute, or if you just want to get in touch! 

Understanding basic Internet security 

To understand basic internet security we should have a basic understanding 
of how the Internet is organised and which path our information travels. With 
this knowledge we can easier assess which measures we can take to protect 

The mail game 

To have a notion of how the Internet works you can 
compare it with the normal world wide mail network. If 
you want to communicate with a friend you can send her a 
letter and post it to the nearest mailbox; it then travels 
through an extensive network to (hopefully) reach the 
person the information is intended for. Internet is just like 
that, however, the message is sent in an open envelope and 
every postman on the way can read the message, alter its 
content and/or the destination without you knowing. 

Unencrypted mail looks like this: 

To counter this, people have long used secret languages to communicate 
safely. In this chapter we will explain two methods of encryption. The first 
method explains an end-to-end encryption, encrypting the whole way from 
sender to receiver. The second method partly encrypts the route. 

End-to-end encryption 

If you encrypt your message and only the recipient can read it, it will be 
meaningless to all the postmen in between, and if they alter it you will notice 
it directly. In order to make such an encryption work, you still have to be sure 
to trust the recipient and be sure that you are really exchanging information 
with her and not with someone pretending to be her. This method is called 
end-to-end encryption and is the safest way of communication. You also have 
to be sure that no one is watchingoveryour shoulder while you write your 
message. Some of the end-to-end encryption methods that we cover in this 
book are HTTPS for browsing and PGP for e-mailing. 

Encrypted mail loolcs lite this: 
• • • 

^ ^ ^ 

Unfortunately for end-to-end encryption to work, both you and your friend 
(source, co-worker) need to have the tools to use it and have to agree on the 
secret language used. On the internet this means the website you are visiting 
or the people you are e-mailing. This not always the case, still, we can 
considerably increase our online safety by encrypting a part of the route. 

Partly encrypted mail through a proxy 

To get back to the mail analogy you might be on a field trip in a repressive 
country and want to send a message to your friend at home. You don't trust 
the post offices and the postmen in this country. So before you left, you asked 
your local post office to act as an intermediary (the proxy) and agreed to use 
a secret language. Now you can just write a message to your friend in the 
secret language of your post office. You will send this to your post office and 
they will take care of the delivery of the message to your friend. In this 
scenario you have to trust your local post office, all the postmen after that, 
and of course your friend. 

Partly encrypted mail using a proxy looks like this: 

^9 Proxy wj ^P 

m d^ 

Visiting websites is communicating 

Because in this example an analogy was drawn with mail messages, you 
probably thought of e-mails when reading this. While this is true, the example 
also counts for all other internet communications. Visiting a website is just 
like sending the message to your friend "please mail me your copy of the book 
1984", after which she sends it to you. 

Let's follow the example of visiting a website from your home computer: 
1. You type in 


2. The request goes through a series of routers, each one forwarding a 
copy of the request to a router closer to the destination, until it reaches 
a router that finds the specific computer needed. 

3. This computer sends information back to you, allowing your browser to 
display the page. 

The message that is transmitted from the website to you travels through 
other devices (computers or routers). The amount of devices your message 
comes in contact with along its way is often between 5 and 30. 

( What wou(d the ihtemei looK like if you draw it in a really small picture? ^ 

l"^P^* - ^^ ^^ ^^ greenfio^.N 

M □(T^.s a ^ s □ -- 

= t tig request 
< = the answer 

^■a iJ <A k . 

By default, information travels on the internet in an insecure way. This means 
that your message can be eavesdropped or tampered with on every device. If 
you are connecting wirelessly, people can also just "tune in" to the 
information send through the air. 

To keep information from being compromised you have to be careful to make 
sure of the following: 

• Can you trust the entry point (your internet connection) to the internet? 
If this is an insecure wireless connection anyone can eavesdrop on it, if 
it is a physical (cable connection) it can be eavesdropped by the 

• Can you trust the exit point (the site you will be visiting) of your 

• Are you really communicating to the right destination? Or did your 
request end up on a server trying to appear like the server you were 
looking for, but really isn't. 

At the end of the book there is a more in depth and technical explanation on 
how the net works. You can read that if you like to know more about it. 




Secure your computer 

There are steps that everyone with a computer should take to keep it secure. 
This may involve protecting information about your network of activists, your 
credit card number or your human-biology collection; but some of the tools 
you need are the same. Your computer holds valuable information and this 
need to be protected. 

Beware of programs or people that promise perfect security: online safety is a 
combination of good software and human behavior Knowing what should be 
kept offline, who to trust, and other security questions cannot be answered 
by technology alone. Look for programs that list risks on their Web sites or 
have been peer reviewed. 

Keep your OS updated 

Keep your operating system up-to-date: the developers of operating systems 
provide updates that you should install from time to time. These may be 
automatic or you may have to request them by entering a command or 
adjusting your system settings. Some of these updates make your computer 
more efficient and easier to use, and others fix security holes. Attackers learn 
about these security holes rapidly, sometimes even before they're fixed, so 
fixing them promptly is crucial. Luckily most operating systems do a quite 
good job in keeping the system updated and safe, if at least you allow them to 
do so. 

Installing new updates on a new computer is very important. A new computer 
you buy in the shop, can be there for some months already. This means the 
computer is often behind with the security updates. So when buying a new 
computer, please take some time to update your Operating System. 

User account and password 

Every computer needs an account to login. This account is needed to access 
your data and use the functions of your computer Please be sure to setup a 
password for every account. 

Use good passwords: no password selection system can guard against being 
threatened with violence, but you can improve your security by making it 
harder to guess. Use combinations of letters, punctuation, and numbers. 
Combine lower and upper case letters. Do not use birth dates, telephone 
numbers, or words that can be guessed by going through public information 
about you. More information about this can be found in the chapter on 


Modern operating systems separate normal tasks from administrative tasl<s 
like installing software. This division is very important, as administrative tasks 
need extra privileges and have total access to your hardware and software. Be 
sure to create a normal user account for day to day usage and never use the 
administrative account for this. 

Last but not least: Never store your password on a post-it on you computer 
or underneath your keyboard. 

Physical protection 

A lot of people do not realize the information on your computer can be very 
valuable for others. If you are working in an unknown/uncontrolled 
environment or area, always keep a good look on your belongings and never 
leave them unattended. Take some time to think over what the risks are if the 
data on your computers fall in the wrong hands. Ask yourself "which 
information is actually stored on my computer and what can other people do 
with this information?". Please realize, a password on your computer will 
maybe protect against quick access, but it doesn't protect your data once the 
whole system is lost. With physical access to a computer it's very simple to 
access the data on your harddisk (with the use of an other computer) without 
knowing even the first character of your password. If the information on your 
laptop is very valuable, have special attention to the section about securing 
personal data. The above is also true when you lend your equipment to 
someone else. Although you might completely trust the person you lend to, 
you don't have control on how secure they may handle your equipment. 

Smoking a cigarette 

it is very well possible you are working in a cafe or other (semi) public place 
on your laptop. Maybe you have opened some password protected websites 
(webmail) and maybe even have opened some encrypted files or emails. Once 
you go out for a quick break and a cigarette, please be sure at least your 
screen is locked. All mainstream operating systems can be used to lock your 
screen automatically if you close your lid or after a few minutes of inactivity. 
Be sure to enable these options, failing to do so will certainly at least 
sometimes result in good opportunity for attackers to access your private 
data. U nfortunately this habit is still not very common with users but very 



Use anti-virus software 

If you're still using Microsoft Windows, use anti-virus 

software and keep it updated. Malware is software written 

in order to steal information or to use your computer for 

other purposes. Viruses and malware can gain access to 

your system, make changes and hide themselves. They 

could be sent to you in an e-mail, be on a Web page you 

visit, or be part of a file that does not appear to be 

suspicious. Anti-virus software providers constantly 

research emerging threats and add them to lists of things that your computer 

will block. In order to allow the software to recognize new threats, you must 

install updates as they are released. 

Be aware of scareware. Scareware is software which advertises itself as anti- 
virus software, but is in fact a virus or spyware itself If you install (free or 
commercial) anti-virus software, please be sure it's not scareware. A quick 
search of the name of the vendor/product in combination of the term 
"scareware" on Google will be enough to find out if you've just downloaded 
scareware. Scareware can be often found in "advertisements" on dodgy 
websites with warnings about "found viruses" 

External data (USB-sticks, E-mail attachments) 

Transferring virusses with USB-sticks or with E-mail 
attachments is very easy and often done by the virus itself 
rather then the owner/sender, especially under Microsoft 
Windows. Be careful when inserting USB-sticks or lent out 
your stick to others. It's just recently Microsoft changed 
it's policy regarding automatically opening USB-sticks. This 
"""* should make Windows a little safer, but still watch out 

suspicious programs on USB-sticks. Never open any file 

you do not trust, regardless to if it was distributed via E-mail, USB or other 


Only use trusted and Open Source Software 

Be sure you can trust the vendor of the applications you use. A lot of 
companies are offering applications on the internet. Between these 
companies there are several with other intentions then they will tell you. 


Use Free and Open Source Software (FOSS). Open source software is made 
available both as a working product and as a work in progress to users and 
software engineers. This offers several security advantages over closed 
source, for-profit software that may only be available in your country through 
illegal channels due to export restrictions or expense. You may not be able to 
download official updates for pirated software and often pirated versions 
already includes viruses. With Open Source software there is no need to 
search through several suspicious sites for a copy free of spyware and 
security glitches. Any legitimate copy will be free and is available from the 
creators. If security flaws emerge, they can be spotted by volunteers or 
interested users. A community of software engineers will then work on a 
solution, often very quickly. 

Another problem that has occurred in some countries with regards to illegally 
installed closed source software is that equipment of NGOs or journalists 
were confiscated by the government based on copyright regulations as a 
measure to gain access to the information that was on the devices. 

Be updated 

Keep yourself updated on the latest security threats: the 
effort put into harming you may change. Methods to 
protect yourself that works today may stop working or 
even become a threat themselves tomorrow. Even if you 
don't need it now, know where to find information and use 
different sources of information. 


And if you do find some essential piece of information we didn't cover in this 
book, please update the book at or tell us so we can 
update the book. 


Internet Cafes 

The fact that you access the Internet in a public space does 
not make it anonymous or safe for you. It is quite often the 
very opposite. Some of the main threats are: 

The owner of the computer, or even a person who used the computer 

before you, could easily program the computer to spy on everything you 

do, including recording all of your passwords. The computer can also be 

programmed to circumvent or nullify the protections of any privacy and 

security software you use on it. 

In some countries, such as Burma, Cuba and Italy, Internet cafe clients 

are required to show their ID or passport before using the service. This 

ID information can be stored and filed together with the clients' Web 

browsing history. 

Any data you leave on the computer you have used may be logged 

(browsing history, cookies, downloaded files, etc). 

Software or hardware keyloggers installed in the client's computer may 

record every keystroke during your session, including your passwords, 

even before this information is sent over the Internet. In Vietnam, an 

apparently innocuous virtual keyboard for typing Vietnamese characters 

was being used by the government to monitor user activity at Internet 

cafes and other public access spots. 

Your screen activity may be recorded by special software that takes 

screenshots at frequent intervals, monitored through CCTV cameras, or 

simply observed by a person (e.g. the Internet cafe manager) looking 

over your shoulder. 

In some countries, such as Burma, Internet cafe owners have to display 
posters about banned Web content and are responsible for the 
enforcement censorship law inside their business. 
Computers are often configured so that users are prevented from 
installing any software, including circumvention tools, or connecting 
any kind of devices to the USB port (such as USB flash drives). In Cuba, 
authorities have begun deploying a controlling software for Internet 
cafes named AvilaLink that prevents users from installing or executing 
specific software or running applications from a USB flash drive. 
Users may be prevented from using any other browser but Internet 
Explorer, to prevent the use of privacy or security Add-ons or settings 
for browsers such as Mozilla Firefox or Google Chrome. 


Best practices 

Depending on the environment in which you use your 
shared computer, you can try the following: 


Identify the surveillance measures implemented based on the list 
mentioned above (CCTV, human surveillance, keyloggers, etc.) and 
behave accordingly. 

Run portable software from a USB flash drive if possible. 

Keep your data on your own USB flash drive and do not copy it to the 

shared computer. 

Encrypt any data you are sending. 

Use an operating system on which you have control through the use of 

a Live CD. 

Change Internet cafes often if you fear recurring surveillance, or stick to 

one where you trust it is safe to connect. 

Take your own laptop to the Internet cafe and use it instead of the 

public computers. 


Software on USB or CD 

It is possible to install applications on a CD-ROM or USB- 

drive. This will enable you to bring your favourite settings, 

extensions and bookmarks with you anywhere you go. It 

will also limit the amount of data and traces you leave on 

the computer you are using. This could prove to be 

exceptionally useful when you have to use untrusted 

computers or internet cafs. The latter is almost always a 

Windows environment. We will describe a handy tool in 

this chapter called 'Portable Apps'. With this tool you can easily prepare a 

USB-drive with Windows application. 

The most easy and by far most secure way to do this is at home, or in your 
office or any other save environment, with a high speed internet connection 
as it requires you to download a special package of software including all the 
programs you might need. You want to make sure that the computer you use 
to do this is protected by a firewall and has no viruses (so use your own 
computer of from somebody you trust). 

If you need only Firefox, which can be used on any platform, install Firefox on 
a CD or USB. If you need other programs to mail, chat, use ftp etc. you can 
install a whole bunch of programs with the help from the installer available 
from the website Portable Apps. The installer and the resulting removable drive 
with application will only work on the Windows platform. 

Another option is to install an entire OS on a flash drive, external hard-drive or 
iPod and start the computer from that. 

Portable Apps for Windows 

For Windows users there exist a handy tool called Portable Apps. For this 
method we are going to use a package from Portable Apps. This website 
allows you to download packages with software that you can install on a 
USB-drive or any other removable medium like an iPod or SD Card. 

Things you will need for this method: 

• A save, clean and secure Windows computer; 

• A portable drive of at least 256Mb but preferably bigger then IGB; 

• An internet connection. (You will need to download files between 2Mb 
to 137Mb). 

Direct your browser to and look at the 
different columns to see what is included in which download. For this manual 
we are using the 'Suite Light' of 52mb download. At the time of writing the 
version number is 1.6.1. 


1. Download your desired suite by clicking the download button. You will be 
redirected to the download page and asked if you want to 'save' or 'run' the 
program. Choose to save it to your desktop (or any other place you might find 

[=1 7S 

^ D&wnlciad Suite and M, + 
^ J'-^ I y^ http://portableapp&.com/de>wnload 

<> ' e a- GougLE 


The Platform is 100% Free. Free to use. Free to share. And fully open source. 
Please make a donation to help support our development and hosting. 


Get everything you need at 
once or add only what you 
want. Pick what's right for you : 

Download Size 
Free Space Needed 
Recommended Device 
Supported Language 

Platform Only Suite Light Suite Standard 

Download IL Download II Download 


ZMB download 

2MB installed 

All devices 



52MB download 

15QMB installed 

Z5&MB+ devices 



L37MB download 

400MB installed 

1GB+ devices 

English Platform 

Q PortableApD&.com Menu 
i Porta bl&Apps.onTi Backup 

,^j Custom Folders, Icons & Auto run 

Bundled Apps 

(g) Mozllla FIrefox. Portable Edition 

(web browser) 

2. Insert you USB-Drive into your computer and locate the PortableApps file 
on your computer and double click to open it. 


Organize » [h] Open Share with '^ Burn Wew f oider 

i; - a © 

M Favorites 
■ Desktop 
Jj^ DownloadE 
^ Recent Places 

(^ Libr^rie^ 
|yl Documents 
J^ Music 
B Pictures 
H Videos 

d¥ Computer 

*^ Network 

! Libraries 

System Folder 

Svstem Folder 



System Folder 

System Folder 

Irw i^Zl Control Panel 
IK^^J System Folder 

J^^^, Mozilla FirefoM 
|BKJ Shortcut 
[Tj^r 1.06 KB 

•^ Recycle Bin 

\^ System Folder 

-ttr—ji ParafteBs Shared Folders 

^mKm Shortcut 

Porta bleApp5,com_Suite_Light_Set 
up_l,6.1_English Suite 

^.^^ PortabfeApps.com_Suite_Liglit_Setup_1.5.,.. Date modified; 4/23/2011 9;07 PM 
•^^^J Application Size: 50.7 MB 

4. It will ask you if you want to run the software. Choose 'Run'. 


Open File - Security Warning 

Do- you m^ri to HjH this file? 





... leApp s. CO m_Suite_Light_Setup_l. 6. l_English.exe 
Rare Ideas. LLC 



[^ /^ways ask before opening this file 

While files from the Intemet can be useful, this file type can 
potentially harm your computer. Only run software from publishers 
you trust. '^Vhat'sthe risk? 

5. It will now open the installer allowing you to install the programs on your 
removable drive. 


^ PortableApps.tom Suite | [nstaller Suite 1.6.1 

This wizard will guide you through the installation of Suite. 

If you are upgrading an ejfisting installation of SuitEr please dose it before proceeding, 

Click Next tD continue. 

I NeKt> "I I I Cancel | 

6. It is best practice to install the software on a clean formatted drive at the 
first level, (i.e. not in a folder.) In our case that is directly on the E: partition. 

■^ Browse For Folder 

Select the folder tn install Suite in: 



H [desktop 
^ ,^ Libraries 
t> J^ Administrator 
^ S^-' Computer 

> t^ Floppy Disk Drive (A;] 

[> £t Local Disk [Ci) 

[J^l DVD Drive (Di) Windows? Ultimate -52 Bit (Aut 

Im green host [E^. 

P *Ip Network 

^Sake New Folder 

[ CK J [ Cancel ^ 


7. The installation will take some time and afterwards you can set some 
options and then start using the drive. 

Make sure to test on at least one computer if it works and if you understand 
how to operate it before taking it with you. You can modify the programs on 
the drive, by changing preferences or adding extensions, like you would with 
any other program. 

Especially for Firefox and Thunderbird this means that any extensions you 
might want to use can be and should be installed up-front on the USB drive. 


Deploying this technique doesn't guard you from many 
other threats such as key-loggers, malicious programs that 
intercept your keystrokes. See the chapter on Internet cafs 
for an explanation of the dangers of accessing your private 
information from a public environment. 






Keeping passwords safe 

Passwords are for the computer world basically what keys 
are In the physical world. If you loose a password you will 
not be able to get in, and if others copy or steal it they can 
use it to enter As a minimum measure a good password 
should not be easy to guess by people and not easy to 
crack by computers, while still easy enough for you to 

Password length and complexity 

To protect your passwords from being guessed, length and complexity are the 
key factors. Passwords like the name of your pet or a birth date are very 
unsafe; also any word that appears in a dictionary is easily guessed by a 
computer You should also never use a password containing only numbers. 
You should use a password containing a combination of lower case letters, 
capitals, numbers and special characters and it should have a minimum 
length of 8 characters for basic security. 

Minimizing damage 

If your password is leaked or guessed, it is very important to minimize the 
damage as much as possible. To this end there are two measures you can 
take. Firstly, be sure to keep different passwords for different sites, otherwise 
if your password for one site is compromised it is very easy for the attacker to 
gain access to your other accounts. You can for example do this by choosing a 
few basic passwords to which you add a unique suffix per site. Secondly, 
change your password from time to time, at least for things you consider to 
be sensitive. In that way, if an attacker has got access to your account 
without you noticing, you effectively block him out. 

Physical protection 

Especially if you are traveling and using internet cafes, or 
p^^^l^B other untrusted computers, you have to be aware that 
^■'■'■■■1 there are other ways for people to obtain your passwords. 
U^*^JI Firstly there is "over the shoulder" surveillance, where 
^^^^^^J someone, or a camera, watches your actions and might see 
the password you are typing (or where you are browsing). 
A second typical threat is the presence of key loggers. Key 
loggers are software or hardware devices that record 
keystrokes, they can be hidden inside a computer or keyboard and hence 
totally invisible to you. Be very careful what you do in those places and which 
sites you visit there. If you really have to use such a place be sure to change 
your passwords as soon as possible. For more tips on Internet Cafes read the 
chapter on them. 


Easy-to-remember and secure passwords 

One way to create strong and easy-to-remember 
passwords is to start with a sentence you can easily 
remember, like: 


"this book really helps for securing my digital life!" 

Take for instance the first letter of every word: "tbrhfsmdl" and now add 
some more substitutions, the "f" can be the 4 (for "for") and we can add some 
capitals and special characters. The end result might be something like 
"TbRh4$mdL!" Which is secure and easy to remember. Just try to think of a 
system that works for you to remember the passwords. Alternatively you 
might want to use one strong password that is easy to remember and keep all 
your other secure (less easy to remember) passwords by using a tool that 
keeps them securely on your computer or phone. 

Using an application to keep your passwords 

Even easy-to-remember passwords might be difficult to manage. One solution 
is to use a dedicated application to manage most of your passwords. The 
application we will discuss is Keepass which is a free and open password 
manager that is considered to be secure (given that you chose a sane and 
secure "master password" for the keepass application). 

For website passwords a more convenient solution that is probably safe 
enough for most of your passwords is to use the built-in password manager 
of the Firefox browser. Be sure to set a master password as is explained in the 
chapter on safe browsing, otherwise this is very insecure! Other browsers 
might also come with built-in password managers, but remember that if you 
don't have to unlock them with a master password they are mostly unsafe 
and easily retrievable by attackers having access to your computer. 

Protect your Website Passwords 

Browsers offer to save the login information and passwords for websites you 
use. If you choose to save the passwords, you should make sure that the 
passwords are stored in a safe way. See the chapter about Keeping your 
internet passwords safe in Firefox. 




If an application on your computer, like a chat or mail program, stores 

the password it uses, and you are not asked for it after reopening the 

program, it often means that it can be easily retrieved from your 

computer by someone having access (physical or othervi/ise) to it. 

If your login information is sent over an insecure connection or channel, 

it might fall into the wrong hands, (see the chapters on secure browsing 

for more information) 

Over the shoulder surveillance or key logging might compromise your 



Installing KeePass 

We will cover Installing KeePass on Ubuntu and Windows. 

Mac OSX comes with an excellent built-in password 
manager called Keychain that is just as save. Downsides 
are that it isn't Open Source and doesn't work on other 
systems. If you'd need to take your passwords from one 
Operating System to another it is better to stick with 
Keepass after all. How to use Keychain is covered in the 
next chapter. 

Installing KeePassX on Ubuntu 

To install on Ubuntu we will use the Ubuntu Software Center from 
Applications->Ubuntu Software Center. 

File Edit View Heip 
IMI Installed Software 


Ubuntu Software Center 

atured Applications > 



32731 items availai^ie 

Aa ® 

office Science i 


Type KeePass in the search field at the top right and the application KeePassX 
should automatically appear in the listing. 


1 matching iterr 

Highlight the item (it may already be highlighted by default) and then press 
'Install'. You will be asked to Authorise the installation process: 

Authentication is required to 
install software packages 

An application is attempting to perform an action that 
requires privileges. Authentication is required to perform this 


' + ' Details 



Enter your password and press 'Authenticate' the installation process will 
then begin. 


File Edit View Help 

lljjpi Installed Software 
A In Progress [1) 

1 matching item 

Ubuntu does not offer very good feedback to show the software is installed. 
If the green progress indicator on the left has gone and the progress baron 
the right has gone then you can assumed the software is installed. To check 
you can open the program from the menu Applications->Accessories- 

^ In Progress [1) 

1 matching iterr 


Installing KeePass on Windows 

First visit the KeePass download webpage 

( and choose the appropriate installer. For 
this chapter we are using the current installer (KeePass-2.i5-Setup.exe which 
can also be directly downloaded from here 

Download this to your computer then double click on the installer. You will 
firt be asked to select a language, we will choose English: 


Se/ect Setup tiingirage ) 



Select the language to use during the 

OK 1 Cancel 


Press 'OK' and you will be shown the following screen: 

It is recommended that you close all other applications before 

Next > 


Just press 'Next >' and go to the next screen : 


, - ffeePan PtriiwordSflfe 

License Agreement 

Please read the Following important inFormation beFore continuing. 

Please read the Following License Agreement. Vou must accept the terms oF this 
agreement before continuing with the installation. 

|<eePass: Copyright (c) 2003-2011 Dominik PeichI <>. ^ 

The soFtware is distributed under the terms oF the GNLJ General Public 
License version 2 or later. 


Version 2, June 1991 I 

Copyright (C) 19B9, 1991 Free Software Foundation, Inc. 

51 Franklin Stj Fifth Floor, Boston, MA 02110-1301 USA 
Everyone is permitted to copy and distribute verbatim copies 

<" I accept the agreement 

(" I do not accept the agreement 






In the screen shown above we must select 'I accept the agreement' 
otherwise we will not be able to install the software. Choose this option and 
then press 'Next >'. In the next screen you will be asked to determine the 
installation location. You can leave this with the defaults unless you have 
good reason to change them. 

Select Destination Location 

Where should iJeePass Password Safe be installed? 


^2 Setup will install iieePass Password SaFe into the following folder. 

To continue, click Next. If you would like to select a different folder, click Browse. 

At least 2.8 VB of free disk space is required. 


1 Next > 




click on 'Next >' and continue. 

Setup - KeePas; Paisward Safe 

5elect Components 

Which components should be installed? 

Select the components you want to install; clear the components you do not want to 
install. Click Next when you are ready to continue. 

1 sPass Application Files 



Help Manual 

0.6 MB 

Native Support Library (KeePass 1.x) 


XSL Stylesheets for KDB4 XML Files 


Optimize KeePass Performance 

1.0 MB 

Optimize KeePass On-Demand Start-Up Performance 


Current selection requires at least 5,4 MB of disk space, 

< Back I Next > 


The above image shows the KeePass components you can choose from. Just 
leave the defaults as they are and press 'Next >'. You will come to a new 


, - ffeePan Ptriiworrf Safe 

Ready to Install 

Setup is now ready to begin installing KeePass Password 5aFe on your computer. 


click Install to continue with the installation^ or click Back iF you want to review or 
change any settings, 

Destination location; 


C;\Program Files\KeePa55 Password Safe 2 

Setup type; 

Full installation 

Selected components; 

Coi-e KeePass Application Files 

hielp Manual 

Native Support Library (KeePass l.x) 

— ' 

XSL Stylesheets for KDB4 XML Files 

Optimize KeePass Performance 

Optimize KeePass On-Demand Start-LJp Performance 


< Back |i Install | Cancel 

This doesn't do anything but give you a summary of your options. Press 
'Install' and the installation process will begin. 

Setup - (feePflss Password Safe 


Please wait while Setup installs KeePass Password Safe on your computer, 

Finishing installation. 



Encrypting Passwords with a 
Password Manager 

To encrypt password we use KeePass on Windows and KeePassX Ubuntu, and 
Keychain on OSX. The basic principle is the same; you have a file on your 
computer which is encrypted with one single very secure password. This is 
sometimes referred to as a 'Master Password', 'Admin-Password', 'Root- 
Password' etc. but they are all the ultimate key to all your other keys and 
secure data. For this reason you can't and shouldn't think to light about 
creating this password. 

If a password manager is part of your OS (like it is with OSX) it unlocks 
automatically for you after you login to your account and so opening secure 
information like passwords. For this, and other, reasons you should disable 
'Automatically Login'. When you start-up your computer you should always 
have to login and, even better, set your computer to automatically logout or 
lock the screen after a set amount of time. 

Encrypting Passwords with KeePassX on Ubuntu 

First open KeePassX from the Applications->Accessories -> KeePassX menu. 

File Entries Groups View Extras Help 
U <iJ .^-J . 'X -■'i. t? , ^ t , 'J l[ 


Title V 1 username URL | Password | Comments 


The first time you use KeePassX you need to set up a new database to store 
your passwords. Click on File->New Database 


Entries Groups View Extras Help 

Open Database.. 


y Title *^ | Username | URL 

close Database 


Save Database 
Save Database As... 


Database Settings... 
Change Master Key... 

Import from... 
Export to... 


Lock Workspace 


I U I 

I Password | Comments 


You will be asked to set a master key (password). 

New Database 

^ Set Master Key 

Enter a Password and/or choose a key file. 

H Password: 
Ci Key File: 


Generate Key File.. 



Choose a strong password for this field - refer to the chapter about 
passwords if you would like some tips on how to do this. Enter the password 
and press 'OK'. You then are asked to enter the password again. Do so and 
press 'OK'. If the passwords are the same you will see a new KeePassX 
'database' ready foryou to use. 


File Entries Groups View Extras Help 



Title V 1 Usemame URL [Password [Comments 


gi eMail 


Now you have a place to store all your passwords and protect them by the 
'master' password you just set. You will see two default categories 'Internet' 
and 'Email' - you can store passwords just under these two categories, you 
can delete categories, add sub-groups, or create new categories. For now we 
just want to stay with these two and add a password for our email to the 
email group. Right click on the email category and choose 'Add New Entry...': 

File Entries Croups View Extras Help 

a BJ a 

^ <5 , oi 5L i CJ I 


Title V , Username URL | Password | Comments 

@ internet 

Add New Subgroup... 
Edit Group... 
Delete Croup 
Sort groups 

Add New Entry... CtrltY 

Search In this Group- 






d Entryl 


^ New Entry 

Icor: l&l 








1 '^ 1 


Gen. 1 



10 Bit 



S Never 




1/1/00 11:00 AM 

: OH 






So now fill this form out with the details so you can correctly identify which 
email account the passwords are associated with. You need to fill out the 
fields 'Title' and the password fields. All else is optional. 






^ New Entry 









Icor: 1^ 



my email 






1 S6Bit 


a Never 


g IJ 

1/1/00 12:00 AM 

: I0H 






KeePassX gives some indication if the passwords you are using are 'strong' or 
'weak'. should try and make passwords stronger and for advice on this 
read the chapter about creating good passwords. Press 'OK' when you are 
done and you will see something like this: 


File Entries Groups View Extras Help 



@ Internet 


my email 

Group: I 


HPI ■ 

Creation: 05/01/2011 
Access: 05/01/ZOll 

ModiTicBtiffn: 05/01/2011 
Expiration: l^ver [-] 



To recover the passwords (see them) you must double click on the enter and 
you will see the same window you used for recording the information. If you 
click on the 'eye' icon to the right of the passwords they will be converted 
from stars (***) to the plain text so you can read it. 

Now you you can use KeePassX to store your passwords. However before 
getting too excited you must do one last thing. When you close KeePassX 
(choose File->Quit) it asks you if you would like to save the changes you have 


Save modifisd pleJ 

The current file was modified. 
Do you wart to save the changes? 




Press 'Yes'. If it is the first time you used KeePassX (oryou have just created a 
new database) you must choose a place to store your passwords. Otherwise 
it will save the updated information in the file you have previously created. 

When you want to access the passwords you must then open KeePassX and 
you will be asked for the master key. After typing this in you can add all your 
passwords to the database and see all your entries. It is not a good idea to 
open KeePassX and have it open permanently as then anyone could see your 
passwords if they can access your computer. Instead get into the practice of 
just opening it when you need it and then closing it again. 


Encrypting Passwords with KeePass on Windows 

Afteryou installed KeePass on Windows you can find it in the application 
menu. Launch the application and the following window should appear. 

■I-^I— ^^^ 

(^ KeePass Password Safe 

File Edit Vie^v T00I& Help 

UserName Password URL 

OalO selected 

I Ready. 

You start by making a database, the file which will contain your key. From the 
menu select File > New. You have to chose the name and the location of the 
file in the dialog window below. In this example we call our database 


1) Create Mew Password Database 

Zoeken in Pnvote 


Org^niseren ^ Mieuwe map 

^1 Recente locaties 

[^ BlbliDtheken 
[B1 Afbeeldingen 
IBl DacLmenten 
ijpl Mijn documen 
1^ AsusWebSto 
J^ Bluetooth &(( 
1^ EBI 
J^ Private 
Jl Openbare doci 
J^ Muzlsk 



Gewijzigd op 
Geen zoekre&ultaten. 

Rangschikken op; Map '^ 

- ^L 

Be&tandsnaam; my_pas5word_database 

Opslaanals; KeePassKDBX Files C.kdbx] 

^ Mappen verbergen 

Opslaan Annuleren 

The next screen will ask you for the master password. Enter the password and 
click on 'OK'. You will not need to select anything else. 


(§] Create Composite Master Key 

Create Composite Master Key 


Specify the composite master Icey, whicii will be used to encrypt tiie database. 

A composite master key consists of one or more of the following key sources. All sources you specify will 
be required to open the database. If you lose one source, you will not be able to open the database. 

W\ Master passmxd: 

F^eat password: 
Estimated quality: 



r~l ;.!tfe|f..f!.ie../p!nt>yi.dtHr:: ^None) 


[fe Ero',vse... 

Create a new key file or browse your disks for an existing one. If you have installed a key provider 
plugin. it is also listed in this combo box. 

I I Windows user accctrt 

This souroe uses data of the current Windows user. This data does not change when the Windows 
account password changes. 

If the Windows account is lost, it will not be enough to create a new account with the same user 
name and password. A complete backup of the user account is required. Creating and restoring 
such a backup is not a simple task. If you donl know how to do this, dont enable this option. 




The next window allows you to add special configuration settings foryour 
new database. We do not need to edit anything. Just click on 'OK'. 


(^] Create New Password Database - Step 2 

^ — abase Settings 

Here you can configure various database settings. 

General Security | Fratedion | CompreBsion | Recyde Bin | Advanced | 

Database name: Enter a name fortiie database or leave it empty. 

Database description: 

Enter a siiort description of the database or leave it empty. 

Default user name for new entries: 
n Custom database color: 




Now the main window appears again and we see some default password 
categories on the left side. Lets add a new password in the category 'Internet'. 

First click on the word 'Internet', then click on the add entry icon ~-^ under 
the menu bar. 


(fl.l my_pass\vord_databa£e.kdbK* - K&ePass Pas;.word Safe 



File Edit View Toots Help 

^ my_p3ssword_claftabase 

Q General 
^ Windows 
2 Network 
@ Internet 
^ eMail 
'5ii Homebanking 

Title User Name Password 

^ Sample En... User Name imm^r 

URL Notes 

http;//www. ... N otes 

of 1 selected 

I Ready. 

A widow will appear like below. Use the fields to give a description of this 
particular password, and of course, enter the password itself When done, 
click on 'OK'. 


(^ Add Entr] 


Add Entry 

Create a new password entr^ 

Entry Advanced | Properties | Auto-Type | History | 


My Gmail password 


n &pin 

1- 5-2011 13:54:41 


^ Tools 





Encrypting Passwords with Keychain on Mac OSX 

Mac OSX comes pre-installed with the build in password manager 'Keychain'. 
Because of it's tight integration with the OS most of the time you will hardly 
know it exists. But every now and then you will have a pop-up window in 
almost any application asking 'do you want to store this password in your 
keychain?'. This happens when you add new email accounts to your mail 
client, login to a protected wireless network, enter your details in your chat 
client etc. etc. etc. 

Basically what happens is that Mac OSX offers you to store all that login data 
and different passwords in an encrypted file which it unlocks as soon as you 
login to your account. You can then check your mail, logon to your WiFi and 
use your chat client without having to enter your login data all the time over 
and over again. This is a fully automated process, but if you want to see what 
is stored where and alter passwords, or lookup a password you will have to 
open the Keychain program. 

You can find the Keychain program in the Utilities folder which lives in the 
Applications folder. 



KeychoJn Access 

When you open it you will see that your 'Login' keychain is unlocked and see 
all the items contained in it on the right bottom side of the window. 

(note: the window here is empty because it seemed to be deceiving the 
purpose of this manual to make a screenshot of my personal keychain items 
and share it here with you) 

f © O O 

l|3 Click to lock the login keychain. 

Keychain Access 


if login 

© System 

C System Roots 


^ All Items 

/„ Passwords 

_ii_ Secure Notes 

B My Certificates 

f Keys 

m Ceftlflcates 



You can double click any of the items in the Keychain to view it's details and 
tick 'Show password:' to see the password associated with the item. 


Creenhost Clients 

I Attributes Access Control 


Name: Creerhosl Clieints 

Kindj AirPort network password 

AccDjnt: Creen^iost Clients 

Where: DEE954G7-B706-4ZC5-9EBF-0D9F206C33EA 

Show pasE-word: 


( Save Changes J 

You will note that it will ask you for your master or login password to view 
the item. 

Type an admmistrator's name and password 
to allow Keychain Access to make changes. 

Name: John 

h Details 


Q Cancel } f OK j 

You can access modify any of the items and also use the Keychain to securely 
save any bits and pieces of text using the notes. To do this click on notes and 
than choose 'New secure Note item' from the file menu. 


That's it 




Introduction to safe browsing 

Web browsing is one of the key activities we engage in while using the 
internet. Our browsing histories, the things we search for, the sites we visit 
and the things we might post might be of interest to others, it is valuable to 
them either for commercial or political reasons. The following chapter deals 
with securing the way you browse the internet and makes you more familiar 
with threats you are facing so you can recognize them and act appropriately. 

The first thing to consider is which web browser to use. 
Windows comes pre-installed with Internet Explorer while 
,' , Apple computers come shipped with Safari. In this book 
' we will exclusively look at the excellent and freely available 
Firefox browser 

Firefox runs on all the major operating systems Windows, MacOS and Linux 
and it has been translated into more than 75 languages. When concerned 
about securing your browsing activities there it is the only viable option when 
choosing a browser Therefore this section only deals with Firefox and its add- 
ons. Know that you can also install Firefox on a CD or USB, so you can take it 
with you where ever you go, so you know you have it installed from a trusted 
source (see also the chapter on portable software). 

Why browsing is unsafe 

The Hypertext Transfer Protocol (HTTP) is the networking protocol used by 
browsers that allows communication between you and a site you are visiting. 
Because communication is transmitted in plain text it is unsafe, especially 
when using wireless networks. It is like transmitting a message with personal 
information on a postcard. Data, such as user names and passwords, sent to 
and received by Web sites, are easy to read by third parties. 

To solve this problem the Hypertext Transfer Protocol Secure (HTTPS) was 
invented to provide encrypted communication and secure identification of a 
network web server. Most major Web sites, including Google, Wikipedia, and 
popular social networking platforms such as Facebook and Twitter can also 
be reached via a secure connection, but not necessarily by default. Note that 
most sites do not provide encryption. 


What is the difference between HTTP and HTTPS? Meet Sacha and John: 

Saoha uses HTTP 
to browse the web 
His data isn't 
protected end to 
end and can be 
recorded and 
accesed any- 
where between 
his computer 
and the web 


John uses HTTPS to 

browse the web 

His data is protected 

end to end and can 

also be recorded 

tiyf appears as 

gafbis to any 


between his 

computer and 

the web. 

In this section will discuss several safety measures: how to Install FIrefox, 
how to extend FIrefox with add-ons to ensure safer browsing, and how to 
finder safer routes through TOR, proxy settings and FoxyProxy. 


Installing Firefoxon Ubuntu 

Firefox is already installed on Ubuntu as part of the normal installation. If you 
want to install a different (most commonly newer) version of Firefox on your 
Ubuntu system (or other GNU/Linux systems) that is also possible and is 
explained below. 

Accessing it is easy. If you are using an installation of Ubuntu with no changes 
to the default Desktop, select /4pp/;cat/ons > Internet > Firefox Web Browser. 

^3 Applications Places 


pljj^ Accessories ► 
[^ Games ► 
^(S« Graphics ► 


^^ Internet ► 

El. Ekiga Softphone 

H Office ► 
HQ Sound & Video ► 

Q Evolution Mail 

■K Firefox Web Browser 

^J Add/Rernove... 

^ Gaim Internet Messenger 

E" gFTP 

^a. Terminal Server Client 

Firefox starts and a welcome window opens: 

£lle Edit ^lew History £oDkmark^ laols Uelp 

^ - 6^ • 1^ ^ ^ I Ll filcii'/AisrVshaiWubuntu-artwcrli/hqme > | ^j 'j 

^GeaSng Started BjLstest BBC Hescriines 


•O ubuntu 

Welcome to Ubuntu 7.04, Feisty 

The Ubuntu project is built on the Ideds enshrined in the 

Ubuntu philosoDhv : that software should be available free 
of charge, that software tools should be usable by people 


If you want to upgrade the version of Firefox included with Ubuntu to the 
latest version, such as a beta version or a new stable version, replacing your 
existing version, a detailed guide is available on the U buntu wil<i at 


Installing on Mac OS X 

1. To download Firefox, visit and click on the big 
green button labeled "Firefox Free Download.", and the download starts. 
If it does not start automattically, click the link on the page. 

Mo7illa I Firefox: web browser & Thunderbird email di 


2. When prompted, click OK. 


Opening Firefox 4.0.1.dmg 

Vou have chosen to open 
!j Firefox 4.a.l.dmg 

which is a: DMG file 

from : hup: / /www.mi 

What shojld Firefox do with this file? 

O Open with [ ^Choose.. .J 
@ Save File 

Q] Do thii automatically for files like this from now on. 

( Cancei "^ ( OK > 

Once the download is complete a window similar to this appears: 

I Firefox 

3. click and hold the Firefox Icon, then drag it on top of the Applications 
icon. When it is on top of the Applications icon, release the mouse 
button. This starts copying the program files to the Applications 
directory on your computer 

4. When the installation step is finished, close the two small Firefox 

5. Eject the Firefox disk image. If this does not work by normal means, 
select the disk image icon and then, in the Finder menu, select f;7e > 
f/ect Firefox. 


6. Now, open the Applications directory and drag the Firefox icon to the 

7. Click either icon (in the Dock or the Applications folder) to start Firefox. 
The Import Wizard dialog box appears: 


Import Wizard 


Import Settings and Dam 


Import Preferences, Bookmarks, History, Passwords and other data 

Q Safari 

( Cancel J 

(^ Co Back ) ►^nntimje 1 

To import your bookmarks, passwords and other data from Safari, click 
Continue. If you don't want to import anything, just select Cancel. 


9. Click Continue. Now you see the Welcome to Firefox page. 

Welcome to Firefox 4 

<)*■ \ I® http://wvw.m<;^illd.i:om/en-JS/hrefQx/4,0,l/:vha 

n?l ( r'l- Googte 


8^ mozilla 
J Firefox 

Made by a global non-profit dedicated to shaping the 
future of the Web for the public good. Leam more » 



Step 2: 



] [*J i." "". 


^ ifoi'ti the parhj » 

Go Mobile. Plan Spark'. « 

To learn basic information about Firefox, click Getting 


For assistance, click Visit Support. 

To customize your new installation using the addons 

wizard, click Customize Now! 

In the upper right of the Welcome page is a button 

labeled Know your rights. Click this button to display 

the following screen, which tells you about your rights 

under the Mozilla Public License and provides links to 

Mozilla's privacy policies and service terms, as well as 

trademark information. 

About Your Rights 

htozilb fuciat is Fret and apen source- iDFtwart, built bv a 

rv 4if thGuiandi fram all dvef th« vrarld. ThErc j.rE a Few tilings, v^u i 

■ Flrtfox ii mdde iMilJWe TO yo« undtr the icffYhi <>f the Muziiia Public Lieerii^ , T?iii rnaa^iyou rtMym. copy intHl inntiui* Firefox to CHhrtfs . 
T(Mj vt jlio wfkorn* TO modi^ ih« vi\M^ tod* njf FIi^ixjk a voij iMrm m mm y^Hjr n«di, Ttue mohiis mdiic Licenjf iiioqiVEJ rw fff 

fight to dlttribuw ywur modifl^ inVUCnt- 
B U02i||4 does fioc grinr^oit in^ fighitt to (Im Hozi||4 ind Flr(foK (rultmirK; or lO^Oi - Afl(|iI>On4l infommtlon on TradtmirKj rmy tw found 

> Vt\fM.y [Wlicici lor HozpIU's d'oducii lYtar Ik reuid htre . 

10. Close the Welcome to Firefox page (click the x in the tab at the top of 
the page). Now you see the Firefox Start page. 

Congratulations, you are now ready to use Firefox! 


Da yM k)v* aM-v»t Shan* ^ouf favwitw ^rd (foomw na^ wwa wMv Cellac&ara: 

If you have permission problems when trying to copy Firefox from the disk 
image to your Applications folder, first try deleting your old Firefox copy, then 

If you're installing a beta and that you want to keep your former Firefox copy, 
first rename your old Firefox copy to something like "Firefox old" and then 
copy the beta to your Applications folder. 


Installing Firefox on Windows 

Firefox requires a computer with a minimum of a 233 MHz processor, running 
Windows 2000 or later. To checl< system requirements for Firefox, go to: 


Download and Install Firefox 

1. Visit the Firefox Download Page at in 
any browser (such as Microsoft Internet Explorer). The download page 
automatically detects the operating system and language on your 
computer and recommends the best edition(s) of Firefox foryou. If you 
want to download Firefox for a different language or for a different 
operating system than the one detected, click "Other Systems and 
Languages" to see a list of all the others available. 






Made to make the 
Web a better place. 

a new super even more 

look speed awesomeness 

Get Firefox on youi phone! 

2. Click the download button and the setup file will begin to download to 
your computer. Once the download completes, it is recommended that 
you exit all your running programs before running the installation. 


3. Double-click the file to start the FIrefox Install wizard. 

o If you are running Windows Vista, you may get a User 

Account Control prompt. In this case, allow the setup 

to run by clicking Continue. 
o If you are running Windows 7, you will be asked 

whether to allow FIrefox to make changes to your 

computer. Click on Yes. 

A welcome screen appears. 

4. Click Next to continue. The Setup Type screen appears. A "Standard" 
setup is selected by default (using the custom option is only 
recommended for experienced users). 

'^ Mozilla Firefox Setup 

Seti^j Type 

Choose setup options 


Choose the type of setup you preferr ttien dick Nest. 

#) Standard 

Firefox will be installed with the most common options, 

© Custom 

Vou may choose individual options to be installed, Recommended for experienced 


Next > 



5. Firefox installs itself as your default browser. If you do not want Firefox 
to be your default browser, clear the check box Use Firefox as my 
default web browser. 

'^ Mozills Setjp^^^^^^^^^^H 


l-i \m£2^ 

Ready to st^rt instBlling Firefox ^^^Hf 

FirefoM will be installed to the following location: 

CiV^rogram FilesV^ozilla Firetbx 

IV] Use Firefox as my default web browser 
Click Install to continue. 





1 [ Cancel 

6. Click Next. 


Firefox asks whether to import the settings, like bookmarks, from other 
browsers. Select the browseryou are currently using, then click on 

Import Vfaard ^^^^^^^^^^^^^^ Ife^^l 

Import Settings and Data J|^^ 

Import Options, Bookmarks, History, Passwords and other data from; 

!■!)! Microsoft Internet Explorer! 
Q Don't import anything 





Firefox will confirm you have imported the setting and continue the 
installation. Click on Continue. Once Firefox has been installed, click 
Finish to close the setup wizard. 

; VS Mozilla Firefox Setup 

Completing the Mozikia Firefox 

Setup Wizard 

Mozilla Firefox has been installed on your computer, 
Click Finish to dose this wizard, 

[71 Launch Firefox now 


"l ^^^ r 


If the Launch Firefox now check box is checked, Firefox will start afteryou 
click Finish. 

Windows Vista Users: 

If at any time throughout the installation process you are prompted with a 
User Account Control (UAC) window, press Continue, Allow, or Accept. 


If you have problems starting Firefox, see 
http://support. mozilla. com/kb/Firefox+will+not+start 


Protecting your internet passwords 

Firefox can rememberyour internet passwords. This can be a very convenient 
option to use with all those different sites requiring passwords nowadays. 
However, if you use this function you have to set a master password, 
otherwise this feature is a real security threat. To enable a master password 
open your Firefox preferences and select the security icon. Check the "use a 
master password" box. 












a ^ 

Advanced | 

Warn me when sites try to install add-ons (^Exceptions. ..J 

H Block reported attack sites 
M Block reported web forgeries 


M Remember passwords for sites t Exceptions.. .J 

H Llse a master password ( ^Change Master Password.. .J 

( ^Saved Passwords.. .J 

Warning Messages 

Clioose which warning messages you want lo see wliile browsing the web rSGttmgs...^ 

After launching Firefox is will ask you once for the master password, after that 
the internet password keyring will be unlocked. If the internet password 
keyring is unlocked, you can inspect all saved passwords in the Preferences -> 
Security -> "Saved Passwords ..." dialog. If you browse to a known website 
with a login form, the password is entered automatically. 


Please note that at the time of this writing the 
implementation of Firefox' internet password keyring is not 
complete, as it is not locked automatically after a certain 
time of inactivity or before closing your laptop lid. If you 
want Firefox to lock your internet password keyring 
automatically after a certain time of you not using your 
computer, you might install the "Master Password 
Timeout" Plugin. 


Extending Firefox 

when you first download and install Firefox, it can handle 
basic browser tasks immediately. You can also add extra 
capabilities or change the way Firefox behaves by installing 
add-ons, small additions that extend Firefox's power. 

Firefox extensions can pimp your browser, but they can also collect and 
transmit information about you. Before you install any add-on, keep in mind 
to choose add-ons from trusted sources. Otherwise, an add-on might share 
information about you without your knowing, keep a record on the sites you 
have visited, or even harm your computer. 

There are several kinds of add-ons: 

• Extensions add functionality to Firefox 

• Themes change the appearance of Firefox. 

• Plugins help Firefox handle things it normally can't process (i.e. Flash 
movies, Java applications). 

For the topics covered in this book we are only going to need extensions. We 
will look at some add-ons that are particularly relevant for dealing with 
Internet security. The variety of available extensions is enormous. You can add 
dictionaries for different languages, track the weather in other countries, get 
suggestions for Web sites that are similar to the one you are currently 
viewing, and much more. Firefox keeps a list of current extensions on its site 
(, or you can browse them by category at 


Caution: We recommend that you never install an add-on 
for Firefox unless it is available from the Firefox add-on 
pages. You should also never install Firefox unless you get 
the installation files from a trusted source. It is important 
to note that using Firefox on someone else's computer or 
in an Internet caf increases your potential vulnerability. 
Know that you can take Firefox on a CD or USB-stick 
(check our chapter on that issue). 

While no tool can protect you completely against all threats to your online 
privacy and security, the Firefox extensions described in this chapter can 
significantly reduce your exposure to the most common ones, and increase 
your chances of remaining anonymous. 


HTTPS Everywhere 

HTTP is considered unsafe, because communication is transmitted in plain 
text. Many sites on the Web offer some support for encryption over HTTPS, 
but make it difficult to use. For instance, they may connect you to HTTP by 
default, even when HTTPS is available, or they may fill encrypted pages with 
links that go back to the unencrypted site. The HTTPS Everywhere extension 
fixes these problems by rewriting all requests to these sites to HTTPS. 
Although the extension is called "HTTPS Everywhere", it only activates HTTPS 
on a particular list of sites and can only use HTTPS on sites that have chosen 
to support it. It cannot make your connection to a site secure if that site does 
not offer HTTPS as an option. 

wnat (s the ditfefence between HTTP and HTTPS? Meet Sacha and John: 

Sacha uses HTTP 
to browse the web 
His data isn't 
protected end to 
end and can be 
recorded and 
accesed any- 
where between 
his ccunputer 
and the web 


Jofin uses HTTPS to 

browse the web 

His data is protected 

end to end and can 

also be recorded 

but appears ss 

garble lo any 


between his 

computer and 

the web. 

Please note that some of those sites still include a lot of content, such as 
images or icons, from third party domains that is not available over HTTPS. As 
always, if the browser's lock icon is broken or carries an exclamation mark, 
you may remain vulnerable to some adversaries that use active attacks or 
traffic analysis. However, the effort required to monitor your browsing 
should still be usefully increased. 

Some Web sites (such as Gmail) provide HTTPS support automatically, but 
using HTTPS Everywhere will also protect you from SSL-stripping attacks, in 
which an attacker hides the HTTPS version of the site from your computer if 
you initially try to access the HTTP version. 

Additional information can be found at: 



First, download the HTTPS Everywhere extension from the official Web site: 

Select the newest release. In the example below, version 0.9.4 of HTTPS 
Everywhere was used. (A newer version may be available now.) 


I ^ HTTPS Everywhere | Electronic Frontier ... J ^^ 
^ J . I ^^^j^j^j^^^ https;//www,eff,org/https- everywhere ' 



' Clla- GmjteP l-friiD' 

https:// p 

In an ide 
from req 

Firefox prevented this site [] from 
asking you to install software on your 



loScript, and to support coi 
rPS without breaking anyth 

UrfortLnately, there's no vi 

you get from requesting h] 

the only way to switch every page to https is to fetch the page insecurely f rst. There is a Chrt 

Enforcer which attempts to take that approach, but it does not appear to be implemented sec 

seerrved to always use http before https, which means that your surfing habits and authentica' 

j|;(this may be a limitation of the Ctirome Extensions framework}, 1 


HTTPS Everywhere is licensed under the GNU General Public License, version 2 or later. To 1 
deveiopment page . 


55,82 KB 




188,9 KB 



56,18 KB 


5,66 KB 

Click on "Allow". You will then have to restart Firefox by clicking on the 
"Restart Now" button. HTTPS Everywhere is now installed. 


https:/; f : 

In an ide;. 

[^ HTTPS Eveiywheie | Electronic Fiontiei ... |k^ 



HTTPS-Everywhere will bein&talled after you 
restart Firefox, 

Restart Mow jt 

JoScript, and to support co[ 
rPS wlttioLt breaking anyth 

Unfortunately, there's no w 

from requesting https:/ is the same as what you get from requesting h] 
the only way to switch e/efy page to https is to fetch the page insecurely f rst. There is a Chrt 
Enforcer which attempts to take that approach, but it does not appear to be implemented sec 

seemed to always use http before https. which means that your surfing habits and authentica 
(this may be a limitation of the Chrome Extensions frameworl<}. 


HTTPS Everywhere is licensed under the GNU General Public License, version 2 or later. To i 
development page . 



http s -evervwhere-0.9.4.xpi 



55.82 KB 
188.9 KB 
56.18 KB 
5.66 KB 

^ L 


To access the HTTPS Everywhere settings panel In Firefox 4 (Linux), click on 
the Firefox menu at the top left on your screen and then select Add-ons 
Manager. (Note that in different versions of Firefox and different operating 
systems, the Add-ons Manager may be located In different places In the 


I 4 Add-ons N^nager 



♦ ♦ 


Search aii add-cn^ 

HTTPS-Everywhere 0.9.4 

En crypt the Web ! ... More , Options , , Disable , , Remove 


click on the Options button. 

HTTPS Everywhere Preference! 


Whiichi H 1 1 PS redirection rule^ should applyr 

□ Amazon (buggy) [3 Amazon 5.3 


|2l CDT 

|r| CiscQ (testing} 

la DropbtH E] DuckDudtGo 


E] Evernote 

E Faceboot 

O fBcebook^- (may break appsj [7] Gentoo 

E GitHub 


E Google APIs 

M\ GoogfeSearch [7] GoogleServices 

E Hotmail /Live 

E Identica 

E Ixquick 

El Mail, com |Vl Meebo 

E Microsoft 

E Mozilla 

E NLOverheid 

m Noisebridge g] NVTimes 

S PayPal 

[7] Scroogle 

\7\ Torproject 

\7\ Twitter \7\ WashingtonPost 

E Wikipedia 


E Zoho 

Vou can learn how to write your own rulesets (to atjd support f 

or other web sites) h_ 


1 OisableAII | 

1 ™ 1 

EnableAll | | Cancel | 

A list of all supported Web sites where HTTPS redirection rules should be 
applied will be displayed. If you have problems with a specific redirection 
rule, you can uncheck it here, in that case, HTTPS Everywhere will no longer 
modify your connections to that specific site. 



Once enabled and configured, HTTPS Everywhere is very easy and transparent 
to use. Type an insecure HTTP URL (for example, 


I Mozilla RiEfoK Start Page |^^ 

^^J^l http;//wwrw,gt>o-gle,ct>m/ 

el [a-Goog[ep1 |#||B-| 


Search a^^=™=«J ^'^^^ 


If 5 easy to customize your Firefoji: exa ctly th e way 
you want it. Chooaefrom thousands of add-ons.. 

(^ Restore Pievious Session 

About MdzIIIb 

Press Enter. You will be automatically redirected to the secure HTTPS 
encrypted Web site (in this example: No other 
action is needed. 










,4-j^ I^EBB 

^^*mps;//encrypted,got>gle,ct>m7^N - " ^ G? SI 

^ Google 



^^s^^ ^^ 


' a SSL 



o: ^t. 


Go to classic Google. 

3iy ^v 


Attvanceri sea 

Advertising Progran 


Google Search 

I'm Feeling Lucky 


Learn more about searching on Google 

ns Business Solutions About Google 
©2011 -Privacy 

with SSL. 

<■ 1 


If networks block HTTPS 

Your network operator may decide to block the secure versions of Web sites 
in order to increase its ability to spy on what you do. In such cases, HTTPS 
Everywhere could prevent you from using these sites because it forces your 
browser to use only the secure version of these sites, never the insecure 
version. (For example, we heard about an airport Wi-Fi network where all 
HTTP connections were permitted, but not HTTPS connections. Perhaps the 
Wi-Fi operators were interested in watching what users did. At that airport, 
users with HTTPS Everywhere were not able to use certain Web sites unless 
they temporarily disabled HTTPS Everywhere.) 

In this scenario, you might choose to use HTTPS Everywhere together with a 
circumvention technology such as Tor or a VPN in order to bypass the 
network's blocking of secure access to Web sites. 


Adding support for additional sites in HTTPS Everywhere 

You can add your own rules to the HTTPS Everywhere add-on for your favorite 
Web sites. You can find out how to do that at: 
everywhere/rulesets. The benefit of adding rules is that they teach HTTPS 
Everywhere how to ensure that your access to these sites is secure. But 
remember: HTTPS Everywhere does not allow you to access sites securely 
unless the site operators have already chosen to make their sites available 
through HTTPS. If a site does not support HTTPS, there is no benefit to adding 
a ruleset for it. 

If you are managing a Web site and have made an HTTPS version of the site 
available, a good practice would be to submit your Web site to the official 
HTTPS Everywhere release. 

Adblock Plus 

Adblock Plus ( is mainly known for blocking 
advertisements on websites. But it also can be used to block other content 
that may try to track you. To keep current with the latest threats, Adblock 
Plus relies on blacklists maintained by volunteers. 

Extra Geek info: How does Adblock Plus block addresses? 

^^^_^ The hard work here is actually done by Gecko, the engine 

^^V^^^ on top of which Firefox, Thunderbird and other 
^^■^^H applications are built. It allows something called "content 
^^^^^V policies". A content policy is simply a JavaScript (or C++) 
^^^^ object that gets called whenever the browser needs to load 
something. It can then look at the address that should be 
loaded and some other data and decide whether it should 
be allowed. There is a number of built-in content policies 
(when you define which sites shouldn't be allowed to load images in Firefox 
or SeaMonkey, you are actually configuring one of these built-in content 
policies) and any extension can register one. So all that Adblock Plus has to do 
is to register its content policy, other than that there is only application logic 
to decide which addresses to block and user interface code to allow 
configuration of filters. 

Getting started with Adblock Plus 

Once you have Firefox installed: 

1. Download the latest version of Adblock Plus from the Add-On database 
of Firefox 


2. Confirm that your want Adblock Plus by clicking "Install Now". 

3. After Adblock Plus has been installed, Firefox will ask to restart. 

Choosing a filter subscription 

Adblock Plus by itself doesn't do anything. It can see each element that a Web 
site attempts to load, but it doesn't know which ones should be blocked. This 
is what Adblock's filters are for. After restarting Firefox, you will be asked to 
choose a filter subscription (free). 

^ ;'> I D chrpme://adblpckplus/cpnteniyui/subscriptipnSe "''" "'^ | ^f - Google P \ -ft ^ '■ E' ! 

Adblock Pluswill be most effective if you add a filter subscription. Filter subscriptions are provided by other 
Adblock Plus users free of charge. The most suitable subscription for your language is already selected. 

Please choose a filter subscription from the listi 


Visit home page 

Add a diffecent subscription 

Add subscription I 


Which filter subscription should you choose? Adblock Plus offers a few in its 
dropdown menu and you may wish to learn about the strengths of each. A 
good filter to start protecting your privacy is EasyList (also available at 

As tempting as it may seem, don't add as many subscriptions as you can get, 
since some may overlap, resulting in unexpected outcomes. EasyList (mainly 
targeted at English-language sites) works well with other EasyList extensions 
(such as region-specific lists like RuAdList or thematic lists like EasyPrivacy). 
But it collides with Fanboy's List (another list with main focus on English- 
language sites). 

You can always change your filter subscriptions at any time within 
preferences. Once you've made your changes, click OK. 


Creating personalized filters 

AdBlock Plus also lets you create your own filters, If you are so inclined. To 
add a filter, start with Adblock Plus preferences and click on "Add Filter" at the 
bottom left corner of the window. Personalized filters may not replace the 
benefits of well-maintained blacklists like EasyList, but they're very useful for 
blocking specific content that isn't covered in the public lists. For example, if 
you wanted to prevent interaction with Facebook from other Web sites, you 
could add the following filter: 

I I facebook.*$domain=~f I ~127. 0.0. 1 

The first part (||facebook.*) will initially block everything coming from 
Facebook's domain. The second part ($|-l27.0.0.l) is 
an exception that tells the filter to allow Facebook requests only when you 
are in Facebook or if the Facebook requests come from 127. 0.0.1 (your own 
computer) in order to keep certain features of Facebook working. 

A guide on how to create your own Adblock Plus filters can be found at 

Enabling and disabling AdBlock Plus for specific elements or 
Web sites 

You can see the elements identified by AdBlock Plus by clicking on the ABP 
icon in your browser (usually next to the search bar) and selecting "Open ,ajfc. 
blockable items". A window at the bottom of your browser will let you Wp 
enable or disable each element on a case-by-case basis. Alternatively, 
you can disable AdBlock Plus for a specific domain or page by clicking on the 
ABP icon and ticking the option "Disable on [domain name]" or "Disable on 
this page only". 


The NoScript extension takes browser protection further by globally blocking 
all JavaScript, Java and other executable content that could load from a Web 
site and run on your computer. To tell NoScript to ignore specific sites, you 
need to add them to a whitelist. This may sound tedious, but NoScript does a 
good job in protecting Internet users from several threats such as cross-site 
scripting (when attackers place malicious code from one site in another site) 
and clickjacking (when clicking on an innocuous object on a page reveals 
confidential information or allows the attacker to take control of your 
computer). To get NoScript, visit or 


The same method by which NoScript protects you can alter the appearance 
and functionality of good Web pages, too. Luckily, you can adjust how 
NoScript treats individual pages or Web sites manually - it is up to you to find 
the right balance between convenience and security. 


Getting started with NoScript 

1. Co to the NoScript download section at Click 
on the green "INSTALL" button. 

2. Confirm that you want NoScript by clicking "Install Now". 

I 4t Add-on; Manager 

i a* I 



© ' Ficrectipt 

Name Last Updated Best match' 
Search: My Add-ons ^^^^^^^^^^^S 

/C\ Nn<:rrint J.O.q.B 


^ff' ^. Downloading ©I 

iMaCrOS for Fire... W=dn„d,y, February 09 mi 
Automate FirefoK, Record and replay repetitio.,. More ^"^^1^ 

Shareaholic - Share ... 2.2.0 f ■J=y.D="'^i'='"^tii" 

Shareaholic lithe easlertway to ihare Interes... Mere Iri^^ll 

BeefTacotTargete... 1.3.3 Monday, Februa^, 07, 2011 

Sets permanent opt-out cookies to stop beha... More ^ri^^ll 

Integrated Gmail 2.6.11 Wedn„d,y. January 26 mi 

nm^il 4. I^fifinlo r^lonHar 4. Hrinnlo Ro^rlor 4. Mnrp Install 


3. Restart your browser when asked. 

I (g) Mozilla Firefox Start Page 



^ Add-on5 Manager 

La rt Updated 

Search: My Add-ons ^JlllBIBJBiBI^ 

J NoScript will be installed after von restart „ , , , 

*^ r- f Restart now Undo 

^ NoScript W^dnEsday, February 23, mi 

^^^ Extra protection for your Firefox: No Script allows JavaScript^ Jav... More 

iMacros for Fire... w=dn„d,),,F=b,u,ryD<),fflii 

Automate FirefoK. Record and replay repetiti... More 1"'^^^^ 

Shareaholk - Share ... 2.2.0 Fr>J=y, December 17, 2010 

Shareaholic i^the ea^ie^t way to ^hare interes... More In^^H 

Beef Taco aargete... 1.3.3 Monday, Fsbruar, 07 2011 

Sets permanent opt-out cookies to stop beh... Mere ^ri^^ll 

Intearated Gmail 2.6.11 w=dn«d,y,j,nu,ry26,fflii . 

NoScript notifications and adding Web sites to your whitelist 

Once restarted, your browser will have a NoScript icon at the bottom right 
corner, where the status bar is, indicating what level of permission the 
current Web site has to execute content on your PC. 

® Full protection: scripts are blocked for the current site and its 

subframes. Even if some of the script sources imported by the page are 

in your whitelist, code won't run (the hosting documents are not 


® Very restricted: the main site is still forbidden, but some pieces (such 

as frames) are allowed. In this case, some code may be running, but the 

page is unlikely to work correctly because its main script source is still 


S Limited permissions: scripts are allowed for the main document, but 

other active elements, or script sources imported by the page, are not 

allowed. This happens when there are multiple frames on a page or 

script elements that link to code hosted on other platforms. 

~ii (Mostly trusted: all the script sources for the page are allowed, but 

some embedded content (such as frames) are blocked. 

9 Selective protection: scripts are allowed for some U RLs. All the others 

are marked as untrusted. 


• §J All scripts are allowed for the current site. 

• S'' Scripts are allowed globally, however content marked as untrusted 
will not be loaded. 

To add a site that you trust to your whitelist, click on the NoScript icon and 

• "Allow [domain name]" to allow all scripts that are hosted under a 
specific domain name, or 

• "Allow all this page" to allow complete script execution - including third 
party scripts that may be hosted elsewhere, but are imported by the 
main Web site. 

(You can also use the "Temporarily allow" options to allow content loading 
only for the current browsing session. This is useful for people who intend to 
visit a site just once, and who want to keep their whitelist at a manageable 

Facebook helps you connect and share with 
the people in your life. 




About NoStnpt,,, 


Allow Scripts Globally [dangerous) 

Allow all thi^ page 

lejnpcTDJilj'oIioir oil ih[^ page 


Allow fbtdn, net 

Tempj^rarily atioiv 

Allow tacebookjjom 

Temporanli, allow face 

Alternatively, you can add domain names directly to the whitelist by clicking 
on the NoScript button, selecting Options and then clicking on the Whitelist 


WoScrrpt Options 

General | Whitelist | Embeddings Appearance Notifications Advanced 

You can specify which web sites are allowed to execute scripts, Type the address or the 
domain (e.g. "" or ""] of the site you want to allow and then 
click Allow. 

Address of web site; 


rrvcn rnrn 

Remove Selected Sites 

RevokeTemporary Permissions 





Marking content as untrusted 

If you want to permanently prevent scripts from loading on a particular Web 
site, you can mark It as untrusted: just click the NoScript icon, open the 
"Untrusted" menu and select "Mark [domain name] as Untrusted". NoScript 
will rememberyour choice, even if the "Allow Scripts Globally" option is 

Other extensions that can improve your security 

Below is a short list of extensions that are not covered in this book but are 
helpful to further protect you. 

K^« Flagfox - puts a flag in the location bar telling you where the server you 
Ir^are visiting is most probably located, 
U S/fi refox/addon/flagfox/ 

1 BetterPrivacy - manages "cookies" used to track you while visiting 
websites. Cookies are small bits of information stored in your browser. 
Some of them are used to track the sites you are visiting by advertisers. 


ft.q GoogleSharing- If you are worried that google knows your search 

history, this extension will help you prevent that. 


Proxy Settings and Foxy Proxy 

A proxy server allows you to reach a Web site or other 
Internet location even when direct access is blocked in 
your country or by your ISP. There are many different kinds 
of proxies, including: 

• Web proxies, which only require that you know the proxy Web site's 
address. A Web proxy URL may look like 

• HTTP proxies, which require that you modify your Browser settings. 
HTTP proxies only work for Web content. You may get the information 
about a HTTP proxy in the format "" or 

• SOCKS proxies, which also require that you modify your Browser 
settings. SOCKS proxies work for many different Internet applications, 
including e-mail and instant messaging tools. The SOCKS proxy 
information looks just like HTTP proxy information. 

You can use a Web proxy directly without any configuration by typing in the 
URL. The HTTP and SOCKS proxies, however, have to be configured in your 
Web browser. 

Default Firefox proxy configuration 

In Firefox 4 you can change the settings for using a proxy you'll have to open 
the Options or Preferences window of Firefox. You can find this in the menu, 
by clicking on the upper left corner of the Window and selecting Options > 
Options. See below. 


[I5^m...nft-';.pf iiritv/pdit/ ^ 

^ Add-ons Manager 

NewTab ► 

^7 Boolcmarks 



p? Start Private Brows-ing 

History ► 


ff/^f . _ fc ^ 

:ing and FoxyPro> 


■ft Add-ons 

Save and continue i 

^ave Page As.,, 



Options 1 

Send Link.., 

He[p ► 

Menu Bar 

1^ Print,,. ► 

i/ 1 Navigation Toolbar 

Web Developer ► 

Bookmarks Toolbar 
Add-on Bar Ctrl-n/ 

Full Screen 

Set Up Sync, 

'Z 1 Tabs on Top 

M B(it 

Toolbar Layouts. 

Go to the Advanced section and open the Network tab. 


'D ft 

p» & 

Gene^el Tabs Content Applications Privacy Security Advanced Sync 

General Network Update] Encryption | 


Configure how Firefox connect:. to thelnternet 

Offline Storage 


Youi cache is currently using 7.6 MB of disk space 

Char Now 

B Override automatic cache management 
Limit cachetc ' 1024' MB of :pace 

W\ Tell me when a website asks to store data for offline use 


The following websites have stored data for offline use; 






Select Settings, click on "Manual proxy configuration" and enter the 
information of the proxy server you want to use. Please remember that HTTP 
proxies and SOCKS proxies work differently and have to be entered in the 
corresponding fields. If there is a colon (:) in your proxy information, that is 
the separator between the proxy address and the port number. Your screen 
should look like this: 

Connection Setting 

Configure ProKJe^ to Accent tlie Internet 

© Noprojj/ 

© Auto -detect proxy settings for this networic 

© Use system proxy settings 

(0) Manual pro>y configuration: 

HTTP Proxy; Port; 
O Lbe this prcmy server for all protocols 

8080 : 

SSL Proxy: 



FTP Proiiy: 



SOCKS Hort; 

© SOCKS v4 Igi SOCKS y5 


NoProjyfor; localhost, 

Example;, .net.n^ 192.16S ,1.0/24 
Automatic proxy configuration URL: 





Afteryou click OK, your configuration will be saved and your Web browser 
will automatically connect through that proxy on all future connections. If 
you get an error message such as, "The proxy server is refusing connections" 
or "Unable to find the proxy server", there is a problem with your proxy 
configuration. In that case, repeat the steps above and select "No proxy" in 
the last screen to deactivate the proxy. 

Foxy Proxy 

FoxyProxy is a freeware add-on for the Firefox Web browser which makes it 
easy to manage many different proxy servers and change between them. For 
details about FoxyProxy, visit 



In Firefox 4 open the Add-ons window. In the pop-up window, type the name 
of the add-on you want to install (in this case "FoxyProxy") in the search box 
on the top right and click Enter. In the search results, you will see two 
different versions of FoxyProxy: Standard and Basic. For a full comparison of 
the two free editions, visit http://getfoxyproxy.0rg/downloads.html#editions, 
but the Basic edition is sufficient for basic circumvention needs. After 
deciding which edition you want, click Install. 


1 <=' 11 [^ 11^1 

J ® Moiilla FirefoK Start Page 

^^^^HmJI^tAdd-on^ Manager x ^^J 


' l«l*l 

W ' [foHypitmy P 


iSEame Last Updated Best match -^ 



Sea re 

FoxyProxy Standard 2.22.5 Thursday. January 20. 2011 

Foj;YPro]fY is an advanced pro]fY management to,,, More In.5tall 



FoxyProxy Basir 1 .R.S 

1 Downloading | 


iMacros for Firefox ^^^-^^^y February 09.2011 

Automate FirefoK, Record and replay repetitious ,,, More Install 


After installation, Firefox should restart and open the Help site of FoxyProxy. 
You want to enable the FoxyProxy quick-start button on Firefox. Head to the 
Firefox menu in the upperleft corner and select Options > Add-on bar. If the 
option is enabled you should see a marker left to the text 'Add-on bar'. Look at 
the example below. 


New Tab 

I* Start Private Bro 


Save Page Ai... 
Send Link,.. 

Full Screen 

Set Up Sync, 

Hlf«gni rtpt-cw-iiritv/w-rit/ X ^ Addons Manager >^ | w Fo}{yPioxy 



■iki Add-oi 





Menu Bar 


Navigation Toolbar 

Bookmarks Toolbar 


Add-on Bar Ctrk/ 


Tabs on Top 

Toolbar Layout.., 

I Add tt> collection 
9 Share this Add-on 

FoxyPmxy Basic is a simple on/off proxy switcher. 

Continue to Download > 

The developer of this add-on asks that you help support its cont 
development by making a small contribution. 

Suggested Contribut 


January 19,3011 


Works with 

Thunderbird 3.0a1pre - 3.3a3pre 


^-Ktx : 15 reviews 



For FoxyProxy to do its job, it needs to know what proxy settings to use. Open 
the configuration window by clicking the icon ® at the bottom right of the 
FIrefox window. The configuration window looks like this: 


Fi^e Help 

Mode; CompEetefy ditsabEe FosyProxy 

I ."I Proxies 1 1;^ Global Settings 



Projy Name 
I Default 

Proxy Notes 

^ M ove Up 

' Move Down I 

^^ Add Mew Proxy 

'Edit Selection 

i^ Copy Selection 

1 DeEete Selection 

^P Please Donate ^ Get FoxyProxy Plus (.^J Buy Proxy Service 

Click on 'Add New Proxy'. In the following window, enter the proxy details in a 
similar way to the default Firefox proxy configuration: 


FoxyPra«y Basic - Prcnty Settings 

\ General I Wi Proxy Details | 
© Direct internet connection (no proxy] 


Manual Prox/ Configuration 

Help I Where are settings for HTTP. SSL FTP. Gopher, and SOCKS? 

Host or IP Address my- proxy. server. provider. org 
DSOCKSproxy? ■'_■ SOCKSv4/4a ■« SOCKSvS 

Q Automatic proxy configuration URL hnp[sy:// ftpc// filec// relatjwc// 


n Eeload the PAC every | 60 minutes 


FT] Notify me about proxy auto-configuration fije loads 

[7] Notify me about proxy auto-configuration file errors 

i^ I # 

Select "Manual Proxy Configuration", enter the host or IP address and the 
port of your proxy in the appropriate fields. Check "SOCKS proxy?" if 
applicable, then click OK. You can add more proxies by repeating the steps 


You can switch among your proxies (or choose not to use a proxy) by rlght- 
cllcklngon the fox icon on the bottom right of your FIrefox window: 

Use projiy "114,127,246.56" for all URLs 

• I Use proxy "Default" for all URLs 
Completely disable FoxyProxy 


U^e Advanced Menus 

To select a proxy server, simply left-click on the proxy you want to use. 


what is Tor? 

Tor is a system intended to enable online anonymity, 
composed of client software and a network of servers 
which can hide information about users' locations and 
other factors which might identify them. Imagine a 
message being wrapped in several layers of protection: 
every server needs to take ofT one layer, thereby 
immediately deleting the sender information of the 
previous server. 

Use of this system makes it more difficult to trace internet traffic to the user, 
including visits to Web sites, online posts, instant messages, and other 
communication forms. It is intended to protect users' personal freedom, 
privacy, and ability to conduct confidential business, by keeping their internet 
activities from being monitored. The software is open-source and the network 
is free of charge to use. 

Like all current low latency anonymity networks, Tor cannot and does not 
attempt to protect against monitoring of traffic at the boundaries of the Tor 
network, i.e., the traffic entering and exiting the network. While Tor does 
provide protection against traffic analysis, it cannot prevent traffic 
confirmation (also called end-to-end correlation) 

A Caution: As Tor does not, and by design cannot, encrypt 
the traffic between an exit node and the target server, any 
exit node is in a position to capture any traffic passing 
through it which does not use end-to-end encryption such 
as TLS. (If your postman is corrupt he might still open the 
envelope and read the content). While this may or may not 
inherently violate the anonymity of the source, if users 
mistake Tor's anonymity for end-to-end encryption they 
may be subject to additional risk of data interception by third parties. So: the 
location of the user remains hidden; however, in some cases content is 
vulnerable for analysis through which also information about the user may be 

Using Tor Browser Bundle 

The Tor Browser Bundle lets you use Tor on Windows, OSX and/or Linux 
without requiring you to configure a Web browser. Even better, it's also a 
portable application that can be run from a USB flash drive, allowing you to 
carry it to any PC without installing it on each computer's hard drive. 


Downloading Tor Browser Bundle 

You can download the Tor Browser Bundle from the Web site 
(, either as a single file (13MB) or a split version 
that is multiple files of 1.4 MB each which may proof easier to download on 
slow connections. 

If the Web site is filtered from where you are, type "tor 
mirrors" in your favorite Web search engine: The results probably include 
some alternative addresses to download the Tor Browser Bundle. 


Caution: When you download Tor Bundle (plain or 
split versions), you should check the signatures of the 
files, especially if you are downloading the files from 
a mirror site. This step ensures that the files have not 
been tampered with. To learn more about signature 
files and how to check them, 


(You can also download the CnuPC software that you will need to 
check the signature here: 

The instructions below refer to installing Tor Browser on Microsoft Windows. 
If you are using a different operating system, refer to the 
website for download links and instructions. 


Installing from a single file 

1. In your Web browser, enter the download URL for Tor Browser: 





History BoolcmarkE T00I& Help 


London: Fri 03:1} ^ 






e « 

Rr^ https://www 

torproj e c.t . org/torbrowse r/ 

Tor Browser Bundle for Windows with Firefox 
(version 1.1.4. 13 MB) 

• English (en-USl ( signature ) 

• '^j^ far) (signature) 

• Deutsch (de) ( signature ) 

• Espanol (es-ES) ( signature ) 
> .^Ji(fa-IR) [ signature ) 

• Francais (1r) ( signature ) 

• Nederlands (nl) ( signature ) 

• Portuques (pt-PTl ( signature ) 

• PycCKHI^ (ru) ( signature ) 

• ifttf ^ (zh-CN) ( signature ) 

2. Click the link foryour language to download the installation file. 

3. On windows double-click the .EXE file you just downloaded. A "7-Zip 
self-extracting archive" window appears. 


4. Choose a folder into which you want to extract the files and click 

Note: You can choose to extract the files directly onto a USB 
key or memory stick if you want to use Tor Browser on 
different computers (for instance on public computers in 
Internet cafs). 

5. When the extraction is completed, open the folder and check that the 
contents match the image below: 

6. To clean up, delete the .EXE file you originally downloaded. 


Installing from split files 

1. In your Web browser, enter the URL for the split version of the Tor 
Browser Bundle (, 
then click the link for your language to get to a page that looks like the 
one for English below: 


Index of /torbrow 

File Edit View Hi&tor/ 

Bookmarks Xools Help sfs London: Fri 03: 

19 S Amsterdam: Fri 04:1 

4a ' - e w^ IS 

r4l htt p5://www.torproj ect.or^orbrowser/di&titor-brow&er-l.l.4_e 

Index of /torbrowser/dist/tor-bro 


Last modifis 


Size Description 

*• Parent Directory 


CJ siqnatures/ 



liaJ tor-browser-l. 1.4 
13 tor-browser-l. 1.4. 
13 tor-browser-l. 1.4 
13 tor-browser-l. 1.4. 
LQ tor-browser-l. 1.4 
3 tor-browser-l. 1.4. 
3 tor-browser-l. 1.4 
3 tor-browser-l. 1.4. 
3 tor-browser-l. 1.4 
3 tor-browser-l. 1.4. 

en -US 

split. pa rtOl.exe 13-Oct-2003 



en -US 

.split. part02.rar U-0ct-2B0S 



en -US 

split. pa rt03.rar 13 -Oct- 2003 



en -US 

.split. part04.rar 13-Oct-2003 



en -US 

split. pa rtOS.rar 13 -Oct- 2003 



en -US 

.split. partoe.rar 13-0ct-2003 



en -US 

split. part07.rar 13-Oct-2003 



en -US 

.split. partOS.rar 13-0ct-2003 



en -US 

split. part09.rar 13-Oct-2003 



en -US 

.split. partlO.rar 13-Oct-2008 



2. Click each file to download it (one ending in ".exe" and nine others 
ending in ".rar"), one after the other, and save them all in one folder on 
your hard- or USB-drive. 


3. Double-click the first part (the file whose name ends in ".exe"). This runs 
a program to gather all the parts together. 

;:? winRAR self-SKtracti^ arcPiiue 


• Press Install button to start extraction. 

t Use Browse button to select the destination folder 
Irom the folders tree. E tan be also entered manually. 

• If tlie destination folder does not exist, it will be 
created automatically before edractioo. 



CesWnaSort folder 

Ins^lflftJon progress 



4. Choose a folder where you want to install the files, and click "Install". 
The program displays messages about its progress while it's running, 
and then quits. 

5. When the extraction is completed, open the folder and check that the 
contents match the image below: 

6. To clean up, delete all the files you originally downloaded. 

Using Tor Browser 

Before you start: 


• close Firefox. If Firefox is installed on your computer, make sure it is 
not currently running. 

• Close Tor. If Tor is already installed on your computer, make sure it is 
not currently running. 

Launch Tor Browser: 

• In the "Tor Browser" folder, double-click "Start Tor Browser". The Tor 
control panel ("Vidalia") opens and Tor starts to connect to the Tor 

When a connection is established, Firefox automatically connects to the 
TorCheck page and then confirms if you are connected to the Tor network. 
This may take some time, depending on the quality of your Internet 


■Tnr? M«/illa Firrin; 


^ AbujlTir Lj TirMdnnH ToOiKhit MnubU... 


Coji;^ratuJatian», You ai*e usiii;s Tor* 

Please fcfcrt^ the Tof website f^ Sfflhef mEoiwali^ii ab^rrt usiag T^r safely. 

T*1 Miy lilt >» klWtTHfH In CA4 Toi Tm'H g^i'^ LtFg JHmTtt 


clwd^twpriifsct.a'g fi Tcr EndUgd 

If you are connected to the Tor network, a green onion icon appears in the 
System Tray on the lower-right-hand corner of your screen: 

Browsing the Web using Tor Browser 

Try viewing a few Web sites, and see whether they display. The sites are likely 
to load more slowly than usual because your connection is being routed 
through several relays. 

If this does not work 

If the onion in the Vidalia Control Panel never turns green or if Firefox opened, 
but displayed a page saying "Sorry. You are not using Tor", as in the image 
below, then you are not using Tor. 


ri<ngTor> MulLUFIrdHii 

ps f/it 'iBn mgtrr gnlimts Tnt 


Soi'i'v. You are not using Tor. 

If you art Bttempd^gtGuse aTorcHtnt, p^asereferto the Tor website and sp-c-cific-aliy 

^ar J? miAi.^,m <^<«c? b? t«: 76 . KS . it) . H 
fltao ii« tiktazkat-LiL iji. clw f-ji ■6'LL.t tug- Ljpt 

rh.jE ■'>zta->i 'id 

. b^ -^i^ Ln.faiii.jcdi:ii 


[hKk.totrit^lecl.ora A To^^faUed 

If you see this message, close Firefox and Tor Browser and then repeat the 
steps above. You can perform this check to ensure that you are using tor, at 
any time by clicking the bookmark button labelled "TorCheck at Xenobite..." in 
the Firefox toolbar. 

If Firefox browser does not launch, another instance of the browser may be 
interfering with Tor Browser To fix this: 

1. Open the Windows Task Manager How you do this depends on how 
your computer is set up. On most systems, you can right-click in the 
Task Bar and then click "Task Manager". 

2. Click the "Processes" tab. 

3. Look for a process in the list named "firefox.exe". 

4. If you find one, select the entry and click "End Process". 

5. Repeat the steps above to launch Tor Browser 

If Tor Browser still doesn't work after two or three tries, Tor may be partly 
blocked by your ISP and you should try using the bridge feature of Tor. 



There are two other projects that bundle Tor and a 


• XeroBank, a bundle of Tor with Firefox 

• OperaTor, a bundle of Tor with Opera 




Introduction to e-mail safety 

E-mail is one of the oldest forms of communication on the 
Internet. We often use it to communicate very personal or 
otherwise sensitive information. It is very important to 
understand why e-mail in its default configuration is not 
secure. In the following chapters we will describe the 
different methods necessary to secure your e-mail against 
known threats. We will also provide you with basic 
knowledge to assess the risks involved in sending and 

receiving e-mail. This section will start by describing the security 

considerations when using e-mail. 

No sender verification: you cannot trust the 'from' address 

Most people do not realize how trivial it is for any person 

on the Internet to forge an e-mail by simply changing the 

identity profile of their own e-mail program. This makes it 

possibly for anyone to send you an e-mail from some 

known e-mail address, pretending to be someone else. This 

can be compared with normal mail; you can write anything 

on the envelope as the return address, and it will still get 

delivered to the recipient (given that the destination 

address is correct). We will describe a method for signing e-mail messages, 

which prevents the possibility of forgery. Signing e-mail messages will be 

explained in the chapter about PGP (Pretty Good Privacy). 

E-mail communications can be tapped, just like telephones 

An e-mail message travels across many Internet servers before it reaches its 
final recipient. Every one of these servers can look into the content of 
messages, including subject, text and attachments. Even if these servers are 
run by trusted infrastructure providers, they may have been compromised by 
hackers or by a rogue employee, or a government agency may seize 
equipment and retrieve your personal communication. 

Unencrypted mail looks like this: 
V V V 


There are two levels of security that protect against such e-mail interception. 
The first one is making sure the connection to your e-mail server is secured by 
an encryption mechanism. The second is by encrypting the message itself, to 
prevent anyone other than the recipient from understanding the content. 
Connection security is covered extensively in this section and in the sections 
about VPN. E-mail encryption is also covered in detail in the chapters about 
using PGP. 

Mail hoaxes, viruses and spam 

More than 80% of all the traffic coming through a typical e- 
mail server on the Internet contains either spam messages, 
viruses or attachments that intend to harm your computer. 
Protection against such hostile e-mails requires keeping 
your software up-to-date and having an attitude of distrust 
toward any e-mail that cannot be properly authenticated. 

Fraudulent mails requesting 'personal information' 

Your internet service provider, your phone company, your bank or any 
reputable institution will never ask you to supply them with your username or 
password. They will also never send you an email or even telephone you and 
ask for confidential information regarding your account or setup. They will 
never require you to visit some website in order to 'fix' something with your 
computer. V^/heneveryou receive such a request, you can be certain that it is 
a malicious attempt by a third-party to steal your account information. Such 
attempts are called 'Phishing attacks' in internet jargon, and are very 
common. Remember, reputable companies are hosting your data and should 
not require any such information from you. 

Unverified mails from organizations or individuals offering you 
a 'service' 

Phishing attacks can come from a wide variety of sources. You may receive 
mails from an organization or an individual who offers to assist you with 
some problem or provide you with some service. For example, you might 
receive an e-mail that looks like it is from the company who makes the anti- 
virus program you to use. The message says that there is an important update 
to their software. They have conveniently attached a handy executable file 
that will automatically fix your software. 


Because the sender of the message cannot be verified, such messages should 
be immediately discarded, as the attached file almost certainly contains a 
virus or hostile program. 

Mails with attachments 

You may receive a message from a friend that contains an attachment. In the 
message, your friend might say that the attachment is a great game, or a 
handy utility, or anything else. Computer systems infected with viruses can 
"hijack" email accounts and send these kinds of messages to everyone in a 
person's address book. The message is not from your friend - it is from a virus 
that has infected your friend's computer system. 

Only open attachments when you have verified the 

sender's address. This applies to attachments of any type, 

not just executable files. Viruses can be contained in 

almost any type of file: videos, images, audio, office 

documents. Running an anti-virus program or a spam filter 

provides some protection against these hostile mails, as 

they will warn you wheneveryou download an infected file "^^^ 

or a trojan. However, you should not count entirely on 

your anti-virus programs or spam filters, because they are only effective 

against threats that they know about. They cannot protect you from threats 

that have not yet been included in their definition files. (That is why it is 

important to keep your anti-virus and anti-spam definition files up to date.) 

The safest approach regarding email attachments is to never open an 
attachment unless you are completely certain that it originates from a 
known, trusted source. 

Compromise by malware 

Even if you have verified all your email and have only opened those 
attachments that you have deemed safe, your computer may still be infected 
by a virus. For example, your friend may have inadvertently sent you a 
document that contains a virus. Malware detection can be difficult, although 
it is usually detected by anti-virus programs (assuming that the definition files 
are current, as described above). Signs of active malware can include: 

• a sudden slowdown of your computer or internet connection 

• strange pop-up messages appearing while using your computer 

• complaints from your internet service provider regarding abuse of your 
account (for example, claiming that you have been sending spam 

If this happens to you, ensure your anti-virus program is up-to-date and then 


thoroughly scan your system. 


Using Thunderbird 

In upcoming sections, we will be using Mozilla's 
Thunderbird e-mail program to show you how to configure 
your e-mail client for maximum security. Similar to 
Mozilla's Firefox browser, Thunderbird has many security 
advantages over its counterparts like Apple Mail and 

Thunderbird is a so-called "mail user agent" (MUA). This is different from web- 
based e-mail services like Google's Gmail. You must install the Thunderbird 
application on your computer. Thunderbird has a nice interface and features 
that enable you to manage multiple mailboxes, organize messages into 
folders, and search through mails easily. 

Thunderbird can be configured to work with your existing e-mail account, 
whether that account is through your Internet Service Provider (such as 
Comcast) or through an web-based email provider (such as Gmail). 

Using Thunderbird has many advantages over using web-based e-mail 
interfaces. These will be discussed in the following chapter. To summarize, 
though, Thunderbird enables much greater privacy and security than web- 
based e-mail services. 

This section provides information on how to install Thunderbird on Windows, 
Mac OS X, and Ubuntu. 

Installing Thunderbird on Windows 

Installing Thunderbird involves two steps: first, download the software and 
then run the installation program. 


1. Use your web browser to visit theTliunderbird download page at This page 
detects your computer's operating system and language, and 
recommends the best version of Thunderbird foryou to use. 

mozilla messaging 

Thunderbird 3.1 

Now with tabs, better search, and eniait archiving, 
It'y easy lo upgrade lo Thunderbird 3.1 


If you want to use Thunderbird in a different language or with a 
different operating system, click the Other Systems and Languages link on 
the right side of the page and select the version that you need. 

2. Click the download button to save the installation program to your 

Opening Tfiunderblrd Setup 3.1.l£xe J 

You have chosen to open 
[■^ Thunderbird Setup 3.1.1.exe 

which is a; Binary File 

from: http;//d own! oad-cdndworks.m 
Would you like to save this file^ 



click the Save button to save the Thunderbird Setup file to your 

3. Close all applications running on your computer. 


4. Find the setup file on your computer (it's usually in the Downloads 
folder or on your desktop) and then double-click it to start the 
installation. The first thing that the installer does is display the 
Welcome to the Mozilla Thunderbird Setup Wizard screen. 

2^ Mozilla Thunderbird Setup 

^ — 1 ^ 1 l..^b;^ 

' 'V "^^F 

^P ^k i 

Welcome to the Mozilla Thunderbird 

[JT A 

Setup Wizard 


This wizard will guide you through the installation of Mozilla 

^^F \w^^ 


^m Y , 

It is recommended that you dose all other applications 

^H \. 

betbre starting Setup. This will make it possible to update 

^H j|^. 

relevant system files without having to reboot your 

^K ^Wk. 



ClidiNextto continue, 

1 Ne](t> 1 Cancel 

Click the Next button to start the installation. If you want to cancel it, 
click the Cancel button. 


The next thing that you see is the Setup Type screen. For most users the 
Standard setup option is good enough for their needs. The Custom 
setup option is recommended for experienced users only. Note that 
Thunderbird installs itself as your default mail application. If you do not 
want this, clear the checkbox labeled Use Thunderbird as my default 
mail application. 

■^ Mozilld Thunderbird Setup^^^^^^^^^^^^^| 


[-1 1-^^ 

SetipType i^'^ 

Choose setup options L_" "H" 

Choose the type of setup you prefer, ttien did: Next. 

1 options. 

Recommended for experienced 

® ^te nija rijj 

Thunderbird will be installed with the most commo 

O Custom 

You may choose individual options to be installed, 

[g] Use Thunderbird as my default mail application 


[ <Bad; 

11 t(ext> 

] Caned 


Click the Next button to continue the installation. 


6. After Thunderbird has been installed, click the Finish button to close the 
setup wizard. 

j^ Mozilla Thundertird Setup 

•^^^^^^ ■ 1^,1^1^ 


Completing the Mozilla Thunderbird 
Setup Wizard 

Moiilla Thunderbird has been installed on your computer. 
Clidi Finish to dose this wizard, 

EtiJ""* l^oiilla Thunderbird now: 

1 < Back 1 Finish j [ Cancel 

If the Launch Mozilla Thunderbird now checkbox is selected, 
Thunderbird starts after it has been installed. 

Installing Thunderbird on Ubuntu 

There are two different procedures for installing Thunderbird on Ubuntu: one 
for version 10.04 or later, and one for earlier versions of Ubuntu. We describe 
both below. 

Thunderbird will not run without the following libraries or packages installed 
on your computer: 

• GTK+ 2.10 or higher 

• GLib 2.12 or higher 

• Pango 1.14 or higher 

• X.Org 1.0 or higher 

Mozilla recommends that a Linux system also has the following libraries or 
packages installed: 

• NetworkManager 0.7 or higher 

• DBus 1.0 or higher 

• HAL 0.5.8 or higher 


• GNOME 2.16 or higher 

Installing Thunderbird on Ubuntu 10.04 or newer 

If you're using Ubuntu 10.04 or newer, the easiest way to install Thunderbird 
is through the Ubuntu Software Center. 

1. Click Ubuntu Software Center under the Applications menu. 

File Edit View Help 

ba . A 

■■^ Provided by Ubuntu 
^n Canonical Partners 
^Partner archive 
^ The Opera web bro. .. 
g Installed Software 

< I > Get Software 

Ubuntu Software Center 



A<:c€ssarle5 EducatJon 



Science & Sound £, Video Themes £, 

Engineering Tweaks 

32475 items available 

2. Type "Thunderbird" in the search box and press the Enter on your 
keyboard. The Ubuntu Software Center finds Thunderbird in its list of 
available software. 

3. Click the Install button. If Thunderbird needs any additional libraries, 
the Ubuntu Software Center alerts you and installs them along with 

You can find the shortcut to start Thunderbird in the Internet option under 
the Applications menu: 


^ Accessories ► 
jI Grapliics ► 

^ Office •• 
'? , Sound & Video •• 
Q System Tools •• 
f^ Ubuntu Software Center 

^ Chromium Web Browser 
^ Ekiga Softphone 
|i • Empathy IM Client 
^ Firefox Web Browser 
^ Google Chrome 
Q Gwibber Social Client 




■5 Skype 

Installing Thunderbird on Mac OS X 

To install Thunderbird on your Mac, follow these steps: 

1. Use your web browser to visit the Thunderbird download page at This page 
detects your computer's operating system and language, and it 
recommends the best version of Thunderbird foryou to use. 

mozilla messastng 

Thunderbird 3.1 

Now with tabs, better search^ and email archiving. 
It's easy to upgrade to ThuTidertiird 3-1 



St cast Nil t« Qrw-Shiair-i & 


2. Download the Thunderbird disk image. When the download is complete, 
the disk image may automatically open and mount a new volume called 

If the volume did not mount automatically, open the Download folder 
and double-click the disk image to mount it. A Finder window appears: 


3. Drag the Thunderbird icon into your Applications folder. You've installed 

4. Optionally, drag the Thunderbird icon from the Applications folder into 
the Dock. Choosing the Thunderbird icon from the Dock lets you quickly 
open Thunderbird from there. 



Note: When you run Thunderbird for the first time, newer versions of Mac OS 
X (10.5 or later) will warn you that the application Thunderbird. app was 
downloaded from the Internet. 

If you downloaded Thunderbird from the Mozilla site, click the Open button. 


"" is an application which 
was downloaded from tlie Internet. Are 
you sure you want to open it? 

rirefox.jpp downloaded tills file today at 9.Z0 AM. 
(?) ( Cancel ) ( Open ) 

Starting Thunderbird for the first time 

Afteryou have installed Thunderbird for the first time you will be guided 
through the configuration of your mail account. These settings are defined by 
your e-mail provider (your Internet Service Provider or web-based e-mail 
service provider). The next chapter describes how to set up your account and 
configure it for maximum security. 


Setting up Thunderbird to use secure 

There is a right (secure) way to configure your connection 
to your provider's mail servers and a wrong (insecure) way. 
The most fundamental aspect of e-mail security is the type 
of connection that you make to your e-mail provider's mail 

Whenever possible, you should connect using the SSL (Secure Socket Layer) 
and TLS (Transport Layer Security) protocols. (STARTTLS, which is another 
option available when configuring an account, is a variation of SSL/ TLS.) 
These protocols prevent your own system (beyond Thunderbird) and any 
points between your system and the mail server from intercepting and 
obtaining your password. SSL/ TLS also prevent eavesdroppers from reading 
the content of your messages. 

These protocols, however, only secure the connection between your 
computer and the mail server. They do not secure the information channel all 
the way to the message recipient. Once the mail servers forward the message 
for delivery, the message may be intercepted and read by points in between 
the mail server and the recipient. 

This is where PGP (Pretty Good Privacy) comes in, which is described in the 
next chapter. 

The first step in establishing e-mail security is a secure connection between 
your system and the mail servers. This chapter describes how to set up your 
e-mail account the right way. 

Configuration requirements 

when you configure an account, Thunderbird attempts to determine (from 
the email account and the account details that you provide) the connection 
parameters to your email provider While Thunderbird knows the connection 
parameters for many email providers, it does not know them all. If the 
parameters are not known to Thunderbird, you will need to provide the 
following information to configure your account: 

• Your username 

• Your password 

• Incoming server: name (such as "imap. example. com")^^ protocol (POP or 
I MAP), port (by default, 110), and security protocol 

• Outgoing server: name (such as ^smtp. example. com")^^ port (by default, 
25), and security protocol 


You should have received this information from your hosting provider. 
Alternatively, you can usually find this information on the support pages on 
the website of your hosting provider. In our example we will be using the 
Gmail server configuration. You can use Thunderbird with your Gmail 
account. To do so, you must change a configuration setting in your account. If 
you are not using a Gmail account, skip the next section. 

Preparing a Gmail account for use with Thunderbird 

Log in to your Gmail account in your browser. Select Settings from options in 
the top right, then go to the tab Forwarding and POP/IMAP. Click Enable 
IMAP and then Save Changes. 

General Labels Accou 

jt Offine 


Tie of vour mall bv creatlnq a filter! 

■■ Add a forwarding address 

Tp: Vou can also forward only so 

POP Download: 

1. Status: POP is enaBled toral 

mail that has arnved since 3/19/09 

Learn more 

EiaOle POP for all mail (even 
Enable POP for mail thai am 
Disable POP 

2. When messages are acc&sse 

mall Itiars already been down loaded} 
vesfnm now on 

d with POP ; keep Google WalFs copy in ttie Inbox 


3. Configure your email client ( 

Conliguration Instructions 

■g Outlook, Eudora, Netscape Mail) 

IMAP Access: 

yfTTTatus: IMZlNe enabled 

(aasas Gui^le Wil firen Ohar clienti 

ang ( @ Enable IMAP ) 


Learn more 

2. Configure ycjr email client { 

Confguratior instructjons 

.g. Outlook, Tfiurderbird, iPhone) 

{ Save Changes } ( Cancel ) 

Configuring Thunderbird to use SSL/TLS 

when you start up Thunderbird for the first time, you will enter a step-by- 
step configuration procedure for setting up your first account. (You can 
invoke the account setup interface any time by selecting File | New | Mail 
Account). On the first screen, you will be asked foryour name, your email- 
address and your password. The value you enter foryour name does not have 
to be your real name. It will be shown to the recipient of your messages. 
Enter the information and click Continue. 


^GetMail • L^Wfite ^AddressBook Ti^ 

Search all messages, ,. =Ctfl+K> 


^ Read messages 

[3f Write a new message 

Your name: 
Email address: 




1 Johnny Cash 

^ Vourname, as shown to others 

1 johnnypgmaiLcom 


^ 1 


E^ Remember password 

' Cancel 1 

1 Continue 


Manage subscriptions 


^ view settings for this account 

On the next screen, Thunderbird will attempt to determine the server names 
based on your email address. This may take some time, and will only work if 
Thunderbird knows the settings for the mail servers foryour email provider. 
In either case you will be presented with a window where you can modify the 
settings. In the example below, Thunderbird has detected the settings 
automatically. You can see the protocol at the right side of the server names. 
This should be either SSL/TLS orSTARTTLS. Otherwise your connection is insecure 
and you should attempt manual setup. 


[^Ge-tMail • |_^ Write ^Address Book Tag- 

Search all messages, ,, •fCtrl+K^ 

SLo cat Folders 

All Folders 
••S^ Local Folders 

Thunderbird Mail - Local Folders 

^ View settings for this account 


Yoljroame: My Name Your name, as shown to others 


Email address: 


Password: "•"" 

Remember password 

Start over 


The following settings were Found From; Mozilla ISP database 

U^ername' test 
Incoming POP 995 




9 ■I' smtps.xs4all.r.l SMTP 465 


Manual Setup... 

Cancel 1 

Create Account; 

When you are finislied, clici< Create account. If Thunderbird could not 
determine your server settings, clicl< on Manual setup to configure the server 
names yourself. 

Manual setup 

Use the Account Settings interface to manually configure accounts in 
Thunderbird. The Account Settings dialog will automatically open if you select 
Manual setup in the configuration wizard. In this case we are only interested 
in the incoming and outgoing mail server names, and the protocol we use to 
connect with them. As you can see in the examples below, we enter the Gmail 
server names and we force them to use SSL, a secure method to connect to 
the servers. 



Server Settings 

Copies & Folders 

Composition & Addressing 

Junk Settings 

Synchronization & Storage 

Return Receipts 

'Local Folders 

Junk Settings 

Disk Space 
Outgoing Server (SMTP) 

Account Actiors 

Server Settings 

Server Name: [ | 

UserName: johnny)@ 

993 : Derault: 993 

S ecurity Settings 

Connection security: 


Authentication method: | Normal password 

Server Settings 
S CKeck For new messages at startup 

B" Check For new messages every | 

When I delete a message: 

d Move it to this Folder: [Trash 

G Just mark it as deleted 

O Remove it immediately 
D Clean up ("Expunge") Inbox on E>Lit 
D Empty Trash on Exit 

Local directory: 

ID „ minutes 


I yhame/dentDir/.thunderbird/Z039whs9.deFaull;/lmapMaiL/mail.gree{ I Browse.. 

O Cancel 

Under 'Server Settings', we will find only the incoming (IMAP) server and its 
settings for that specific account. 


Server Settings 

Copies & Folders 

Composition & Addressing 

Junk Settings 

Synchronization & Storage 

Return Receipts 

''Local Folders 

Junk Settings 

Disk Space 
Outgoing Server (SMTP) 

Account Actions 

Server Settings 

Server Type: IMAP Mail Server 

Server Name: 

User Name: [johnnycash 

593 : Default: 993 

Security Settings 
I Connection security: 


Authentication method: Normal password 

Server Settings 

y Check I'or new messages at startup 

^ Check for new messages every | 

when! delete a message: 

Move it to this folder: I Trash 
O Just mark it as deleted 
O Remove it immediately 

D Clean up ("Expunge") Inbox on Exit 

n Empty Trash on Exit 

10 I j minutes 


Local directory: 

, /home/dentoir/.thunderbird/2039whs9.deFaull^imapMail/mail.gree^ L^gvse^ 

I ©Cancel ^ {^^^j^ 

After Server Name enter the name of the IMAP server, in this case 

As you can see we have selected 'SSL/TLS' under the connection security setting. 
This enforces encryption. Do not be scared by the authentication method 
Normal password. The password will be automatically encrypted due to our 
secured connections to the server. 

Finally, configure the outgoing server for the account. Click on Outgoing 
Server (SMTP) in the left panel. 


^ Get Mail • Li 

l±iJ Jo h n n y iS>g ma 1 L I 

All Folders 
► _Jahinny@>ginall 
•■M^ Local Folders 

■'j ohnny (Jj g ma i I. c on 

Server Settings 

Copies & Folders 

Compositior & Addressinig 


SyRchrorizationS Storage 

Return Receipts 

'Local Folders 

Junk Settings 

Disk Space 
Outgoing Server (SMTP) 



Althoughyou can specify more thar one outgoing server (SMTP), thiiis o 
recommended For advanced users. Setting up multiple SMTP servers can 
errors when sending messages. 

gmail server- (Del^ault) 

Server Name: ^mtp. 

I gmail server 

Security and AJthentlcatlon 
Connection security: | SSL/TI^ 

Authentication method: | Normal password 
User Name: 

[ O cancel I [ ■j^'OK^ 

Account Actions 

O Cancel 

^OK I 

Again, we have selected SSL/TLS under Connection security. The port will 
default to 465 and this should generally not have to be changed. 

Finishing the setup, different encryption methods 

OTest your Thunderbird setup by trying to send and receive 
mails. Some email hosting providers may not support the 
SSL/TLS protocol, which is the preferred choice. You will get 
an error message saying the authentication protocol is not 
supported by the server. You may then switch to using 
STARTTLS instead. In the above two screens, select 
'STARTTLS' under 'Connection security'. If this method also 
fails, contact your email hosting provider and ask them if 
they provide another way to securely connect to their servers. If they do not 
allow you to securely connect to their servers, then you should complain and 
seriously consider switching to a different provider. 

Returning to the configuration screens 

At any time you can reconfigure your email accounts by going to the 
Thunderbird menu bar and clicking Edit | Account Settings (Linux), Tools | 
Account Settings (Windows and Mac OS X). 


Some Additional Security Settings 

Thunderbird provides additional security measures to 
protect you from junk mail, identity theft, viruses (with the 
help of your anti-virus software, of course), intellectual 
property theft, and malicious web sites. 

We will look at the following Thunderbird security features. First a little 
background on why you need to consider some of these measures: 

• Adaptive junk mail controls 

Adaptive junk mail controls allow you to train Thunderbird to identify 
junk email (SPAM) and remove it from your inbox. You can also mark 
messages as junk mail manually if your email provider's system misses 
the junk mail and lets it go through. 

• Integration with anti-virus software 

If your anti-virus software supports Thunderbird, you can use that 
software to quarantine messages that contain viruses or other 
malicious content. If you're wondering what anti-virus software works 
with Thunderbird, you can find a list here: 

• Master password 

Foryour convenience, you can have Thunderbird remember each of 
your individual passwords of your e-mail accounts. You can specify a 
master password that you enter each time you start Thunderbird. This 
will enable Thunderbird to open all your email accounts with your saved 

• Restrictions on cookies 

Some blogs and websites attempt to send cookies (a piece of text that 
stores information from Web sites on your computer) with their RSS 
feeds. These cookies are often used by content providers to provide 
targeted advertising. Thunderbird rejects cookies by default, but you 
can configure Thunderbird to accept some or all cookies. 

In the Security Preferences section of Thunderbird's Options/Preferences 
dialog box you can set up the preferences for these features. 

• In Windows and Mac OS X, go to the 'Tools' menu and click 'Options'. 

• On Ubuntu or other versions of Linux, go to the 'Edit' menu and click 


Junk mail settings 

1. In the Preferences/Options dialog box, click 'Security' and then click the 
'Junk' tab. 




Secufrty Attachments Advanced 

J'Jnk I E-rTV5tt Scams | Anti-Vtrus | Passwords | Web Content | 

Set your default junk mail settings. Account-specific junk mail settings can be configured in 
Account Settings. 

|n| When! mapk messages asjunic 

@ Movethem to the account's "Junk" folder 
Delete them 
n Mafk messages determined to be Junk as read 
n Enablejunkfilter logging [ Show 

R^Kct Trairbtng Daia 

Do the following: 

o To tell Thunderbird that it should handle messages marked as junk, 

select the check box labelled 'When I mark message as junk', 
o To have Thunderbird move these messages to a junk folder, select 

the 'Move them to account's 'Junk' folder' radio button, 
o To have Thunderbird delete junk mail upon receiving it, select the 
'Delete them'radio button. 
Thunderbird will mark junk message as read if you select the check box 
labeled 'Mark messages determined to be Junk as read'. 
If you want to keep a log of junk mail received, select the 'Enable junk 
filter logging' check box. 
Click the 'OK' button to close the 'Options/Preferences' dialog box. 


Scam detection and warning system 

1. In the Preferences/Options dialog box, click 'Security' and then click 
the 'E-mail Scams' tab. 

Options \^£3a4 

General Display Composition SecurSy Attachments Advanced 


Junk E-mail Scams 1 AntL-Viriis | Passwords | Web Content 

Thunderbird can aoaiyze messages for suspected email scams by looking for common techniques 
used to deceive you. 

glTeii me if the message I'm reading is a suspected email scam 

( DK II Cancel 

2. To have Thunderbird warn you about possible email scams, select the 
check box labelled 'Tell me if the message I'm read is a suspected email 
scam'. To turn oflF this feature, deselect this check box. 

3. Click the 'OK' button to close the 'Options/Preferences' dialog box. 


Anti-virus integration 

1. In the Preferences/Options dialog box, click 'Security' and then click the 
'Anti-Virus' tab. 

npfinni 1 S 1 

: U % M A % O 1 

Seneral Display Composition Sectifity Attachments Advanced ' 

Junkl E-mail 5cams Anti-Virus | Passwords] Web Content] 

Thunderbird can mBlte rt easy for anti-virus software to analyze incoming mail messages for viruses 
before tbey ace stored focatly. 

O Allow anti -virus clients to quarantine individual incoming meE&ages 

[ OK 1 1 Cancel | 


2. To turn on anti-virus integration, select the check box labeled 'Allow 
anti-virus clients to quarantine individual incoming messages'. To turn 
off this feature, deselect this check box. 

3. Click the 'OK' button to close the 'Options/Preferences' dialog box. 


Set a master password 

1. In the Preferences/Options dialog box, click 'Security' and then click the 
'Passwords' tab. 



□ ^ ef A d 

General Display CompositJo-n Security Attachments Advanced 

Jiint:|E-mBH3c5ms| Anti-Virus Passwords 

Web Content 1 

Thunderbird car remember pa& 

A Master Password protects all your passv 
n yse 3 master passmrord 

all of youracto 
ords, but you m 


[saved Passwords!,, j 

U5.t enter it once per session. 

1 Change Mas-ter Password.,, 

2. Select the check box labeled 'Use a master password'. 

3. Enteryour password into the 'Enter new password' and 'Re-enter 
password' fields. 


Change Master Password 

A Master Password fs used to protect sensitive information like &ite 
passwords. If you create a Master Password you will be asked to enter it 
once per session when Thunderbird retrieves saved information protected 
by the password. 

Current password; I (not set] 
Enter new password: H 
Re-enter password; 

Password quality meter 


Pte^se make sure you remember the M<a5ter Pdasword you hHire set. If 
yoL forget your Master Passwordj you will be unable to access any <]f 
the informatton protected by it. 



4. Click the 'OK' button to close the Change Master Password dialog box. 


If you want to see the passwords that you have saved in Thunderbird, 
click the 'Saved Passwords' button. This will open the 'Saved Passwords' 
dialog box. 

Q Saved Passwords 

1^1 ^ .1 1 

Search: ^ ■ 

Passwords for the fofiowiri'^ sites are stored on your computer 

Site ■* Username 

imap;.// (imap;./.'''irna.., flo&s.reaclerl©gmx.c... 

i m a p;//i m a p.g (ima... f loss. reader2@gm ail..., 

smtpj//]£.com (smtp://mail.... flosE.readerl@gmM.c... 

smtp;,// (smt... flo&i.reader2@gmail..., 

Remove Remove All 

Show Passwords 

6. To see the passwords, click the 'Show Passwords' button. 

Search; P 

Passwords for the foil owing sites are stored on your computer: 

imap;// floss.readerl^g... thunderbirdi 

imap;//imap.googlem... floss.reader2@g... thunderbirdi 

smtp;//mail. ... flos5.readerl@g... thunderbirdi 

smtp:././smtp.googlem... floss.reader2©g... thunderbirdi 

|.;jEeirnove Remove All 

I Hide Passwords I 

7. Click the 'Close' button to close 'Saved Passwords' dialog box. 

8. Click the 'OK' button to close the 'Options/Preferences' dialog box. 


Adaptive junk mail controls 

You need to first open Account Settings window. Note that settings 
configured in the Account Settings window apply only to the account that 
you select in the Folders pane. You must configure local folders separately. 

1. In the Folders pane right-click on an account name and select 'Settings' 

\\^ Ctt Mail ' ^ Write ^ Address fio 
R ^ floss. re> 


@ tnbj Get Messages 

W Tra| Open 
► g Local F Open in New Tab 

New Fol der... 



2. In Windows or Mac go to the 'Tools' menu and select 'Account Settings', 
In Linux, go to the 'Edit menu' and select 'Account Settings'. 


1. To set adaptive junk mail controls for a specific account, pick an 
account and click 'Junk Settings'. 


Server Settings 

Copies Bi Folde 

id dressing 


Junk Settings 


^ Storage 

Return Receipts 



Server Settings 

Copies Sl Folde 


Composition &Addresiing 

Junk Settings 


Sl Storage 

Return Receipts 


J Local Folders 

Junk Settings 

Disk Space 



^tount Actions 

If enabled, you must first train Thunderbird to identifyjunk mail by using the 
Junktoolbar button to mark messages asjunk or not, YO'U need to idenbfy 
botti junk and nonjunk messages, 

Enable adaptive Junk mail controisfortliis account 

Do not mark mail as junk rf the sender is in 

Q Trust junk mail (readers set by SpamAssa 
FH Move neiwjunk messages to: 

rS) "Junk" folder on; ftoss,reader2@gmafl.c 


sl Folder 

n Automatically delete junk mail olderthan 14 days 

I Cancel j 

2. To turn on the controls, select the check box labeled 'Enable adaptive 
junk mail controls for this account'. To turn them off, deselect this 
check box. 

3. If you want the controls to ignore mail from senders in your Address 
Book, select the check boxes next to any of the listed address books. 

4. To use a mail filter such as SpamAssassin or SpamPal, select the check 
box labelled 'Trust junk mail headers sent by:' and pick a filter from the 

5. Select the check box labeled 'Move new junk messages to' if you want 
to move junk mail to a specified folder. Then select the destination 
folder to be either at your email provider or a local folder on your 

6. Select the 'Automatically delete junk mail other 14 days' check box to 
have Thunderbird regularly remove junk mail. To change the time period 
for this process, enter a different number (in days) in the text box. 

7. Click 'OK' to save your changes. 




Introducing mail encryption (PGP) 

This chapter will introduce you to some basic concepts 
behind mail encryption. It is important to read to get some 
feeling of how mail encryption actually works and what its 
caveats and limitations are. PGP (Pretty Good Privacy) is 
the protocol we shall use for e-mail encryption. This 
protocol allows us to digitally sign and encrypt mail 
messages. It works on an end-to-end basis: messages will 
be encrypted on your own computer and will only be 
decrypted by the recipient of the message. There is no possibility fo 
in-the-middle' to decipher the contents of your encrypted message 
excludes the subject lines and the 'from' and 'to' addresses, which 
unfortunately are not encrypted in this protocol. 

After having introduced these basic concepts, the next chapters will give you 
a hands-on guide to install the necessary tools on your operating system and 
get encryption up and running. We will focus on using Enigmail which is an 
extension forThunderbird that helps you manage PGP encryption foryour 
email. The installation process for Engimail / PG P is different for Mac OSX, 
Windows and Ubuntu so please see the appropriate chapters in this section 
for instructions. 

r a man- 

How dijesGPG work? MeaSacha and John; ^^ 

Sacha writes 
a message 


and encrypts with 
John's public key 

He sends the 
msssage wsryptsfi 
on tottis Bvil world 
wide web ,^-"""--v 



John decr^'pts the 
^^ruessagewith his 
^^^^ private key 

' H*illo 

John reads 
the message 


Using a key-pair to encrypt your mail 

A crucial concept in mail encryption is the usage of so-called key-pairs. A key- 
pair is just two separate files sitting on your harddisk or USB stick. Whenever 
you want to encrypt mails for a certain mail-account, you will need to have 
these files available to yourself in some form. If they are sitting at home on 
your computer, you will not be able to decrypt mail at the office. Putting 
them on a USB stick should provide a solution to this problem. 


A key-pair consists of the two different keys: a public key 
and a secret key. 

The public key: you can give this key to other people, so they can send you 
encrypted mails. This file does not have to be kept secret. 

The secret key: this basically is your secret file to decrypt emails people send 
to you. It should never be given to someone else. 

Sending encrypted mails to other people: you need their 
public key 

I have five colleagues at work and 1 want to send encrypted mails to them. 1 
need to have public keys for each of their addresses. They can sent me these 
keys using ordinary mail, or they can give them to me in person, or put them 
on a USB stick, or they can have their keys on a website. It doesn't matter, as 
long as I can trust those keys really belong to the person I want to correspond 
with. My software puts the keys on my "keyring', so my mail application 
knows how to send them encrypted mails. 

Receiving encrypted mails from other people: they need my 
public key 

For my five (or thirty) colleagues to be able to send me encrypted mails, the 
process goes the other way around. 1 need to distribute my public key to each 
of them. 

Conclusion: encryption requires public key distribution! 

All the people in a network of friends or colleagues wanting to send each 
other encrypted emails, need to distribute their public keys to each other, 
while keeping their secret keys a closely guarded secret. The software 
described in this chapter will help you do this key management. 


Installing PGP on Windows 

To complicate matters a little - PGP is the protocol used for encrypting e-mail 
by various softwares. To get PGP to work with Thunderbird we need to install 
GPG - a free software implementation of PGP and Enigmail - an extension of 
Thunderbird that allows you to use GPG... Confused?! Don't worry about it, all 
you have to know is how to encrypt your email with PGP and you need to 
install both GPG and Enigmail. Here is how to do it... 

Installing PGP (GPG) on Microsoft Windows 

The GNU Privacy Guard (GnuPG) is software which is required to send PGP 
encrypted or signed emails. It is necessary to install this software before 
being able to do any encryption. 

1. Head to the official website of the GnuPG project. Go to 

2. On the left side of the website, you will find a 'Download' link. Click on it. 

3. You will see a lot of text. Scroll down to the section 'Binaries'. You will find 
there a version of GnuPG which it says is 'compiled for MS-Windows'. This 
version will be in the 1.4. something range. Just click on the FTP link next to the 
line that says 'GnuPG 1.4 compiled for Microsoft Windows.' The screen below 
should resemble this section of the website. 


Packages for Debian GNU/Unux me available at the Debian site . 

RPM packages of this software should be available from rpmfind nelwork. 

Packages for other POSIX-IIke operating systems might be available at Unix Security . 

Packages for lUlac OS X should be available at Mac GPG 

Sources and precompiled binanes for RISC OS are available at Stefan Bellon's home page who ported GnuPG to this platform. 

Tiiere is also a version compiled for MS-Windows. Note that this is a command line version and comes with a graphical installer tool. 

GnuPG 1.4.11 complied for Microsoft Windows. B FTP 

Signature and SHA-1 checksum for previous file. FTP 

6311i5129f9iab7d30Z47adeSlicc;790S951eatiiO gnupg-wSZcli-l . 4 . 11 . e«e 

GnuPG distributions are signed It is wise and more secure to ciieck out tor their integrity 

Ityou intend to bulk] GnuPG for the Win32 platform using MinGW, we suggest reading the instructions titled" Building GnuPG for Win32 
using MinGW " wntten by Caho Luciano Bianco. The binary we distnbute has been bull using Debian's mingw32 cross compiler 
package . 

This will download you an .exe file. Depending on your browser, you may have 
to double-click on this downloaded file (which will be called something like 
gnupg-w32cli-l.4.ll.exe) before something happens. Windows will ask you if 
you are sure you want to install this program. Answeryes. 


4. The following installation window should pop-up. 

^ GNU Privacy Guard Setup 

Welcome to the GNU Privacy Guard 
Setup Wizard 

GnuPG is gnu's tool for secure communication and data 
storage, It can be used to encrypt data and to create digital 
signatures, It includes an advanced key management facility 
and is compliant witfi the proposed OpenPGP Internet 
standard as described in RFC-1880, 

Click Ne:<t to continue. 

This is GnuPG version 1.4. 11 
built on 2010-1D-18 10;04Lrn: 
file version 1.4.11,29110 


Please click on the 'Next' button. 

5. The license agreement will be shown as below. Please click on the 'Next' 
button again. 


\^ GNU Privacy Guard Setup 

License y^gisement 

This software is licensed under the terms of tfie GNU General Public License (GPL) 
which guarantees your freedom to share and change Free Software. 

Press Page Down to see the rest of the agreement, 



Version 3, 29 June Z007 

Ccjpyright (C) 2D07 Free Sof^'are Foundation^ Inc. < http:y7f^f.orq/ > 
Everyone is permitted to copy and distribute verbatim copies 
of this license document, but changing it is not aJowed, 


The GNU General Public License is a freer copyleft license for ▼ 

In short: You are allowed to run this softA'are for any purpose, You may distribute it as long 
as you give the recipients the same rights you have received. 

Nullsoft Install System v2, 06 - 


Nent > 


6. The installer will ask you which components you want to install. Just keep 
them all selected and click on the 'Next' button again. 

.\^ GNU Privacy Guard Setup 

Choose Componerts 

Choose which features of GNU Privacy Guard you want to install. 

Check the components you want to install and uncheck the components you dont want to 
install. Click Nest to continue. 

Select components to install: 

Space required; 4.5MB 

Nullsoft Install System v2, 06- 

Position your mouse 
over a component to 
see its description, 

; Back | |~^ 

Next > 


7. Choose an inteiface language. English should be fine. Click 'Next' again. 


(j^ GNU Privacy Guard Setup 

hstdl Options 

GnuPG Language Selection 

en - English 

Nullsoft Install System v2, 06 - 


Next > 


8. The installer will ask you where to put the application on your computer. 
The default setting should be fine in most cases. Click on 'Next' when you 

(3 GNU Privacy Guard Setup 

GiDose Install Loc^ion 

Choose the folder in which tn install GNU Privacy Guard, 

Setup will install GNU Privacy Guard in the following folder. To install in a different folder, dick 
Browse and select another folder, Click. Next to continue. 

Destination Folder 

jUi iiJAiJiLiJiMJi'mmmiiHa 

Space required; 4.9MB 
Space available: SI. 5GB 

Nullsoft Install System v2, 06 - 





9. The installer will ask you how the GnuPG application should be called in the 
start menu. The default name should be fine. Click on 'Next' again. 

i^^-^ GNU Privacy Guard Setup 


Choose 3art Menu Folder 

Choose 3 Start Menu folder for the GNU Privacy Guard shortcuts. 

Select the Start Menu folder in which you would like to create the program's shortcuts. You 
can also enter a name to create a new folder, 


Administrative Tools 




Game Park 


Intel® Matrix Storage Manager 


Microsoft Silverlight 

Mozilla Thunderbird 

l] Do not CTeate shortcuts 
Nullsoft Insliall System v2,06 — 




10. These are all the questions you need to answer. Click 'Install' and the 
installation process will begin. After installation is finished you can click 'Next' 
in the last windows to finish up. You now have GnuPG installed. 

Installing with the Enigmail extension 

After you have successfully installed the PGP software as we described above 
you are now ready to install the Enigmail add-on. 

Enigmail is a Thunderbird add-on that lets you protect the privacy of your 
email conversations. Enigmail is simply an interface that lets you use PGP 
encryption from within Thunderbird. 

Enigmail is based on public-key cryptography. In this method, each individual 
must generate her/his own personal key pair. The first key is known as the 
private key. It is protected by a password or passphrase, guarded and never 
shared with anyone. 

The second key is known as the public key. This key can be shared with any of 
your correspondents. Once you have a correspondent's public key you can 
begin sending encrypted e-mails to this person. Only she will be able to 
decrypt and read your emails, because she is the only person who has access 
to the matching private key. 


Similarly, if you send a copy of your own public l<ey to your e-mail contacts 
and keep the matching private key secret, only you will be able to read 
encrypted messages from those contacts. 

Enigmail also lets you attach digital signatures to your messages. The 
recipient of your message who has a genuine copy of your public key will be 
able to verify that the e-mail comes from you, and that its content was not 
tampered with on the way. Similarly, if you have a correspondent's public key, 
you can verify the digital signatures on her messages. 

Installation steps 

To begin installing Enigmail, perform the following steps: 

Stepl. OpenThunderbird, then Select Tools > Add-ons to activate the Add-ons 
window; the/4c/d-ons window will appear with the default Get Add-ons pane 

Step 2. Enter enigmail in the search bar, like below, and click on the search 


A « 

GetAdd'-ons Exteniions Themes Plugins 


Browse All Add-ans 

EMiG Enigmail 



OpenPGP me^^age encryption and 
authentication for Thunderbird and SeaMonlcey, 

Learn More 

^ Ejdiension 

Add to Thunderbird,,, 


Lcnpard Mail-[>efauH-AqiH ^^^^ '> 

Thistheme isthe skin which can changeyourThunderbird like LeopardMail. 


Step 3. Simply click on the 'Add to Thunderbird' button to start the 

Step 4. Thunderbird will ask you if you are certain you want to install this add- 
on. We trust this application so we should click on the 'Install now' button. 


Software Insta I lation 


Install add-ons only from authors whom you trust. 

Malicious software can damage your computer or violate your privacy. 

You have asked to install the following item: 

?NIG Enigniail (Author m>t vsri^ed) 

^'- httpi;//addons,moiilla,org/thundertjird/download5/file/92940/enigmail-l,l,2-tb-win 

Install [4] Cancel 

Step 5. After some time the installation should be completed and the 
following window should appear. Please click on the 'Restart Thunderbird' 


^ * ;(? fi A 

GetAdd-ons Extensions Themes Plugins Installation 

<i5.' Restart Thunderbird to complete your changes, 

Restart Ttiundeibirii x 


Browse All Add-ons 







OpenPGP message encryption and 
authentication forThunderbird and SeaMonlcey. 

Learn More 


^ Extension Install Complete 



d Mail-Default Ac 

Ilia dddd^tr 



Installing PGP on OSX 

The GNU Privacy Guard (GnuPG) is software which enables 
you to send PGP encrypted or signed emails. It is necessary 
to install this software before being able to do any 
encryption. This chapter covers the installation steps 
required to install GnuPG on Mac OSX. 

Getting started 

For this chapter we assume you have the latest version of: 

• OSX installed (10.6.7) 

• Thunderbird (3.1.10) 

Note on OSX Mail: It is possible to use PGP with the build-in mail 
program of OSX. But we do not recommend this because this option 
relies on a hack of the program which is neither open or supported by 
its developer and breaks with every update of the mail program. So 
unless you really have no other option we advice you to switch to 
Mozilla Thunderbird as your default mail program if you want to use 

Downloading and installing the Software 

For OSX there is a bundle available which will install everythingyou need in 
one installation. You can get it by directing your browser to and clicking on the big blue disk with "Download 
GPGTools Installer" written under it. It will redirect you to another page on where you can actually 
download the software. 

(nb. We are using the latest version Firefox for this manual, so the screens might 
look a little bit different if you are using a different browser) 



('^ ) ^ lU http:/ywvvw.< 

Official Homepage | CPGTqoIb (OperPGP Tools for Apple OS X) 


I m official Homepage 

I GPCJTools (.. 



GPCTools is an open source initiative to bring OpenPCP to Apple OS X in rhie form of an easv installer 

package. This allows you to sign, verify, encrypt, and decrypt files and e-mails. Read the introduction 
to get a detaiied idea of Inow PGP worlc^. 

Tlie project section provides more information about the included applications and related projects. 
And if you have any further questions thai are not listed in the FAQ or if you want to get the latest 
news, please do not hesitate to open the contact section. Finally, if you like you can nnake a donation. 


2. Download the software by choosing 'Save File' and clicking 'OK' In the 



Opening GPGTools-2D110322.dnng 

You have chosen to open 
tl CPCTools-20110322.dmg 

which is a: dmg File 


What should Firefox do with this file? 

COpeiwith Q Choose. ..J 
@Save File 

Q Do this automatical I y for files like this from now on. 

(^ Cancel ) (f 


3. Navigate to the folder where you normally store your downloads (Mostly 
the desktop or the downloads folder surprisingly) en double click the '.DMC 
file to open the virtual disk containing the installer. 

H*! O O [^ Downloads (ZD^ 


4. Open the installer by double-clicking on the icon. 



5. The program will check your computer to see if it can run on the computer. 

(Note, if you're Mac is bought before 2006 it will not have an Intel 
processor required to run this software and the installation will fail. 
Sadly it is beyond the scope op this manual to also take into account 
computers over five year old) 

^ IriEtall CPGTnnIs 

e Introducl 

• Destinatic 

• Installatio 

• Installatio 

• Summary 

Thfs package wjfl run a program to 
determme if the software can be installed. 

To keep your computer secure^ you ihould only run 
prografni or ins tail software from a trusted source. If 
you're not sure about this software's source, click 
Carcel to stop the program and ttie ins; 

(^ Cancel J ((^ Continue J 

fix only) 

Thiswill allow you to use DpenPGPon DSX. 

Note: please close first and have a look at httpi^/ for 
further information. 

( Co Back J ( Continue ) 


You will be guided by the program through the next steps lil<e accepting the 
license agreement. But stop pressing all the OK's and Agrees as soon as you 
come to the 'Installation Type' screen: 

». Install CPCTools 
Standard Install on "Macintosh HD" 

e Introduction 
u Destination Select 
6 Installation Type 
• InitaJlation 
■ Summary 


This will take 43,7 ME of space on your computer. 

Click Instill to perform a standard installation of 
this software on the disk '^Wacinrosh HO". 

( Co Back ) ( Install ) 

6. Clicking 'Customize' will open this screen where you several options of 
programs and software to install. You can click on each one of them to get a 
little bit of information on what is is, what it does and why you might need it. 


». Install CPCTnols 

Custom Install on "Macintosh HD" 

u Introduction 
e Destination Select 
B LnstalJation Typ« 
• InEta'llation 
9 Summary 

Package Name 

5 MacCPCZ 

III GPGMail < 

i3 CPCKeychainAccess 
|3 CPGServkes 

6 GPGPreferences 
^. Enigmail ^ 

Space Required: 36,4 MB 


24,1 MB 


12, J MB 


S,l MB 


7 MB 


203 KB 


1,4 MB 

Remdining: 42,93 GB 

( Go Back ) ( Install ) 

As said in the intro; we advice against using Apple Mail in combination with 
PGP. Therefore you won't be needing 'GPCMail', as this enables PGP on Apple 
Mail, and you can uncheck it. 

'Enigmail' on the other hand is very important as it is the component that will 
enable Thunderbird to use PGP. In the screen shot here it is greyed out as the 
installer wasn't able to identify my installation of Thunderbird. Since this 
seems to be a bug. You can also install Enigmail from within Thunderbird as is 
explained in another chapter. 

If the option is not greyed out in your installation, you should tick it. 

Afteryou checked all the components you want to install click 'Install' to 
proceed. The installer will ask you for your password and after you enter that 
the installation will run and complete; Hooray! 



V Install CPCTnols 

The installation was completed successfully, 

O Introduction 
Destination Select 
6 Installation Type 
tJ Installation 
6 Summary 


The installation was successful. 

Ttie software was installed. 

( Co Back ) i Close ) 

Installing up Engimail 

Step 1. OpenThunderbird, then Select Tools > Add-ons to activate the Add-ons 
window; the/4c/rf-ons window will appear with the default Get Add-ons pane 

In the Add-On window, you can search for 'Enigmail' and install the extension 
by clicking 'Add to Thunderbird ...' 

2. After you open the Add-On window, you can search for 'Enigmail' and install 
the extension by clicking 'Add to Thunderbird ...' 



Get Add-ons 





a 3 



^ £^.^ 

■".-. — 







Browse All Add-ofis 


enPGP message encryption and autherti cation 
for Thuriderbird and StaMonkey. 

Leopard Majl-Defau It-Aqua j_i"j_i WWj-* 

This cheme is the skin wfiich can change yo ur Tin u nde rblrd like LeopardMail. 


iLeopard Mail 

it is a Theme of the Mac Leopard-style which did ILeopand in a model. 

€J® Display Mail User Agent 

V«l!^ Displays icon for 4JS€r agent oi received mails. 


Leopard Mail-DefEult-Graphite 'A"A"A"A'^ 

This tiieme is the skin wfiich can change your Tfiunderbird like LeopardMail. 

See all results (8) 

( Clear Results ) 

( Install...} 

3. Click on 'Install Now' to download and install the extension. 


Be aware that you will have to restart Thunderbird to use the functionality 
of this extension! 

Now that you have successfully downloaded and Installed Enlgmail and PGP 
you can go on to the Chapter that deals with setting up the software for use. 


Installing PGP on Ubuntu 

We will use the Ubuntu Software Centre for installing PGP (Enigmail and 
accessories). First open the Ubuntu Software Center through Applications -> 
Ubuntu Software Center: 

File Edit View Heip 
IMI Installed Software 


< > Get Software 

Ubuntu Software Center 

atured Applications > 



32731 items available 

li /te S3 

office Science i 


Type into the search field 'Enigmail' and search results should be returned 

< > 

Get Si 

oftware ^ 

Search Resi^itts 

\^ enigmait| 

^ Enigmail extension for Ununderbird 
*^ CPC support for Thimderbird 

More Info 

Frencin langu^e paclt^e for Enigmail (transitional package) 
enigm ail-local e-fr 

Finnish language package for Enigmail (transitional package) 
enigm ail-local e-fi 

Norwegian Bokmal language package for Enigmail (transitional package) 
enigm ail-local e-nb 

Swedish language package for Enigmail (transitional package) 
enigm ail-local e-5v 


Highlight the Enigmail item (it should be highlighted by default) and click 
'Install' and you will be asked to authenticate the installation process. 


Authentication is required to 
install software paclcages 

An application is attempting to perform an action that 
requires priviieges. Authentication is required to perform this 


+ Details 



Enter your password and clicl< 'Authenticate'. The installation process will 

File Edit View Help 

IMj Installed Software 
^ In Progress [1) 


French langu^e pack^e for Enigmail (transitional package) 

Finnish langu^e pack^e for Enigmail [transitional package) 

Norwegian Bokmal langu^e pack^e for Enigmail [transitional pack^e] 

Swedish language package for Enigmail (transitional package] 
Slovenian langu^e package for Enigmail (transitional package) 
Czech language package for Enigmail (transitional package) 

Polish language package for Enigmail (transitional package) 


PortL^uese [BR] language pack^e for Enigmail [transitional pack^e] 

Hungarian language package for Enigmail [transitional package) 

20 matching Items 


When the process is completed you get very little feedback from Ubuntu. The 
progress bar at the top left disappears. The 'In Progress' text on the right also 
disappears. Enigmail should now be installed. 


Creating your PGP keys 

You are now ready to start encryption your mails with PGP. You can do this by 
using Enigmail within Thunderbird. Enigmail comes with a nice wizard to help 
you with the initial setup and the important aspect of creating a 
public/private key pair (see the chapter introducing PC P for an explanation). 
You can start the wizard at any time within Thunderbird by selecting 
OpenPGP > Setup Wizard from the menu on top. 

Step 1. This is what the wizard looks like. Please read the text on every 
window carefully. It provides useful information and helps you setup PGP to 
your personal preferences. In the first screen, click on Next to start the 

OpenPGP Setup Wizard 

Welcome to the OpenPGP Setup Wizard 

This wizard helps you to start using OpenPGP right away. Over the next few 
screens we'll ask you some questions to get everything setup. 

To keep everything simple, we make some assumptions about 
configuration. These assumptions try to provide a high level of security for 
the average user without creating confusion. Of course, you can change all 
of these settings after you finish the wizard. You can find out more about 
the OpenPGP features in the Help menu or on the Enigmail website. 

If you have any trouble using this wizard, please let us know by emailing us. 

This wizard is automatically invoked when you first install Enigmail. You can 
also launch it manually from the OpenPGP menu. 

Thank you for choosing Enigmail OpenPGP! 

Would you like to use the wizard now? 

l [Yes, I would like the wizard to get me started 

O No, thanks. I prefer to configure things manually 



Step 2. The wizard asks you whetheryou want to sign all your outgoing mail 
messages. If you do not chose to sign all your messages, you will have to 
specify per recipient if you want to sign your e-mail. Signing all your messages 
is a good choice. Click on the 'Next' button afteryou have made a decision. 


O^&i OpenPCP Setup Wizard 


Digitally Sign Your Outgoing Emails 

OpenPGP allows you to digitally sign your emails. This is like the electronic 
version of signing a letter, and it allows people to be sure that an email is 
really From you. It's good security practice to sign all outgoing email. 

To verify your signed email, people need an OpenPGP-aware mail program. 
If they don't have an OpenPCP-aware mail program they will be able to 
read your email, but the signature will be displayed as an attachment or as 
text around the email message. This might annoy some people. You need to 
chooseif you wantto sign all outgoing email, or if you want to avoid 
sending signed email to some people. 

Do you want to sign all your outgoing email by default? 

> [Ye5, 1 wantto signallof my email ) 

O No, I want to create per-rccipient rules for emails that need to be signed 


<£ Back 

Step 3. On the following screen, the wizard asks you whether you want to 
encrypt a// your outgoing mail messages. Unlike signing of mails, encryption 
requires the recipient to have PGP software Installed. Therefore you should 
answer 'no' to this question, to make sure you can still send normal mails. 
Only answer 'yes' here if you want to prevent Thunderbird from ever sending 
unencrypted malls. Afteryou have made your decision, click on the 'Next' 


^A® OpenPCP Setup Wizard 


OpenPCP allows you to encryptyoLr email messages and any attachments. 
Entryption is like putting a letter in an envelope. It makes things private. 
It's notjiist for "secret" messages, but for everything thatyou would not 
send on a postcard. 

On a technical level, encryption works like a padlock that only the recipient 
has the key for. Unlike signing, to use encryption all the recipients of an 
email need to use OpenPCP. People need to give you their public key 
before you can send them encrypted email (the public key is the pad lock 
we were talking about). 

Unless most of your communication partners have public keys, you should 
not enable encryption by default. 

Shall your outgoing email be encrypted by default? 
O Yes, I have public keys for most of my contacts 

No, I will create per-recipient rules for those that sent me their public 


<£ Back 

Step 4: On the following screen the wizard asl<s if he can change some of your 
mail formatting settings to better work with PC P. It is a good choice to 
answer 'Yes' here. The only serious thing is that it will prevent you from doing 
is sending HTML mail messages. Click on the 'Next' button afteryou have 
made your decision. 


QOIe^ OpenPCP Setup Wizard 


change YoLr Email Settings To Make OperPGP Work More Reliably 

This wizard can change your email settings to make sure there are no 
problems with signing and encrypting email on your machine. These setting 
changes aremostly technical stuff yoL will not notice, though one 
important thing is that email will be composed in plain text by default. 

Do you want to change a few default settings to make OpenPGP work 
better onyour machine? 


Details ... 

O No, thanks 


<£ Back 


Step 5: Now it is time to start creating the keys. In the following screen you 
can select one of your mail accounts, or the default one is selected foryou if 
you have only one mall account. In the 'Passphrase' text box you have to give 
a password. This is a new password which is used to protect your private key. 
It is very important both to remember this password, because you cannot 
read your own encrypted emails any more when you lose it, and to make it a 
strong password. It should be at least 8 characters long, not contain any 
dictionary words and it should preferably be a unique password. Using the 
same password for multiple purposes severely increases the chance of it 
being intercepted at some point. After you have selected your account and 
created a passphrase, click on the 'Next' button. 


QAAI OpenPCP Setup Wizard 

Create Key 

Create A Key To Sign And Encrypt Email 

YoL need to liave a 'key pair' to sign and encrypt email, or to read emails 
that are encrypted. A key pair has two keys, one public and one private. 

Youneed to give yoLr public key to everyone in your contact list who will 
want to verify yoLr signature, or to encrypt email to you. ivieanwtiile, you 
need to keep your private key secret. You must not give it away, or leave it 
unprotected. It can read all the email people encrypt and send to you. It can 
also encrypt email in your name. Because it's secret, it's protected by a 

Account /User ID: 

Johnny Cash <maildemo(> 


Please confirm your passphrase by typing it again 


<£ Back 


Step 6: In the following screen the wizard basically wraps up what actions it 
will take to enable PGP encryption for your account. If you are satisfied with 
the options you chose in the previous windows, click on the 'Next' button. 


QAlik OpenPCP Setup Wizard 


Confirm that the wizard shall now commit these changes 

YoL are almost complete! IFyou click on the 'Next' button, the wizard will 
perform the following actions: 

- Create a new 2048-bit OpenPGP key, valid for S years 
-Activate OpenPGP for your email account 

- Sign all emails by default 

- Do not encrypt emails by default 

-Adjust all recommended application settings 


<£ Back 

Step 7: Your keys are being created by the wizard. Have some patience. The 
progress bar should slowly fill up to the right. The wizard will tell you when 
the keys have been successfully created, then you can click on the 'Next' 
button again. 


OA® OpenPCP Setup Wizard 

Key Creation 

YoLF key is row being generated 

Key Generation Console 
NOTE; Key generation may take up to several minutes to complete. 
Do not exit the application while key generation is in progress. Actively 
browsing or performing disk-intensive operations during key generation 
will replenish the 'randomness pool' and speed-up the process. You will 
be alerted when key generation is completed. 




<£ Back 


Step 8: You now have your own PGP key-pair. The wizard will ask you if you 
also want to create a special file, called a 'Revocation certificate'. This file 
allows you to inform others that your key-pair should no longer be considered 
valid. Think of it as a 'kill switch' foryour PGP identity. You can use this 
certificate in case you have generated a new set of keys, or in case your old 
key-pair has been compromised. It is a good idea to create the file and keep it 
somewhere in a safe place. Click on the 'Generate Certificate' button if you 
want to create the file, otherwise 'Skip'. 

OpenPGP ConPfrm 


Key generation completed! Identitv <> will be used For signing. 

We highly recommend to create a revocation certificate foryour key. This certificate can be Lsed 
to invalidate your key, e.g. in caseyour secret key gets lost or compromised. Do you want to 
create such a revocation certificate now? 

Qskip I is£fiaiecate Certifjtgfcs | 

Step 9: Assuming you have decided to generate a revocation certificate, the 
wizard will askyou where the file should be saved. The dialog may appear a 
bit different on your particular operating system. It is a good idea to rename 
the file to something sensible like my_revocation_certificate. Click on 'Save' 
when you you have decided on a location. 


Create & Save Revocation CertiFkate 

Name: (0xSB8S5D26) rev.asc 

Save in Folder: 

Bdentoir ;; 

►• Browse For ottier I'olders 

Cancel Save ^ 

Step 10: Assuming you have decided to generate a revocation certificate, the 
wizard informs you it has been successfully stored. 

OpenPCP Alert 

The revocation certificate has been successfully created. You can use it to invalidate your public 
key, e.g. in caseyou would loseyour secret key. 

Please transfer It to a medium which can be stored away safely such as a CD or Floppy Disk. If 
somebody gains access to this certificate they can use it to render your key unusable. 


Step 11: The wizard will inform you it has completed its setup. 


OAIe^ OpenPCP Setup Wizard 

Thank you 

OpenPGP is now ready to use. 
Thank you for using Enigmail. 

1 ©cancel ' 

f i Back 

Finish 1 

Congratulations, you now have a fully PGP-configured mail client. In the next 
chapter we will explain how to manage your keys, sign messages and do 
encryption. Thunderbird can help you do a lot of these things automatically. 


Daily PGP usage 

In the previous chapters we have have explained how to set up a secure mail 
environment using Thunderbird, PGP and Enigmail. We assume you have 
installed the software and have successfully followed the wizard instructions 
to generate an encryption key-pair as described in the previous chapter. This 
chapter will describe how to use your secured Thunderbird in daily life to 
protect your e-mail communication. In particular we will focus on: 

1. Encrypting attachments 

2. Entering your pass-phrase 

3. Receiving encrypted e-mail 

4. Sending and receiving public keys 

5. Receiving public keys and adding them to your key ring 

6. Using public key servers 

7. Signing e-mails to an individual 

8. Sending encrypted e-mails to an individual 

9. Automating encryption to certain recipients 

10. Verifying incoming e-mails 

11. Revoking your PGP key pair 

12. What to do when you have lost your secret key, or forgot your 

13. What to do when your secret key has been stolen, or compromised 

14. Backing up your keys 

First we shall explain two dialog windows that will inevitably appear after you 
start using Thunderbird to encrypt your emails. 

Encrypting attachments 

The dialog window below will pop-up whenever you are sending an encrypted 
email with attachments for the first time. Thunderbird asks a technical 
question on how to encrypt attachments to your mail. The second (default) 
option is the best choice, because it combines security with the highest 
compatibility. You should also select the 'Use the selected method for all 
future attachments' option. Then click 'OK' and your mail should be sent with 
no further delay. 


Open PGP Prompt 


Thi^ message contains attachments, How would you like encrypt/sign them? 

Jkist encrypt/sign the message tejrt, but not the attachments 

(^ Encrypt/sign each attachment separately and send the message using inline PGP 

O Encrypt'sign the message as a whole and send it using PGP/MIME 

NOTE; PGP/MIME is only supported by a limited number of mail clientsl On Windows only 
Moiilla/Thunderbird, Sylpheed, Pegasus and Mulberry are known to support this standard; on 
Linu^t'UNIXand Mac OSX most popular mail clients support it, If you are unsure select the 
second option, 

FT] Use the selected method for all future attachments 



Enteringyour pass-phrase 

For security reasons, the pass-phrase to your secret key is stored temporarily 
in memory. Every now and then the dialog window below will pop-up. 
Thunderbird asks you for the pass-phrase to your secret key. This should be 
different from your normal email password. It was the pass-phrase you have 
entered when creating your key-pair in the previous chapter. Enter the pass- 
phrase in the text-box and click on 'OK' 

Open PGP Prompt 


j^^l Please type in your OpenPGP passphrase oryour SmartCard PIN 

1 1 1 

IE Rememb 

erforS idle min 




Receiving encrypted e-mails 

The decryption of e-mails is handled automatically by Enigmail, the only 
action that may be needed on your behalf is to enter the pass-phrase to your 
secret key. However, in order to have any kind of encrypted correspondence 
with somebody, you will first need to exchange public keys. 


Sending and receiving public keys 

There are multiple ways to distribute your public key to friends or colleagues. 
By far the simplest way is to attach the key to a mail. In order for your friend 
to be able to trust that the message actually came from you, you should 
inform them in person (if possible) and also require them to reply to your 
mail. This should at least prevent easy forgeries. You have to decide for 
yourself what level of validation is necessary. This is also true when receiving 
emails from third-parties containing public keys. Contact your correspondent 
through some means of communication other than e-mail. You can use a 
telephone, text messages. Voice over Internet Protocol (VoIP) or any other 
method, but you must be absolutely certain that you are really talking to the 
right person. As a result, telephone conversations and face-to-face meetings 
work best, if they are convenient and if they can be arranged safely. 

Sending your public key is easy. 

1. In Thunderbird, click on the 




2. Compose a mail to your friend or colleague and tell them you are sending 
them your PGP public key. If your friend does not know what that means, you 
may have to explain them and point them to this documentation. 

3. Before actually sending the mail, click to OpenPGP > Attach My Public Key 
option on the menu bar of the mail compose window. Next to this option a 

marked sign ^ will appear. See the example below. 


f^^ WrlfP:^FnriinfjyfiijmvpijhlirtPV . ^ ■ [ ^ M^] p^Sj 

File Edit View O^tioni 

OpenPGP 1 Taah Help 

■/ Sign Message CtrkShift+5 
Encrypt Message Ctrl+Shjft+E 
Uie PGP/MIMEfor This Message 
Undo Encryption 


Ftom: ^ohs^ny Cash -^ mail 


To:|ii fri 

[- 1 

■/ Attach My Public Key 


Subject Sending you my public key 

Hi there, 

A5 ue discussed, i hereby am sending you my PGP public key. Please 
confirm that you havs received this message. 



1.^- ^1 ^^ .: 

4. Send your mail by clicking on the 



Receiving public keys and adding them to your keyring 

Lets say we receive a public key from a friend by mall. The key will show up In 
Thunderbird as an attached file. Scroll down the message and below you will 
find tabs with one or two file names. The extension of this public key file will 
be .asc, different from the extension of an attached PC P signature, which 
ends with .asc.slg 

Look at the example email In the next Image, which Is a received, signed PGP 
message containing an attached public key. We notice a yellow bar with a 
warning message: 'OpenPGP: Unverified signature, click on 'Details' button 
for more Information'. Thunderbird warns us that the sender Is not known 
yet, which Is correct. This will change once we have accepted the public key. 

What are all those strange characters doing In the mail message? Because 
Thunderbird does not yet recognize the signature as valid. It prints out the 
entire raw signature, just as It has received It. This Is how digitally signed PGP 
messages will appear to those recipients who do not have your public key. 


The most important thing in this example is to find the attached PGP public 
key. We mentioned it is a file that ends with .asc. In this example it's the first 
attachment on the left, in the red circle. Double-clicking on this attachment 
will make Thunderbird recognize the key. 

^ kal^l 

Q Inbox - K/tozillid Thurkd-eibird • ^^^^^^^^^^^^^^^^^M 

Rie Edil View So Menage OpenPSP Toab Help 
^ Get Mail - I^Wrrte J] Addiess Boot --Tag- Qj^ Deziypi 

-i In box 
g Drafts 

■I Lou1 Folders 

O OpenPGP Unverified signature; dick on 'Detdils' button form 

■^ Quick Filter 

' Johnny Cash 

It Datp 

I ^ reply ' I b^ forward I 

from You 
ubjeft PGP mail t 

Ir this example I have sent myself 5 new key! Look at the attachment at 
the lower end o-F this window. It is the left one you will want. 
Oouble-click on it! 


Version: GruPG ul.4.11 (>lirgW32> 

Commert: Using GnuPG witln Hozilla - http : //erigmail . mozdev . org/ 



After we have clicked on the attachment, the following pop-up will appear. 

OpenPGP Confirm 

m/\ The attachment '0x426820AF.asc' you are opening appears to be an OpenPGP key file. 

Click 'Import' to import the keys contained or 'View' to view the file contents in a browser window 
I Import I View 

Thunderbird has recognized the PGP public key file. Click on 'Import' to add 
this key to your keyring. The following pop-up should appear. Thunderbird 
says the operation was successful. Click on 'OK' and you are almost done. 

OpenPGP Alert 

The ke/fs] were successfully imported 

gpg: key426820AF: "Johnny Cash <maildemo©>" not changed 
gpg; Total number processed; 1 
gpg; unchanged; 1 



We are back in the main Thunderbird screen and we refresh the view on this 
particular example message, by clicking on some other message and back for 
example. Now the body of the message looks different (see below). This time 
Thunderbird does recognize the signature, because we have added the public 
key of the sender. 

^ Inbox -MozillaTTiundeitird ^BJ^H^^^^^^ 

^ l-=l^l»i3j' 

File Edit View Go Message 

(^GelMail - |=^Wrrte J| Addics Bool: '"<; Tag- [^ Dcciypi 

Search all mess3gei..^Ctrl4-K> 




All Foldtr^ 4 k 

■^ Quick Filter: • 8 <i » 

Filter these messages. 

^CM^F:^ fl 1 


]5 Drafts 



> 11 Locd FoUers 

t \i ® Subject 


« Date '\m 

® PGP mail teff 

■ UvwyCa^ 

• 17:14 1 

(3 „ ppp UMTRUSTEDGoodsigrMturefiomJohnnyCash •; 
^^" Key ID: Oh425S20AF / Signed ore 29-4-2011 17:14 

from You-- 
subject F^PmaiUest 



1 LS^ rep^ - 1 *^ foiwaid 

lilj aichive ^ junk X dekete 
^ 17:14 

other adFons- 

Ir this example I have sent m/self a new 
the lower end of this window. It is the 1 
DoLble-click or it! 

keyl Look at the attachment at 

sft one you will want. 


□ 0rf26a2DAF.a5c |_| Dx426a20AF.asc.iig 11 


Unread ToEat 1 .i? \\ 

There is still one thing that remains. While Thunderbird now recognizes the 
signature, we should explicitly trust that the public key really belongs to the 
sender in real life. We realize this when we take a closer look at the green bar 
(see below). While the signature is good, it is still UNTRUSTED. 

g^ p^p UNTRUSTED Good signatjrefrom Johnny Caih <maildemQ©greenho^tnl> ne^ ■] 

^" Ke^ID;0x426S20AF/Signedon:29-4-201117:14 Details- 

We will now decide to trust this particular public key and the signatures 
made by it. We can do this immediately by clicking on 'Details'. A small menu 
will appear (see below). From this menu we should click on the option 'Sign 
Sender's Key ...'. 


from VauO 
to Vouli 

gratu re from Johnny Ca; 
Signed on; 29-4-2011 17; 








Sign Sender's Key... 




In thi5 example I hav 
the lower end of this 
Double-tlick on it! 

5ent my5elf a ne 

w key! 



ne yo 

t the attachift 
Mill want. 

nt at 

□ M25a20AF,asc 

LJ 0:i426a20AF,^sc,fig 

After we have selected 'Sign Sender's Key ...' we will get another selection 
window (see below). We are requested to state how carefully we have 
checked this key for validity. The explanation of levels of trust and trust 
networks in PGP falls outside the scope of this document. We will not use this 
information, therefore we will just select the option '1 will not answer'. Also 
select the option 'Local signature (cannot be exported)'. Click on the 'OK' 
button to finishing signing this key. This finishes accepting the public key. You 
can now send encrypted mail to this individual. 

OpenPGP - Sign Key l^^^ 

Key to be signed; Johnny Cash <maildemo©> - Om426S20AF 
Fi n g erpri nt; 6DE6 7498 0697 00 BF 3 ED2 90 CD 8 DAD 7 C57 4268 20AF 

Key for signing; Emile <> - 0xD3181112 t 

Howcarefully have you verified that the key you are about to sign actually belong&to the per&on(&] named above? 

® i ] will not answer 

■ © 1 have not checked at all 
© I have done casual checking 
© I have done very careful checking 

[7] Local signature (cannot be exported] 

[ OK I 1 Cancel 


Using public key servers 

Another method of distributing public keys is by putting them on a public key 
server. This allows anyone to check whetheryour email address has PGP 
support, and then download your public key. 

To put your own key on a keyserver, take the following steps. 

1. Head to the key manager by using the Thunderbird menu and click on 
OpenPGP > Key Management 


JQ"! indil[lemo@>greenlHHLnl 



J ^ ^mileS>gre^nliast n I 

(4j Inbox (675) 

13 drafts 

■ s.~. 

2. The key management window will be displayed and looks like this: 

l ^fa^ " 

) OpenPGP Key M^n^gement 

File Edit View Keyserver Generate 
Search for 

[7] Display All Keys by Default 


3. You need to have selected the 'Display All Keys by Default' option to get a 
list of all your keys. Lookup your own email address in the list and right click 
on the address. A selection window will appear with some options. Select the 
option 'Upload Public Keys to Keyserver'. 


OpenPGP Key fvlanagemeni 



File Edit View Keyserver Generate 

Keys by Default 

Search for: 

1 Clear DisplayA 


Key ID B 

Copy Public Keys t& Clipboard 

Export Keys to File | 

Send Public Keys by Email 

Upload Public Keys to Keyserver 

Refresh Public Keys From Keyserver 

Sign Key 

Set Owner Trust 

Disable Key 

Revoke Key 

Delete Key 

Manage User IDs 

Change Passph rase 

Generate SLSave Revocation Certificate 



4. You will see a small dialog window like below. The default server to 
distribute your keys to Is good. Press 'OK" and distribute your public key to 
the world. 

Select Key5en/er 


Send public key 0j96DF66FD - Emile 
^emile©> to keyserver 

Keyserver rBB! 



To look up whether some email address has a public key available on a server, 
take the following steps. 

1. Head to the key manager by using the Thunderbird menu and click on 
OpenPGP > Key Management 

2. In the key manager window menu bar, select Keyserver > Search for Keys 


C^ OpenPGP Key Managemeni 

I ^ 1^^ ^ 

File Edit View 
Search for 


> Emtle<'eniilel 

Keyserver] Generate 

Refresh Selected Public Keys 
Seaich for Keys 

Upload Public Keys 
Refresh All Public Keys 

[7] Display All Keys by Default 

Key ID .g| 


3. In this example we will look-up up the key for the creator of PGP software, 
Philip Zimmermann. After we have entered the email address, we click on 

Select Keyserver 


Seaich for key 


pool, ■» 



4, The next window displays the result of our search. We have found the 
public key. It is automatically selected. Just click on 'OK' to import the key. 


DoivnloadOpcnPSPKeys 9 


Found Keys- Select to Import 

Account/ User ID 


5. Importing the key will take some time. On completion you should see a 
pop-up window like below. 

Open PGP Alert 



requesting key B2D7795Efrom hkp server 
key BZD77g5E: public key "Philip R. Zimmerrnann <prz©>" imported 
3 marginalft] needed, 1 completers] needed, PGP trust model 
depth; valid; 1 signed; trust; 0-, Oq, On, Om, Of, lu 
neit trurtdb check due at 20ie-Q4-2g 
Total number processed; 1 
imported; 1 

6. The final step is to locally sign this key, to indicate that we trust it. When 
you are back in the key manager, make sure you have selected the 'Display All 
Keys by Default' option. You should now see the newly imported key in the 
list. Right-click on the address and select the option 'Sign Key' from the list. 


C5? OpenPGP Key Management^ 


Frle Edrt View Keyserver Geiveraie 
Search fos: 

[7] Display All Keys by Default 


[> Emile <cni ile@>gr€cnhasLiil> 


Key ID S 


Copy Public Keys to Clipboard 
Export Keys to File 
Send Public Keys by Email 
Upload Public Keys to Keyserver 
Refresh Public Keys From Keyserver 

Sign Key 

Set Owner Trust 

Disable Key 

Revoke Key 

Mete Key 

Manage User IDs 

Change Passphrase 

Generate 6i Save Revocation Certificate 

7. Select the options 'I will not answer' and 'Local signature (cannot be 
exported)', then click on 'OK'. You are now finished and can send Philip 
Zimmermann encrypted mail. 


OpenPGP - Sign Key 

Key to be signed; Philip R. Zimmermann <> -OxB2D7795E 
Fingerprint; 055F C78F 1121 9349 2C4F 37AF C74& 3639 B2D7 795E 

Key for signing; Emile <emile©greenho&> -0::96DF66FD 

How carefully have you verified that the key you are about to sign actually belong&to the per5on(s] named above? 
&f) I will not answer 

© ] have not checked at alt 

^ I have done casual checking 

i£) Ihavedonevery careful checking 

W\ Local signature [cannot be eHportei^ 

Signing emails to an individual 

Digitally signing email messages is a way to prove to recipients that you are 
the actual sender of a mail message. Those recipients who have received your 
public key will be able to verify that your message is authentic. 

1. Offer your friend your public key, using the method described earlier in this 


2. In Thunderbird, click on the 

Write 1 

3. Before actually sending the mall, enable the OpenPGP > Sign Message 
option via the menu bar of the mail compose window, if It is not enable 
already. Once you have enabled this option, by clicking on it, a marked sign 

"^ will appear. Clicking again should disable encryption again. See the 
example below. 

: Write; Whaf ; up? 
File Edit View Ofitio 

jBjSend \'^^i\l ■ (^ ^ SignMei 

Encrypt Me! 

; [OpenPGP] Jook Help 



Use PGP/MIMEfor This Mes 
Undo Ercryptior 
Attach My Public Key 



Subject What's up? 

I have signed this message with PGP to proof that it is really me. 


click on the 

[Send I 

button and your signed mail will be sent. 

Sending encrypted mails to an individual 

1. You should have received the public key from the friend or colleague you 
want to email and you should have accepted their public key, using the 
method describe earlier in this chapter. 

2. In Thunderbird, click on the 




3. Compose a mail to the friend or colleague, from who you have previously 
received their public key. Remember the subject line of the message will not 
be encrypted, only the message body itself, and any attachments. 

4. Before actually sending the mail, enable the OpenPGP > Encrypt Message 
option via the menu bar of the mail compose window, if it is not enabled 
already. Once you have enabled this option, by clicking on it, a marked sign 

I ^ will appear. Clicking again should disable encryption again. See the 
example below. 

^ImB^ ' 

I; ■contains private- content 

File Edit View Options [QpenPGP ] Jooli Help 

F[om; Johnny Cash ■< 

■/ Sign Message Ctrl+5hift+^ 

•/ Encrypt Message Ctrl+Shift+E 

Use PGP/MIMEfor This Message 

Undo Encryption 

Attach My Public Key 


- Hsav= - 

Subject ESE rnail; contains private content 

Hello liohnny. 

glad to finally have private correspondence with you. 
This mail will be encrypted with PGP- 


Click on the 


button and your encrypted mail will be sent. 

Automating encryption to certain recipients 

You will often want to make sure all your messages to a certain colleague or 
friend are signed and encrypted. This is good practice, because you may 
forget to enable the encryption manually. You can do this by editing the per- 
recipient rules. To do this we access the OpenPGP per-recipient rule editor. 

Select OpenPGP > Preferences from the Thunderbird menu bar. 

I InboK - - Mozilla Thunderbird 

File Edit View Go 
A, Get Mail ' I i/ Write I 

{^\ Infafxx - fliiaBileinD@gree«ihi 

All Folders 

4 I 

J ^ malldem o@ g reer 


fj!? Trash 
' ^ em ile@g 
^ Inbox (8753 

|j Drafts 

OpenPGPj lools Help 

Save Decrypted Message 


Ke^ Management 


Setup Wizard 

About OpenPGP 

:ifcate - Inbox - 




The preferences window will appear like below. We need to click on 'Display 
Expert Settings'. 

Open PGP Preferences 



Basic Settings 

Files and Directories 

GnuPG was found in C:\Program FilesVGNUVGnuPGVgpg.este 

Oi Override with: I 

Passphrase settings 

Remember passphrase for i@ minutes of idletime 

I [n] Wever ask for any passphrase 


Display Expert Settirtgs 




New menu tabs will appear in the window. Co to the tab 'Key Selection' and 
then click on the button labeled 'Edit Rules ...' 


Open PGP Preferences 

Basic I Sending Key Selection Advanced | Keyserver] Debugging] 

How should we choose the keys? 

© By pre-set rules only 

1^ By rules and email addresses 

i'^ ■ By email addresses 

(^; Manually 

© No manual key selection 

Edit Rukss! 



We are now shown the per-recipient rules editor (see below). This editor can 
be used to specify the way how messages to certain recipients are sent. We 
will now add a rule saying we want to encrypt and sign all mall messages to 

First click on the 'Add' button. 


OpenPGP - Per-Recipient Rules Editor 

ViEW rules with email addresses containing; | 
Email OpenPGP Key(5] 


Encrypt PGP/MIME B 


Move Lip 

Move Down 


Now the window to add a new rule will be shown. 

The first thing we should enter Is the email address of the recipient. In the 
example below we have entered 


OpenPGP - Recipient Settings 

Set OpenPGP Rules for 

fSeparate several email 
addresses with spaces) 

Apply rule if recipient Is exactly ^ one of the above addresses 


© Continue with neKt ruleforthe matching address 
Q Do not check further rules for the matching address 
1^1 Use the following OpenPGP keys; 

[none - no encryption) 


Yes, if selected in Message Composition 



Yes, if selected in Message Composition 



Yes, if selected in Message Composition 


[Note; in case of conflicts, 'Never' overrules 'Always') 


Select Key[s}... 



Now we will set the encryption defaults by using the drop-downs below. For 
Signing select 'Always'. For Encryption also select 'Always'. 


Open PGP - Recipient Settings 

Set OpenPGP Rules for 

[Separate severer email 
addresses with spaces) 

Apply rule if recipient Is exactly ^ one of the above addresses 


Q Continue with neri: ruleforthe matching address 
Q Do not check further rules for the matching address 
Igi LPsethefoliowing OpenPGP keys; 

fnone - no encryption) 

Select Keyts].., 

Defauftifor . 


Aiways ▼ 


iAjways ; t 


Ves, if selected in Message Composition -r 

(Note; in cas 

e of conflicts, 'Never' overrules 'Always') 




Finally we have to select the public key of the recipient, with which to encrypt 
our messages. Do not forget this important step, otherwise the e-mail will not 
be encrypted. Click on the button labeled 'Select Key(s)...'. The key selection 
window will show up. The most obvious key will be selected by default. In the 
example below, we only have one public key available. We can select keys by 
clicking on the small box next to the address. Then we click 'OK' and close all 
relevant windows and we are finished. 


OpEnPGP Key Selection 


Select OpenPGP Key(s) to use for 

Account/ User ID 

i l -HiiH II -HiiH-il-U-l-li 


Key ID 

Refresh Key List Download missing keys 

Verifying incoming e-mails 

Decrypting email messages sent to you will be fully automatic and 
transparent. But It is obviously important to see whether or not a message to 
you has in fact been encrypted or signed. This information is available by 
looking at the special bar above the message body. 

A valid signature will be recognized by a green bar above the mail message 
like the example image below. 

Pi ^ ^^^ Good siqnaturefrom Johnny Cash <> „ .. i 

I ^ Key ID: 0>i4Z6aZDAF/ Signed on: 29-4-2311 17:14 

The last example message was signed but not encrypted. If the message had 
been encrypted, it would show like this: 

S n prp decrypted message; Good signaturefrom Emile^> p. . 

'"" KeyID;0i631Dai9/Signedon;30-4-2(11116;01 '"' 

When a message which has been encrypted, but not signed, it could have 
been a forgery by someone. The status bar will become gray like in the image 
below and tells you that while the message was sent securely (encrypted), the 
sender could have been someone else than the person behind the email 
address you will see in the 'From' header. The signature is neccessaty to verify 
the real sender of the message. Ofcourse it is perfectly possible that you have 
published your public key on the Internet and you allow people to send you 
emails anonymously. But Is It also possible that someone is trying to 
impersonate one of your friends. 


J QpenPGP Decrypted message 

Similarly if you receive a signed emaW from somebody you know, and you have 
this persons public key, but still the status bar becomes yellow and displays a 
warning message, it Is likely that someone is attempting to send you forged 

QpenPGP Uiwerified signature; dick on 'Details' button for more information 

Sometimes secret keys get stolen or lost. The owner of the key will inform his 
friends and send them a so-called revocation certificate (more explanation of 
this in the next paragraph). Revocation means that we no longer trust the old 
key. The thief may afterwards still try his luck and send you a falsely signed 
mail message. The status bar will now look like this: 

H ^ p(-p REVOKEDKEVGood signaturefrctm Emile^emile@greenho,st.r.l> 
upenKur Ke^iD;0»D31S1112/Signed on:30-4-2[)ll 16:29 

Strangely enough Thunderbird in this situation will still display a green status 
bar! It is important to look at the contents of the status bar in order to 
understand the encryption aspects of a message. PGP allows for strong 
security and privacy, but only if you are familiar with its use and concepts. 
Pay attention to warnings in the status bar. 

Revoking your PGP key-pair 

Your secret key has been stolen by somebody. Your harddisk crashed and you 
have lost all your data. If your key is lost, you can no longer decrypt 
messages. If your key has been stolen, somebody else can decrypt your 
communication. You need to make a new set of keys. The process of creating 
keys, using the OpenPGP wizard in Thunderbird, has been described in this 
manual. But first you want to tell the world that your old public key is now 
worthless, or even dangerous to use. 

What to do when you have lost your secret key, or forgot 
your passphrase 

During the creation of your key-pair, the OpenPGP wizard offered you the 
possibility to create a so-called revocation certificate. This is a special file you 
send to others in the advent you have to disable your key. If you have a copy 
of this file, sending the revocation key is simply sending the file as an 
attachment to all your friends. You can no longer send signed mails 
(obviously, because you have lost your secret key). That doesn't matter. Send 
it as a normal mail. The revocation certificate file could only have been 
created by the owner of the secret key and proofs he or she wants to revoke 
it. That's why it should normally be kept hidden from others. 


If you do not have the revocation certificate, there exists no other option 
than foryou to contact your friends personally and convince them your key is 
lost and that they should no longer trust it. 

What to do when your secret key has been stolen, or 

If you have reason to believe your secret key has been compromised, or 
worse your secret key and passphrase, it is very important to contact others 
that they should stop sending you encrypted messages. With your secret key, 
other persons will be able to break the encryption of your e-mail messages if 
they also have your passphrase. This is also true for those messages you have 
send in the past. Cracking the passphrase is not trivial, but it may be possible 
if the party has lots of resources, like a state or a big organization for example, 
or if your passphrase is too weak. In any case you should assume the worst 
and assume your passphrase may have been compromised. Send a revocation 
certificate file to all your friends or contact them personally and inform them 
of the situation. 

Even after you have revoked your old key pair, the stolen key may still be used 
to decrypt your previous correspondence. You should consider other ways to 
protect that old correspondence, for instance by re-encrypting it with a new 
key. The latter operation will not be discussed in this manual. The chapter on 
'Securing personal data' may be of some help. If you are uncertain you should 
seek assistance from experts or lookup more information on the web. 

Receiving a revocation certificate 

If one of your friends sends you a revocation certificate, he asks you to 
distrust his public key from now on. You should always accept such a request 
and 'import' the certificate to disable his key. The process of accepting a 
revocation certificate is exactly the same as accepting a public key, as has 
already been described in the chapter. Thunderbird will askyou if you want to 
import the 'OpenPGP key file'. Once you have done so, a confirmation pop-up 
should be displayed like below. 

OpenPGP Alert '^^^^^^^^^^H l^^^l 

The key[s] were successfully imported 


keyBFDlZ47E; "Emile <emile©>" revocati&n certificate imported 
Total number processed; 1 

new key revocations; 1 
3 marginal[s] needed, 1 completers] needed, PGP trust model 
depth: valid; 1 signed; □ trust; □-, Oq, On, Om, Of, lu 
nerttmstdb check due at 2016-04-28 


Preparing for the worst: backup your keys 

Your keys are usually stored on your harddisk as normal files. They may get 
lost If your computer gets damaged. It Is strongly advised to keep a backup of 
your keys In a safe place, like a vault. Making a a backup of your secret key 
has another security advantage as well. Wheneveryou fearyour laptop or 
computer Is In Immediate danger of being confiscated, you can safely delete 
your key-pair. Your email will be rendered unreadable Immediately. At a later 
stage, you can retrieve your keys from the vault and re-Import them In 

To make a backup of your key-pair, first head to the key manager by using the 
Thunderblrd menu and click on 
OpenPGP > Key Management. 

You need to have selected the 'Display All Keys by Default' option to get a list 
of all your keys. Lookup your own email address in the list and right click on 
the address. A selection window will appear with some options. Select the 
option 'Export Keys to File'. 

B \m£kd ' 

Cj OpenPGP Key iVt^nagem 

File Edit View Keyserver Generate 
Search for. 

W\ Display AHi Keys by Default 

Copy Public Keysto Clipboard 

Export Keys to File 

Send Public Keys by Email 

Upload Pubfic Keys to Keyseivei 

RefreEh Public Keys From Keyserver 

Sign Key 

Set Owner Trust 

Disable Key 

Revoke Key 

Delete Key 

Manage UseilDs 

Change Passphrase 

Generate & Save Revotation Certifitate 

Key ID S 

Now we will save the key-pair to a file. Thunderbird asks us if we want to 
include the secret key as well. We do want to include the secret key, therefore 
we select 'Export Secret Keys'. 

OpenPGP Alert 


Do you want io include the secret key in the saved OpenPGP key file? 

I Export Publiic Keys Only 

Esport Secret Keys 


Finally Thunderbird asks us for the location of the key file. You can store the 
file anywhere you like, network disk, USB-stick. Just remember to hide it 
away from other people. 

Further reading 

More documentation on using PGP with Thunderbird can be found on the 
website of the Enigmail plugin. The Enigmail handbook is the guide you will 
want to use. 


Webmail and PGP 

The current browsers on the market unfortunately do not come bundled with 
PGP support. When you are using PGP to send e-mail, your encrypted e-mail 
messages cannot automatically be decyphered by your browser. You will see 
garbled text instead of messages. Nevertheless there exists a Firefox plugin 
called FireGPG which does add PGP support to the browser. 

In this chapter we will describe how to use FireGPG to be able to combine the 
use of PGP with webmail. FireGPG has extra purposes as well. In fact, using 
FireGPG you can encrypt just about any plain text communication one the 
web (like forum post, blog messages etc.) with PGP. 

Caveats with using webmail 

In general it is best to use a mail program like Thunderbird in stead of using 
Webmail. Accessing your webmail from an untrusted environment like an 
Internet cafe is discouraged, because you cannot guarantee your password or 
traffic will not be intercepted. Using PGP in that situation may even make 
matters worse. Your secret key and passphrase, which you carry around on an 
USB-stick, may be read by a malicious program on the computer. In short, 
only use FireGPG to access your webmail in an environment you trust. 

Installing FireGPG 

NOTE: The latest official version of FireGPG supports only Firefox 3.6. During 
the creation of this manual we also worked on making an updated version of 
the plugin for Firefox 4.0. It should hopefully become available on the website 
of the developer soon. If you are keen on using FireGPG now, you will have to 
stick to Firefox 3.6 

Please also note that using gmail with FireGPG is problematic at best. There 
used to be special support for gmail in FireGPG, but it is no longer up-to-date. 

These are the steps necessary to install FireGPG. 

1. Go to the website 

2. On the upper side of the website, click on Install > Install FireGPG. 

3. Download the extension by clicking on 



4. Firefox will ask you whether you want to allow to install the extension. 
Click on Allow. 

5. Firefox will ask you whether you want to begin installing the extension. 
Click on Install now. 

5. The installation window should appear like below. Click on Next to begin. 

FireGPG Assistant - Welcome 

FireGPG Assirtant ^ 

Welcome! The assstan.t will help you to configure FireQPQ. If you're a new i^et it's recommended to follow it to get a working configuration, 
WKal ever you choose to do. youwiibeableto use the option windows to change any option later. 

Here is some information about icons and color used: 

O Thb suggest a Kilutiort or something you should do 
Q Thbissomethiriiggoo^d 
W Thisisa problem 

This is for advanced users. If you don't understand it, don't worry and don't change it, 
This means help IS available. Mouse over the icon for the tooltip. 


6. You should have GnuPG installed, as has been described in the chapters 
about Installing PGP. In the next window of the FireGPG installer, it tells us it 
has found GnuGPG. Click on Next. 


FireGPG Assistant - GnuPG 



FireGPG u&e&QnuPGto handle any pgp operation. Tlii& means GnuPQ must be in stalled for FireQPQ to work, 
Q GnuPG seemsto beaccessibleand working. 

5? Do yoii want to set a custam homedir for GnuPG ? 
I Set a home ditr 


7. In the next window FireGPG asks you wiietheryou want to enable special 
gmail functions. Alas, those functions are broken. Click on 'Enable gmail 
support' to disable the option. Click Next. 

FireGPG Assistant - Gmail 

Gmail support 

FireGPG can he integrated with gmail: additional buttons to encrypt and/or sign mails are added and you will be 
able to decrypt and verify signatures oF any email that contains them. 

n [Enable gmail support 

Stop I 


8. In the next window FireGPG asks you foryour default secret key to decrypt 
messages with. If you have more than one e-mail address with PGP, you can 
select the preferred one. If you select 'Ask for private key' FireGPG will ask 
you for the key every time you sign a message. In the example below we have 
selected the single secret PGP key we will use. Afteryou have made a 
decision, click Next. 

Private k&y 

The PGP s-yEtem works with a private key and a public key. You sign messages with your pnvate key and an other user verifies your signature with 
your public key, If they want to send to you a message they useyour public key. and you, and only you. car decrypt it with your private key, 

© You hsve at least one prh/ate key in you r keyrin 
O Set a defairlt k«r 

iaine Id Created Expire B 

Ask for private key 

9. FireGPG asks you for installation components. The default components are 
fine. Click on Next. 


FireGPG Assistarl - Optioris ^U 


Here you tan ^et global options for some FireGPG features; 

[V] Enable Inline detection 
Disable GPG-AgenI 
W\ Enable FireGPG API 

rn Enable gpgAuth 


10. The installation should now be finished. Click on Close. 

FireGPG Assistant - Done J _ ^^C^^^^K" iaw^^l 

Done! -3 

Assistant is now done, Now you should be able to use FireGPG. 

9 Read the documentation 

You will find seme links en this page 

O Translate FireGPG 

Horrible mistake in your language for FireGPG? Here is the website! 

O Help FireGPG 

How to contribute to FireGPG 
Report a bug or ask for a new feature 


Working with FireGPG 

FireGPG works by selecting blocks of plain text in text boxes and doing 
actions on the them, like decryption, encryption, signing, etc. You can actually 
also use FireGPG to do basic key management like importing a public key. 

The keyring FireGPG works with is the same one that you use with 
Thunderbird, so your PGP actions will be compatible and synchronized. 

Example of decrypting an e-mail or text 

A PC P encrypted message directed to yourself should automatically be 
detected by FireGPG. You can recognize a decrypted message by the following 


Display onainal | Decivpt | Switch 

Click on 'Decrypt' to display the message. 
Example of encrypting an e-mail or text 

when you have the public key of the recipient on your keyring, select the 
piece of text you want to encrypt by mouse, then right-click on it. You will a 
sub-menu called FirePGP. Select FirePGP > Encrypt. See the example below. 


(/j) green host 

^ E-Msil Q Address Book |^ Setlings Q) Help @ LcgDul 

<* H ^-1^ # ^^Affl a 


Sender | niajJfl6nm@gree/i1osLriJ ; | 

KeciBieni |onnetev@gmaJLcom 

Add Cc 1 A*t ace 1 Atftl Reply-To 

Subject 1 E^ mail - please decrypt the body 





Sendnow Cancel ^HyUllH EditDrtvDe[ Plain text ^ | 


A window will appear. Select the recipient from the list of available public 
keys. Then press 'Ok.' 


default title 

Select the public keys: 



Created Expires 

ton <> CDD69DCEFB7F094A 2011-5-1 




You will now see the encrypted message in the mail window. A PGP encrypted 
message is nothing but a bunch of characters delimited by special lines with 
dashes. Selecting the entire body of the PGP message, including the lines with 
BEGIN and END, and then going to the FireGPG menu, will allow you to 
manually decrypt, or do other actions. 




Introduction to securing personal 

You may find it necessary or perhaps re-assuring to encrypt some data on 
your computer. Hard drives are not very well protected by the Operating 
Systems password mechanism - it is pretty easy to remove a hard disk from a 
laptop and access it from another computer, similar to how you would access 
any hard disk you use for back-up or storage. So if you want to avoid this 
possibility you should encrypt the data on your hard disk or, better still, 
encrypt your entire hard disk. 

You can also take this protection another level and encrypt the data and store 
it on another device like a USB stick or small hard disk. This means the data 
can also be very easily physically hidden and its also very portable. If you 
want to be really really sneaky you can also create hidden encrypted volumes 
which means if someone accesses your hard disk they must know quite a bit 
about computers to know how to find it - of course if you have the software 
installed to do this kind of thing that might not look so friendly to someone 
prepared to go to these measures. 

'Encrypting your data' like this means locking away your data in a very secure 
'container'. If you do not know the passwords then that data will look like a 
mess of letters, numbers and other characters. If you know the password you 
can easily open and access the files. 

We will look mainly at TrueCrypt - a free/open source solution to this issue. 
TrueCrypt is a very nice software that can be used on MaxOSX, Linux or 
Windows for establishing and maintaining an on-the-fly-encrypted container 
('volume'). On-the-fly encryption means that your data is encrypted when you 
save it and then also de-crypted when you open (access) it without you 
needing to do anything. You can continue to use your computer like you 
normally would - you can drag and drop files to an encrypting data etc. When 
you turn off the computer the data is encrypted automatically - the same 
thing happens if your computer's power supply is interrupted or if the disk is 
removed from your computer The only way to access the data is to start your 
computer in the normal fashion and entering the necessary passwords. It's 
actually pretty easy to use and in a sensible world all data would be stored in 
this fashion. The only issue you really need to consider is that the data is not 
encrypted automatically if you put your machine 'to sleep'. If you want this 
type of security you need to get used to waiting a while and do a real 
shutdown of your computer and a real start-up each time you you use it. This 
is not the way people are usually working with laptops but this little extra 
attention and pause for a few moments is a small price to pay for good data 


Installing TrueCrypt 

TrueCrypt can be installed on Windows, Linux, or MacOSX. The installation 
files are available here: 

The following gives complete detail on how to install TrueCrypt on your 
computer for each of these Operating Systems, starting with Ubuntu. 

Installing on Ubuntu 

TrueCrypt is not available in the standard Ubuntu repositories. This means 
you cannot use the Ubuntu Software Center or apt-get (a command line 
method for installing software on Ubuntu) to install it. Instead you must first 
visit the TrueCrypt downloads page ( 

You will see a drop-down menu under the heading Linux. 

(Select a package] 

Download .tar.gz containing an eKecutable setup file PGP Signature 

From the '(Select a package)' drop down menu you can choose from four 

standard - 32-bit tKSS] 
[standard - S4-bit {kBA-) 
Console-only - 32-bit [KS65 
Console-only - S4-bit [K64] 

This is a little technical - the console version is the one you choose if you are 
either very technical and don't like Graphical User Interfaces oryou wish to 
run this on a machine that you have only a terminal (command line or 'shell') 
access to (like a remote server for example). 

Assuming you are running this in your laptop its best to choose the easy 
'standard' option - this will give you a nice user interface to use. From these 
two options you need to choose the one most suitable for the architecture of 
your machine. Don't know what this means? Well, it basically comes down to 
the type of hardware (processor) running on your computer, the options are 
32-bit or 64-bit. Unfortunately Ubuntu does not make it easy foryou to find 
this information if you don't already know it. You need to open a 'terminal' 
from the Applications->Accessories menu and type the following, followed by 
the [enter] key 


The output will be something like 'Linux bigsy 2.6.32-30-generic #59-Ubuntu 
SMPTue Mar 121:30:46 UTC 201ix86_64 GNU/ Linux'. In this instance you can 
see the architecture is 64-bit ('x86_64'). In this example 1 would choose the 
'Standard - 64-bit (x64)' option. If you see '1686' somewhere in the output of 
the uname command then you would choose the other standard option to 

Once selected press the 'download' button and save the file to somewhere on 
your computer. 

So the installation process is still not over. The file you downloaded is a 
compressed file (to make downloading it is faster) and you need to first de- 
compress the file before you install it. Fortunately Ubuntu makes this easy - 
simply browse to the file on your computer and right click on it and choose 
'Extract Here'. 



^ Open with Archive Manager 


•^ Open with Archive Mounter 
Open with Other Appiication... 


Make Link 


Copy to > 

Move to y 

Move to Trash 

Send To... 


You will see a new file appear next to the compressed file: 


truecrypt-7.0a-linux- truecrypt-7.0a-Eetup- 
xS4.tar.gz xS4 

Nearly done! Now right click on the new file and choose 'open' : 


Open with Word Processor 
Open with Other Application... 


Make Link 
Copy to 
Move to 

Move to Trash 

Send To... 


If all is well you will see a window open like this: 



Do you want to run "truecrypt-7.0a-setup- 
x64", or display its contents? 

"truecrypt-7.0a-setup-xS4" is an executable text file. 

Run In Terminal Display 




choose 'run' and you see the following: 





TrueCrypt 7,0a Setup 

TrueCrypt is a softuare systen for establishing and Maintaining an 
on-the-fly-encrypted volune (data storage device) + On-the-fly encryption 
neans that data are autonaticaily encrypted or decrypted right before they 
are loaded or saved^ uithout any user intervention. Ho data stored on an 
encrypted volune can be read (decrypted) Mithout using the correct 
passuord/keyfile<s> or correct encryption keys. Entire file systen is 
encrypted (e,g+^ file nanes^ folder nanes^ contents of every file^ 
free space^ neta dataj- etc). 

Please select one of the belou options: 

(EkIO (Ewtract ,tar Package FileJ ftnstall TrueCryptj 

Now we are getting somewhere. 'Install TrueCrypt'. You will be 
displayed a user agreement. At the bottom press 'I accept and agree to be 
bound by the license terms' (sounds serious). You will then be shown another 
info screen tellingyou you can uninstall TrueCrypt. Press 'OK' then you will be 
asked foryour password to install software on your computer. Enteryour 
password and then you will finally see a screen like this: 

TrueCrypt Setup 


Installing package... 

usr/b i n/truecr-ypt 

usr/b i n/truecr-ypt-un i nsta 1 1 . sh 

usr/share/app licat i ons/truecnypt . desktop 

usr/share/p i xmaps/truecr-ypt , xpm 

usr/share/truecrypt/doc/L i cense . txt 

usr/share/truecrypt/doc/TrueCrypt User Guide.pdf 

Press Enter to exit... 


Believe it or now your are done. ..TrueCrypt is installed and you can access it 
from the Applications->accessories menu. ..close the setup window. Now 
proceed to the chapter on Using TrueCrypt. 


Installing on OSX 

1. To install TrueCrypt on OSX first visit the download page 
( and press the download button under 
the OSX section. 

M^c OS X 

( Download j .dmg package (PGP Signatjre ) 

2. Download this to your computer find the .dmg file and open it to acces the 
installation package. 

BBR ^ u=l TrueCrypt 7.Qa C^ 

TrueCrypt 7.0a.mpkg 


3. Open the installation package, and click away through the dialogues. 


^^ InBtall TrueCrypt 7,0a 

Select a Destination 

8 Intrjxluction^^i 
e Destination Select^ 

■ InEtallation 
• Installation - 

■ Summ; 

Select the disk where you want to install the TrLeCrypt 
7.0a software. 

Macintosh HD 
35,2 5 CBfree 
499,76 CS total 

Installrng this software requires 1?,7 MB of space. 

You have chosen to instaii this software on the disk 
'Macintosh HD". 

r Co Back J \[ Continue 

4. Choose the standard installation, (you can choose to do a customized 
installation and deselect FUSE, but why would you? You need it!) 


^ Install TrueCrypt 7.0a 

Standard Install on "Macintosh HD" 

e Introduction 

6 Destination Seiect 

O Installation Type 

■ Installatior ^ 

I Summi 


This will take 12,7 MB of space on your computer. 

Click install to petform a standard installation of 

this software on the disl< '^Macintosh HD". 

( Change Install Location... ) 

(^ Customize ") 

( Co Back ^C. install 

6. After the installation finishes you can find the program in your Applications 


fr^ n n [^ Applkations CDj 



Installing on Windows 

To install TrueCrypt on Windows first visit the download page 
( and press the download button under 
the Windows section. 

Windows ?/Vist3/XP/2000 

1 Download | TrueCrypt Setup 7.0a.eKe (3.3 MB) 

1 PGP Signature | 

Download this to your computer and then double click on the file. You wil 
see a license agreement. 

True Cryp t Setup 7. Oa 


Vou must accept these license terms before you can use^ extract^ or install TrueCrypt, 

IMPORTANT: By checking the checkbox below and clicking Accept^ you accept these license terms and 
agree to be bound by and to comply v\"ith them. Click the 'arrow down' icon to see the rest oF the license. 

TrueCiypt License Version 5.0 ^| 

SoftViiare deUiCiyted under tiiis taiense c disUAutied an an "AS 15" aA5l5 WITHOUT WARRANTIES OF ANY 

I . Definitions I 1. 

1 . 'Ttic Prodijcr ftaaf\s ttie wfvk {induding, biJt net IrrWtAd tu.. SMttt cfd^ gtaf)t\ks. t£»^ and 

accan^^ymg fites) n^e arva^ie unda and go^i^ned by ttiis veraon d" diis k^se {' Licenser j. as n^ be ^ 

\ I accept and agree to be bound by the license terms 

TrueCrypt Installer 






click on 'I accept and agree to be bound by the license terms' and then click 

Wizard Mode 

Select one oF the modes, If you are not sure which to selectj use the default mode. 

ff Install 

Select this option if you want to install TrueCrypt on this system. 

^ Extract 

If you select this optioHj all files will be extracted from this package but nothing will be 
installed on the system, Do not select it if you intend to encrypt the system partition or 
system drive. Selecting this option can be usefulj for example^ if you want to run 
TrueCrypt in so-called portable mode. TrueCrypt does not have to be installed on the 
operating system under which it is run. After all files are extracted^ you can direcdy run 
the extracted file 'TrueCrypt, exe' (then TrueCrypt will run in portable mode). 

TrueCrypt Installer - 


<Back li Next > 


Leave the above screen with the defaults and press 'Next >' and you will be 
taken to the Setup Options window: 


5etup Options 

Here you can set various options to control the installation process. 


Please select or type the location where you want to install the TrueCrypt program files. If the 
specified folder does not exists it w\\\ be automatically created. 

C;\Pfogfam Files\TfueCfypt\ 

W Install for all users 

P' Add TrueCrypt to Start menu 

1^ Add TrueCrypt icon to desktop 

P' Associate the .tc file extension with TrueCrypt 

\ Create System Restore point 

TrueCrypt Installer - 






You can leave this with the defaults, if you want to set up TrueCrypt just for 
yourself then consider not selecting the 'Install for all users'. However if you 
are installing this on your own machine and no one else uses the computer 
then this is not necessary. You may also wish to consider installing TrueCrypt 
in a folder other than the default. In which case click 'Browse' and choose 
another location. When you are done click 'Install' and the process will 

.meCrypt Setup 7.0a 


Please wait vvhile TrueCrypt is being installed, 



Installing C:\Program Files\TrueCrypt\TrueCfypt User Guide.pdf 

Installing C:\Program Files\TrueCrypt\License.txt 

Installing C:\Program Files\TrueCrypt\TrueCrypt.exe 

Installing C:\Program Files\TrueCrypt\TrueCrypt Format.exe 

Installing C:\Program Files\TrueCrypt\truei:rypt.sys 

Installing C:\Program Files\TrueCrypt\truei:rypt-x64.sys 

Installing C:\windows\system32\Drivers\truecrypt.sys 

Installing C:\Program Files\TrueCrypt\TrueCrypt 5etup.exe 

Adding registry entry 5oFti\iare\Classes\TrueQypt\/olume 

Adding registry entry 5oFti\iare\Classes\TrueQypt\/olume\Del^aultIcon 

Adding registry entry 5oFti\iare\Classes\TrueQypt\/olume\Shell\open\command 

Adding registry entry 5oFti\iare\Classes\.tc 

Adding registry entry 5oFti\iare\MicrosoFt\Windoi\is\CurrentVersion\Uninstall\TrueCrypt 

Installing TrueCrypt device driver 

Starting TrueCrypt device driver 

TrueCrypt Installer ■ 







When the installation is complete you will get a verification popup that it was 
successful. Close this window and click 'Finish' and all is done. Now proceed 
to the chapter on Using TrueCrypt. 


Using TrueCrypt 

The following are step-by-step Instructions on how to create, mount, and use 
a TrueCrypt volume. 

Creating a TrueCrypt Container 
Step 1: 

Install TrueCrypt. Then launch TrueCrypt by 

• double-clicking the file TrueCrypt.exe in Windows 

• opening Applications->Accessorles->TrueCrypt In Ubuntu 

• on MacOSX open It by clicking Go > Applications. Find TrueCrypt in the 
Applications folder and double click on it. 

Step 2: 

When the main TrueCrypt window appears. Click Create Volume. 


Volumes Favorites Tools Settings H^ip 

Siot Volume 

Size l^tjunt Directory 




<* J 












Create Volume 

H Never save history 

Select File... 

Volume Tools... I I Select Device... 

Mount I I Auto-Mount Devices „ DismountAii 


Step 3: 

You should see the TrueCrypt Volume Creation Wizard window appear on 


TniiCrypt Vo/ume Creation Wizard | _ || X | 





TnieCiypt Volume Creation Wizard 

O Create an encrypted file container 

Creates a virtual encrypted disk witliin a file. 
Recommended for inexperienced users. 

More information 

Create a volume within a partition/drive 

Formats and encrypts a non-system partition, entire 
external or secondary drive, entire USB stick, etc. 

Help 1 1 <Prev |[ Ne>!t> | | Cancel | 

where do you want to create the TrueCrypt volume? You need to choose now. 
This can be in a file, which is also called a container, in a partition or drive. 
The following steps will take you through the first option creating a TrueCrypt 
volume within a file. 

You can just click Next, as the option is selected by default. 

Step 4: 

Next you need to choose whether to create a standard or hidden TrueCrypt 
volume. We will walk you through the former option and create a standard 
TrueCrypt volume. 



TrvsCiypt Voiume Crtation Wizard 

Volimie Type 

O Standard TrueCiypt volume 

Select this option if you want to create a normal 
TrueCrypt volume. 

) Hidden TrueCrypt volume 

It may happen that you are forced by somebody to reveal 
the password to an encrypted volume. There are many 
situations where you cannot refuse to reveal the 
password (for example, due to extortion). Using a 
so-called hidden volume allows you to solve such 
situations without revealing the password to your 

More Information about hidden volumes 


< Prev Next > 


You can just click Next, as the option is selected by default. 

Step 5: 

Now you have to specify where to have the TrueCrypt volume (file container) 
created. Note that a TrueCrypt container behaves like any normal file. It can 
be moved or deleted as any normal file. 

TmsCrypt Vo/ume Crtation Wizard 

Voliuiie Location 


H N.ever save history 

A TrueCrypt volume can reside In afile (called TrueCrypt 
container), which can reside on a hard disk, on a USB flash 
drive, etc. A TrueCrypt container is just like any normal file 
[It can be, for example, moved or deleted as any normal 
file), click 'Select File' to choose a filename for the 
container and to select the location where you wish the 
container to be created. 

WARNING: If you select an existing file, TrueCrypt will NOT 
encrypt It; the file will be deleted and replaced with the 
newly created TrueCrypt container. You will be able to 
encrypt existing files (later on) by moving them to the 
TrueCrypt container that you are about to create now. 


< Prev 


click Select File. 

The standard file selector will now appear on screen (the TrueCrypt Volume 
Creation Wizard remains open in the background). You need to browse to the 
folder that the file should be created in and then type into the 'name' field the 
name for the file you wish to create. 




Specify a New TrueCrypt Volume 


Save in folder: 

J true 

p] Browse for other folders 

< U adam 


Create Folder 


Q^ Search 
©Recently Used 

IS adam 
B Desktop 
O File System 
S58CB Fllesyste... 
Q90GB Fllesyste... 


V I Modified 



Ail Flies 



We will create our TrueCrypt volume in the folder 'adam/true' and the 
filename of the volume (container) will be 'myencryptedfile'. You may, of 
course, choose any other filename and location you like (for example, on a 
USB stick). Note that the file 'myencryptedfile' does not exist yet -TrueCrypt 
will create it. Press 'Save' when you are ready. The file selector window 
should close. 

IMPORTANT: Note that TrueCrypt will not encrypt any existing files. If an 
existing file is selected in this step, it will be overwritten and replaced by the 
newly created volume (the contents of the existing file will be lost). You will 
be able to encrypt existing files later on by moving them to the TrueCrypt 
volume that we are creating now. 


Step 6: 

In the Volume Creation Wizard window (which was previously running in the 
background), click Next. 

Step 7: 

Here you can choose an encryption algorithm and a hash algorithm for the 

TnjzCFypt Voiutns Creation Wizard 


Encryption Options 

Encryption Algorithm 

FlPS-approved ciptier (Rijndaei, pubiistied in 1998) ttiat 
may be used by U.S. government departments and 
agencies to protect classified information up to tiie Top 
Secret levei. 256-bit key, 128-bit biock, U rounds (AES-256). 
Mode of operation is XTS. 

More information on AES 

Hasfi Aigoritfim - 



Information on fiasii aigoritfims 


< Prev 

Next > 


The TrueCrypt manual suggests that if you are not sure what to select here, 
you can use the default settings and click Next (for more information about 
each setting have a look at the TrueCrypt documentation website). 

Step 8: 

Now choose the size of your container. You should be fine with 1 megabyte 
but for this example we will enter '20' into the available field. 


TruBCiypt Volvrnt Creation Wizard 

Volimie Size 


Free space available: 445 MB 

Please specify the size of the container to create. Note that 
the minimum possible size of a voiume is 1^1 KB. 


<Prev Ne>!t> 


You may, of course, specify a different size. After you type the desired size in 
tiie input field, click Next. 

Step 9: 

This step is really important, choosing a password. 

The information displayed in the Wizard window about what is considered a 
good password, should be read carefully. 

Choose a strong password, type it in the first input field. Then re-type it in the 
input field below the first one. 


TrvBCiypt VoluFne Cr&atioFt Wizard 

Volmiie Password 



Confirm password: 

U display password 
O Use keyfiles 


It is very important that you choose a good password. You 
should avoid choosing one that contains only a single word 
that can be found in a dictionary (or a combination of 2, 3, 
or 4 such words). It should not contain any names or dates 
of birth. It should not be easy to guess. A good password is 
a random combination of upper and iower case letters^ 
numbers, and speciai characters, such as @ -^ = $ * + etc. We 
recommend choosing a password consisting of more than 
20 characters (the longer, the better). The maximum 
possible length Is 64 characters. 


< Prev 

Next > 


When you are done click Next. 

Step 10: 

Now you must choose the format of your partition (this step may not be 
available for you under windows or OSX). If using Ubuntuyou can choose a 
Linux file type or FAT (Windows) for simplicity leave it at the default. 

TruiCrypt Voiumt Creation Wizard 


Format Options 

Fllesystem Options — 
Fllesystem type: FAT 

Volume Format Options 
_ Quick form,at 

In order to enable your operating system to mount your 
new voiume, it has to be formatted with a filesystem. Please 
select a fllesystem type. 

If your volume is going to be hosted on a device or 
partition, you can use 'Quick format' to skip encryption of 
free space of the volume. 


< Prcv 


Then press Next. 

Step 11: 

Next TrueCrypt tries to generate random information to help encrypt your 
container. For 30 seconds move your mouse as randomly as possible within 
the Volume Creation Wizard window. Move the mouse as much as possible 
for up to a minute. This significantly increases security by increasing the 
cryptographic strength of the encryption keys, security). Ivlove your mouse 
around until you are bored. 

TnjzCrypt Volufns Creation Wizard 


Volume Format 

Random Pool: ii:ioad:775c:df7Dd4 69D4190 . 
Header Key: 
Master Key: 

H Sh 

1 Abort 1 

Done 1 Speed Left 

IM PORTANT: Move your mouse as randomly as possible 
within tliis window. Tlie longer you move It, tlie better. Tliis 
significantly Increases the cryptographic strength of the 
encryption keys. Then click Format to create the volume. 


< Prev 



Then Click Format. 

TrueCrypt will now create a file in the folderyou selected with the name you 
chose. This file will be a TrueCrypt container, containing the encrypted 
TrueCrypt volume. This may take some time depending on the size of the 
volume. When it finishes this should appear: 



TrueCiypt Vofume Creation Wizard 

Volmiie Foniiat 

Random Pool: 3BE07BA4A2BA1D316FF2FBFA3B . . H S|h 
Header Key: 3Dg£5Agai7D35aE5B£BDa"CB51 . . 
Master Key: gE641E2666313Da9Da47D3S4Da . . 

TnieCrypt [x] l 

The TrueCrypt volume has been successfully created. 

ly as possible 

It, the better. This 

significantly Increases the cryptographic strength of the 
encryption keys. Then click Format to create the volume. 

Help tPrev Format Cancel 

Click OK to close the dialog box. 

Step 11: 

Well done! You've just successfully created a TrueCrypt volume (file 

In the TrueCrypt Volume Creation Wizard window, click Exit. 

Mounting the Encrypted Volume 
Step 1: 

Open up TrueCrypt again. 

Step 2: 

Make sure one of the 'Slots' is chosen (it doesn't matter which - you can leave 
at the default first item in the list). Click Select File. 



(:;■ TmeCrypt 

Volumes Favorites Tools Settings H^ip 

Siot Volume Size l^ount Directory Type 

«^ 5 

«^ ID 


Create Volume 



Select File... I 

B Never save history i Voiume Tools... | I Select Device... 


Mount I I Auto-Mount Devices I DismountAii Exit 

The standard file selector window should appear 

Step 3: 

In the file selector, browse to the container file (which we created earlier) and 
select it. 



Select a TrueCrypc Volume 


< IBadam 


©Recently Used 

IS adam 
B Desktop 
Q File System 
O58 GB Filesyste... 
O90GB Filesyste... 




Ail Flies 



Click Open (in the file selector window). 
The file selector window should disappear. 

Step 4: 

In the main TrueCrypt window, click Mount. 



Select a TrueCrypc VoSame 


./ < liada 


C^ Search 
©Recently Used 


V Modified 

9 myencryptedfile 

12 adam 
B Desktop 
O File System 
O5SGB Filesyste... 
OaOGB Filesyste... 



Ail Flies 

Cancel Open 

Password prompt dialog window should appear. 

Step 5: 

Type the password In the password Input field. 


Enter paiswofd for "fhome/adam/true/myencrypcedpl 



D Cache passwords and keyfiies In memory 


D Display password 

D Use keyfiies 


Options > 

Step 6: 

click OK In the password prompt window. 


TrueCrypt will now attempt to mount the volume. If the password Is correct, 
the volume will be mounted. 

Volumes Favorites Tools Settings JH^Ip 


slot Volume 

Size Mount Directory 


■*.. 1 

/home/adam/true/myencryp ted file 

19.8 MB 

/media/ truecryptl 
















Create Vcslume 

Volume Properties.. 

Wipe Cache 




' - ' 

Select File... | 

B Never save history 

Volume Tools... 1 

1 Select Device... | 


Auto-Mount Devices 

Dismount All 


If the password Is incorrect (for example, if you typed it incorrectly), 
TrueCrypt will notify you and you will need to repeat the previous step (type 
the password again and click OK). 

Step 7: 

We have just successfully mounted the container as a virtual disk 1. The 
container will appear on your Desktop oryou will see it in your file browser. 


what does this mean? 

The disk that you have just created is completely encrypted and behaves like 
a real disk. Saving (moving, copying, etc) files to this disk will allow you to 
encrypt files on the fly. 

You'll be able to open a file which is stored on a TrueCrypt volume, which will 
automatically be decrypted to RAM while it is being read, and you won't need 
to enteryour password each time. You'll only need to enter this when your 
mounting the volume. 

Remember to dismount! 

To do this right click on the drive and select unmount. This will automatically 
happen when you turn ofT your computer but will not happen if you just put 
the computer on sleep. 


Setting up a hidden volume 

A TrueCrypt hidden volume exists within the free space of a typical TrueCrypt 
volume. Given then the 'outervolume' is accessed it is (almost) impossible to 
determine if there is a hidden volume within it. This is because TrueCrypt 
o/ways fills the empty space of an encrypted volume with random data. So a 
hidden volume looks the same as an empty TrueCrypt volume. 

To create and use a hidden volume you need two passwords - one each for 
the outer and inner (hidden) volumes. When you mount (open) the volume 
you can use either password and that will determine which of the two is 
opened. If you want to open just the hidden volume you use one password, 
and if you want to access just the non-hidden encrypted volume you use the 
other password. 

To create a hidden volume open TrueCrypt and press the 'Create Volume' 

Volumes Favorites Tools Settings JH^Ip 

Siot Volume 

Size Mount Directory 


r " 



«>■■ J 













H Never save history 

Volume Tools... 

Select File... 

Select Device.. 

Mount j 1 Auto-Mount Devices j I DismountAII &lt 


The options for half of this process are almost the same as for setting up a 
standard TrueCrypt volume and then the process continues for setting up the 
hidden volume but lets go through the entire process step by step anyway. In 
the screen shown below you just want to stay with the default setting 'Create 
an encrypted file container': 

TnjzCrypt Volume Creation Wizard 






TrueCiypt Volume Creation Wizard 

O Create an encrypted file container 

Creates a virtual encrypted disk within a file. 
Recommended for inexperienced users. 

More information 

Create a volume within a partition/drive 

Formats and encrypts a non-system partition, entire 
externai or secondary drive, entire USB stick, etc. 


: £rev 



Press 'Next >' and continue to the next screen. 

Vohuiie Type 

standard TrueCrypt volume 

Select tfnis option If you want to create a normal 
TrueCrypt volume. 

O Hidden TrueCrypt volume ' 

It may happen that you are forced by somebody to reveal 
the password to an encrypted volume. Tinere are many 
situations where you cannot refuse to reveal the 
password (for example, due to extortion). Using a 
so-cailed hidden voiume allows you to solve such 
situations without revealing the password to your 

More information about hidden voiumes 


< Prev 




In the above screen you want to be sure that you choose the second option 
'Hidden TrueCrypt Volume'. Select this and click on 'Next >' you will then be 
asked to choose the location and name of the TrueCrypt outer volume. 


TrusCrypt Voiume Crtation Wizard 

Volimie Location 

B N.ever save history 

A TrueCrypt volume can reside in afiie (caiied TrueCrypt 
container), winicli can reside on a liard disk, on a USB flasli 
drive, etc. A TrueCrypt container is just lilte any normal file 
(It can be, for example, moved or deleted as any normal 
file). Cilck 'Select File' to choose a fiiename for the 
container and to select the location where you wish the 
container to be created. 

WARNING: If you select an e>iisting file, TrueCrypt will NOT 
encrypt it; the file will be deleted and replaced with the 
newly created TrueCrypt container. You wlii be able to 
encrypt existing files (later on) by moving them to the 
TrueCrypt container that you are about to create now. 


< Prev 



Click 'Select File...' and browse to a location for a new TrueCrypt volume. We 
will use the name 'myencryptedfile' in this example. Its the same name as we 
used in the last example so be aware that if you have just followed those 
instructions you must now create a new volume with a new name. 




Save in folder: 

Specify a New TrueCrypc Valams 




1^1 Browse for other folders 

< U adam 


■Create Folder 


Q^ Search 

©Recently Used 

IS adam 

B Desktop 

O File System 

O58CB Fllesyste... 

OSOGB Fllesyste... 


V Modified 



Ail Flies 



Browse to the directory where you want to put the outer volume and enter 
the name of the volume in the field named 'Name' as in the example above. 
When you are satisfied all is well click on 'Save'. The file browser will close 
and you return to the Wizard. Click 'Next >'. Here you are presented with 
some very technical choices. Don't worry about them. Leave them at the 
defaults and click 'Next >'. The next screen asks you to determine the size of 
the outer volume. Note that when you do this the maximum inner 'hidden' 
volume size is determined by TrueCrypt. This maximum size will of course be 
smaller that the size you are setting on this screen. If you are not sure what 
the ratio of outer volume size to inner (hidden) volume size is then go through 
the process now as a 'dummy' run - you can always trash the encrypted 
volume and start again (no harm done). 

So choose the size of the outervolume, I will choose 20MB as shown below: 


TrvBCiypt VoluFne Cr&atioFt Wizard 

Voliune Size 


Free space available: 445 MB 

Please specify the size of the container to create. Note that 
the minimum possible size of a voiume is 29^ KB. 


< Prev 

Next > 


You cannot set the outer volume size to be larger than the amount of free 
space you have available on your disk. TrueCrypt tells you the maximum 
possible size in bold letters so create a volume size sailer than that. Then click 
'Next >' and you will be taken to a screen asking you to set a password for the 
outer (not the hidden, this comes later) volume. 

TwiLrypt VoiuFTii Crtation Wizard 

Volimie Password 



Confirm password: 

|_l Display password 
n Use keyfiles 


It is very important that you choose a good password. You 
should avoid choosing one that contains only a single \pvord 
that can be found in a dictionary (or a combination of 2, 3, 
or 4 such words). It should not contain any names or dates 
of birth. It should not be easy to guess. A good password is 
a random combination of upper and iower case letters, 
numbers, and speciai characters, such as t^ -^ = $ * + etc. We 
recommend choosing a password consisting of more than 
20 characters (the longer, the better). The maximum 
possible length Is 64 characters. 


< Prev 

Next > 



Enter a password that is strong (see the chapter on creating good passwords) 
and press 'Next >'. Next TrueCrypt wants you to help it create the random 
data it will fill the volume up with. So wave your mouse around, browse the 
web, and do whatever you want for as long as you can. When you feel 
TrueCrypt should be happy then press 'Format'. You will see a progress bar zip 
by and then you will be presented with the next screen: 



Outer Volume Contents 

Outer volume has been Euccessfully created and mounted as 
7media/truecrypt2'. To this volume you should now copy 
some sensitive-looking files that you actually do NOT want 
to hide. The files will be there for anyone forcing you to 
disciose your password. You will reveai only the password 
for this outer volume, not for the hidden one. The files that 
you reaily care about will be stored In the hidden volume, 
which wlil be created later on. When you finish copying, 
click Next. Do not dismount the volume. 

Note: After you click Next, the outer voiume wlli be 
analyzed to determine the size of uninterrupted area of free 
space whose end Is aligned with the end of the volume. This 
area wlil accommodate the hidden volume, so Itwill ilmit 
Its maximum possible size. The procedure ensures no data 
on the outer voiume are overwritten by the hidden volume. 

1 Open Outer Volume 1 


: ?r£v 



You can open the outervolume if you like but forthis chapterwe will skip 
that and go ahead to create the hidden volume. Press 'Next >' and TrueCrypt 
will work out how the maximum possible size of the hidden volume. 


Hidden Vohiine 

The volume cluster bitmap has been scanned and the 
maximum possible size of the hidden volume has been 
determined. In the next steps you will set the options, the 
size, and the password for the hidden volume. 


: £rev 

Next > 


When you see the above screen just press 'Next >'. Now you must choose the 
encryption type for the hidden volume. Leave it at the defaults and press 
'Next >'. 

Hidden Volume Enciyption Options 

Encryption Algorithm 



FlPS-approved ciplner (Rijndaei, pubiished in 1998) that 
may be used by U.S. government departments and 
agencies to protect classified information up to the Top 
Secret levei. 25S-bit key, 128-bit biock, U rounds (AES-256). 
Mode of operation is XTS. 

More information on AES 

Hash Aigorithm - 

j R1PEMD-16D |0 Information on hash ai^orithms 


< Prev Ne){t> 

Now you will be asked to choose the size of the hidden volume. 


Hidden Volume Size 


Maximum possible hidden voiume size for tiiis 
voiume is 19.6 MB, 

Please specify the size of the hidden volume to create. The 
minimum possible size of a hidden voiume is 40 KB (or 3664 
KB if it is formatted as NTFS). The maximum possible size 
you can specify for the hidden volume Is displayed above. 

Please note that if your operating system does not allocate 
files from the beginning of the free space, the maximum 
possible hidden volume size may be much smaller than the 
size of the free space on the outer volume. This not a bug In 
TrueCrypt but a limitation of the operating system. 


< Prev 



I have set (as you see above) the maximum size as lOMB. When you have set 
your maximum size press 'Next >' and you will be promoted to create a 
password for the hidden volume. 

Hidden Vohiine Password 

Confirm password: 

l_' display password 
Use keyfiles 


It Is very Important that you choose a good password. You 
should avoid choosing one that contains only a single word 
that can be found In a dictionary [or a combination cf 2, 3, 
or 4 such words). It should not contain any names or dates 
of birth. It should not be easy to guess. A good password Is 
a random combination of upper and lower case letters, 
numbers, and special characters, such as @i -^ = $ * + etc. We 
recommend choosing a password consisting of more than 
20 characters (the longer, the better). The maximum 
possible length Is 64 characters. 



when creating the password for the hidden volume make sure you make it 
substantially different fro the password for the outer volume. If someone 
really does access your drive and finds out the password for the outer volume 
they might try variations on this password to see if there is also a hidden 
volume. So make sure the two passwords are not alike. 

Enteryour password in the two fields and press 'Next >'. 


Foniiat Options 

Filesystem Options 
Filesystem type: || FAT 

Volume Format Options- 
I _ Quick format 

In order to enable your operating system to mount your 
new volume, it has to be formatted wltln a filesystem. Please 
select a filesystem type. 

If your volume is going to be hosted on a device or 
partition, you can use 'Quick format' to sltlp encryption of 
free space of the volume. 


< Prey Next > 


Leave this window at the defaults and press 'Next >' and you will be presented 
with the same screen you have seen before to generate random data for 
TrueCrypt. When you are happy click 'Format' and you should see the 
following : 



Trae Crypt 

The hidden TrueCrypt volume has been successfully created 
and is ready for use. If all the instructions have been followed 
and if the precautions and requirements listed in the section 
"Security Requirements and Precautions Pertaining to Hidden 
Volumes" in the TrueCrypt User's Guide are followed, it should 
be Impossible to prove that the hidden volume exists, even 
when the outer volume is mounted. 



The TrueCrypt manual it Is referring to is not this manual. They mean this 
manual : 

Click 'OK' and keep and exit TrueCrypt. You can now mount the volume as 
noted in the previous chapter. 


Securely destroying data 

Just hit the delete button and you are done! No it's not that easy. To 
understand how to securely delete data, we have to understand how data is 
stored. In an analogy to the real world, an explanation of how data is stored 

Assume you have a small notebook with 10 pages and you want to write some 
data in this notebook. You just start writing on the first page up to the end of 
the notebook. Maybe you decide the information on page 5 must be 
destroyed. Probably you will just take out the page and burn it. 

Unfortunately data on a harddisk doesn't work this way. A harddisk contains 
not ten but thousands or maybe even millions of pages. Also it's impossible to 
take out a "page" of a harddisk and destroy it. To explain how a harddisk work, 
we will continue with our 10-page notebook example. But now we will work a 
little bit different with it. We will work in a way similar to how a harddisk 

This time we use the first page of our notebook as an index. Assume we write 
a piece about "WikiLeaks", then on the first page we write a line "piece about 
WikiLeaks: see page 2". The actual piece is then written on page 2. 

For the next document, a piece about "Goldman Sachs" we add a line on page 
1, "Goldman Sachs: see page 3". We can continue this way till our notebook is 
full. Let's assume the first page will look like this: 

• WikiLeaks -> see page 2 

• Goldman Sachs -> see page 3 

• Monstanto scandal -> see page 4 

• Holiday pictures -> see page 5 

• KGB Investigation -> see page 6 

• Al Jazeeraa contacts -> see page 7 

• Iran nuclear program -> see page 8 

• Sudan investigation -> see page 9 

• Infiltration in EU-politics -> see page 10 

Now, let's decide you want to wipe the "Goldman Sachs" piece, what a 
harddisk will do, it will only remove the entry on the first page, but not the 
actual data, your index will be: 

• WikiLeaks -> see page 2 

• Monstanto scandal -> see page 4 

• Holiday pictures -> see page 5 

• KGB Investigation -> see page 6 

• Al jazeeraa contacts -> see page 7 

• Iran nuclear program -> see page 8 

• Sudan investigation -> see page 9 

• Infiltration in EU-politics -> see page 10 


what we did, we removed only the reference to the article, but if we open 
page 3, we will still able to read the Goldman Sachs piece. This is exactly the 
way what a harddisk does when your "delete" a file. With specialized software 
it still able to "recover" page 3. 

To securely delete data, we should do the following: 

1. Open the "Goldman Sachs" page (page 3) 

2. Use an eraser to remove the article there, if done return to page 1 

3. Delete the reference in the index on page 1 

Well you will be surprised by the similarity between this example and the real 
world. You know when you removed the article on page 3 with an eraser, it is 
still possible to read the article slightly. The pencil leaves a track on the paper 
because of the pressure of the pencil on the paper and also you will be unable 
to erase all of the graphite. Small traces are left behind on the paper. If you 
really need this article, you can reconstruct (parts) of it, even if it's erased. 

With a harddisk this is very similar. Even if you erased every piece of data, it is 
sometimes possible with (very) specialized hardware to recover pieces of the 
data. If the data is very confidential and must be erased with the greatest 
care, you can use software to "overwrite" all pieces of data with random data. 
When this is done multiple times, this will make the data untraceable. 

Securely delete data under Windows 

For Windows there is a good open source tool called "File Shredder". This tool 
can be downloaded from 

The installation is very straightforward, just download the application and 
install it by hitting the next button. After installation this application will 
automatically start. You can then start using it for shredding files. However 
the best part of the program is that you can use it from within windows itself 
by right clicking on a file. 


1. click right on the file you want to shred, and choose File Shredder -> 
Secure delete files 

mart ■■ Documents ■■ » |B3| ; 

; Views ▼ |_J Open H E-mail ^ Share 

Mame ■^ \ -\ Date rfiodiPied | -| Type | --I 51 


^ Document? 
^ Picture? 
^ Music 

I Desktop 

1^ AppData 
[p^ Application Data 
^ Contacts 
^ Cookies 
f Desktop 
P Document? 
, Downloads 
J . Green host documents 
'jif httprecon-7,3[l] 
|£ httprecon-7.3 
^ coril^ig 



Greenhost docciriients 

[?] My Music 
[?] My Pictures 

My Stationery 
V [f] My Video? 

Other document? 



Sensetive document about Facebook leaks,.. Date modified: 4/30/201 

ODTFile 5ise: 100 MB 

Date created: 4/30/201 

2. A pop-up asks if you really want to shred this file 

3. After confirming, there your file goes. Depending on the size of the file 
this can take awhile 

Folder; c;\u5er5\mart\docunnents\ 

File; sensetive document about Facebook leaks 

1 oF 1 

Wiping Method DOD 5220-22M (pass 2) 



Securely delete data under MacOSX 

There are basically to build-in steps to make to securely delete your data on 
Mac OSX. 

1. Erase the free-space on your hard-drive containing all the data of items 
which are deleted in an unsecure way. 

2. Make sure that every file from then on is always securely deleted. 
We start with the first one: 

Erasing Free Space 

1. Open Disk-Utility which resides in the Utilities folder inside the Applications 

^ nri ^ Lcilicles 

Disk Utility 



2. Select your hard drive and click on 'Erase Free Space'. 




^ ^ 

Macintosh HD 

'^' -^ w ■^; ^ iJ l^ 

Verify Info Bum Unmount Eject Enable Journaling ^iew imaqe Convert Resize Image 

First Arcf ■ Erase ' RAID Restore 

To erase all data on a disk or volume: 

L Select iJie disit of volume in the li&t on itie left. 

2 Spedfv a format and name, 

3 If you want to prevent the recovery of the di5k'^ eraied data, click Security Optiotts. 

4 Click Erase. 

To prevert the K-covefyof previousiv deteted files without erasing the volume, select a 
volume ir the list on the left, and click Erase Free Space. 

Formal: [ Mac OS Extended goumaiedl 

Nam*: Madnto&li HD 

1^ Security Options... J (^ Erase. .^ J 


Mount Point 

/ Capacity 

-199,76 CB H99.763.S8S.1ZS Bytes) 


Mac OS Extended Uourfialed) Available 

32,04 CB (32.04L.054.ZOB Bytes) 

Owners Enabled 

Yes Used 

A^yjZ GB {467.7^^.833.9^0 Bytes) 

Number of Folders 

207 97S Number of Files 


3. Three options will appear, from top to bottom more secure, but also they 
take much more time to complete. Read the descriptions on each one of 
them to get an idea from what will happen If you use them and then choose 
which one might suite your needs the best and click 'Erase free Space'. 

If time Is no issue, then use the most secure method and enjoy your free time 
to get a good cofFee while you Mac crunches away on this task. If the crooks 
are already knocking on your front-door you might want to use the fastest 


Erase Free Space Options 

These options write Oiferthe unused space on tiie selected disitor voiume 
to prevent disk recovery applications from recovering deleted Files. 

Note: Secure Erase overwrites data accessible to Mac OS V,. Certain types 
of rriedia may retain data that Disk Utiiity cannot erase. 

! Zero Out DeJeted Fiies 

This provides goad securit?/ and is quick. It: writes zeros o^rtlie unused 
space iji tile disk once. 

O 7-Pas5 Erase of Deleted Files 

This option provides better security and takes 7 times longer tlian "Zero Out 
Deleted Files.' it writes over tine unused sp^ce in the disl< 7 times. 

6 35-Pass Erase of Delered Files 

This option provides tiie best security and takes 35 times ionger than "Zero 
Out Deieced Fiies.' It writes twer the unused space in the disk 35 times. 


(^ Cancel j f Erase Free Space J 

Securely Erasing Files 

Now that your previously deleted data is once and for ever securely erased 
you should make sure that you don't create any new data that might be 
recovered at a later date. 

1. To do this open the finder preferences under the Finder Menu. 
File Edit View 

About Finder 


Empty Trash... -CMeO 
Secure Empty Trash... 


Hide Finder 
Hide Others 
Show All 


2. Go to the advanced tab and tick 'Empty trash securely'. This will make sure 
that every time you empty your trash all the items in it will be securely deleted 
and are really gone! 

C] Show all filename extensions 

0Show warning before changing an extension 

M Show warning before emptying the Trash 

H Empty Trash securely 

When performing a search : 

Search This Mac 


Note 1: Deleting your files securely will take longer then just deleting them. If 
you have to erase big portions of unimportant data (say your movie and mp3 
collection) you may wanna untick this option before doing so. 

Securely delete data under Ubuntu/Linux 

Unfortunately currently there is no graphical user interface available for 
Ubuntu to delete files secure. There are two command-line programs 
available though. 

• shred 

• wipe 

Shred is installed in Ubuntu by default and can delete single files. Wipe is not 
installed by default but can easily be installed with using Ubuntu Software 
Center or if you understand the command line you can install it with apt-get 
install wipe. Wipe is a little more secure and has nicer options. 

It is possible make access to these program's easy by adding it as an extra 
menu option 


2. Open the "Nautilus Actions Configuration" from the System -> 
Preferences menu 



Help and Support 
About GNOME 

About Ubuntu 

^ About Me 
jf Appearance 
^a Assistive Technologies 
@ Biuetootln 
\_Sj Email Settings 
liMiii Keyboard 

I i| Keyboard Input Methods 
P Keyboard Shortcuts 
_^# Main Menu 

^# Messaging and VoIP Accounts 
iS Monitors 
1^1 Mouse 

'-^} Nautilus Actions Configuration k I 
[^ Network Connections 
,^ Network Proxy 
I i^fj OpenJDKJava 6 Policy Tool 

3. We have to add a new action. To do this, start clicking on the "create 
new action button", the first option in the toolbar 


: t^ O 

Actions list : [Lri]|iS>||^] 



f Nautilus Item 


Context label ; 

Toolbar label : 

□ Display item in selection context menu 
O Display item in location context menu 

□ Display item in the toolbar 

□ Use same label for icon in the toolbar 

Tooltip ; 
icon ; 

T Browse.,. 

Action properties . 

y Enabled 
n Read-only 

Id. ; 
I/O provider ; 

menu(s), action(s), profile(s) are currently loaded 



4. Next is describing the new action. You can give the action every name 
you wish. Fill out this title in the "Context label" field. In this example 
we used "Delete file securely" 

Edit View lools Help 

Actions list : [QJ|iiii|p^ 
Delete fite securely 

Action Command Folders Conditions Advanced conditions 

Nautilus item 

Display item in selection context menu 
n Display item in location context menu 

(t label 

; Delete flie securely | 

■ Display item in the toolbar 

E Use same laUel for icon in the toolbar 

3r label 

1 Delete file securely | 


1 1 


II T 1 |Hrowse...| 

Action properties 

n Read-only 
Id. ; 39912403-3c49-45a4-9360-71661dl09abb 
I/O provider : 

menu(s), 1 action(s), 1 proflle(s) are currently loaded 



5. Click on the second tab ("Command"), here is how we specify the action 
we want. In the field "Path", type "wipe", in the field parameters type "- 
rf %M", please be sure about the capitalisation of all characters here, 
this is very important. 

^ m 


Actions list : Ijfi i«> K? 

.Delete file securely 

Action Command Folders Conditions Advanced conditions 


Label : Defauit profile 

Command . 

Path ;| wipe ||Browse...| 

Parameters : ' -rf %M 1 | Legend | 
e.g., wipe -rf/path/to/file.txtM 

menu(s). 1 action(s), 1 proflle(s) are currentiy loaded 



6. Next is specifying the conditions, click on the conditions tab and choose 
the option "Both" in the "Appears if selection contains..." box. With this 
option you can wipe both files and folders securely. If done, click the 
save button (second item on the icon bottom toolbar) or use the menu 

File Edit View lools Help 

^ 1^ 

Actinns Mst : IjJi Lsn v 

Delete file securely 

Action Command Folders 


Advanced conditions 

Appears if 1 




matches •. 



Match case 



Appears if selection contains . 

O Only flies O Only folders ® Both 

G Appears if selection has multiple files or folders 

menu(s), 1 actlonCs), 1 proflie(s) are currently loaded 


7. Now close the Nautilus Actions Configuration tool. Unfortunately, after 
this, you have to re-login into your system, so ether reboot or 

8. Now browse to the file you want to securely delete and right click: 


choose 'Delete File Securely'. The file will then be wiped 'quietly' - you 
do not get any feedback or notice that the process has started or 
stopped. However the process is underway. It takes some time to 
securely delete data and the bigger the file the longer it takes. When it is 
complete the icon for the file to be wiped will disappear. If you would 
like to add some feedback you can change the parameters field in 
Nautilius Actions Configuration tool to this: 

-rf %M I zenity --info -text "your wipe is underway please be patient. 
The icon of the file to be wiped will disappear shortly." 

The above line will tell you the process is underway but you will not 
know the file is deleted until the icon disappears. 





Introduction securing remote 
connection: VPN 

Everybody wants to get connected to the internet, everywhere at every 
moment. People use whatever method is available, ranging from WiFi 
networks to rolling out cables on the street. It is even possible to make an 
internet connection using satellites or mobile networks. The urge to get 
connected is more important than making sure the connection is safe. Even 
though many people know connecting to a open wireless network is unsafe, 
people still act as if there is no alternative. 

Although you can encrypt your web and email communication, this is 
unfortunately not true for all applications. There is no such encryption for 
MSN and nobody knows what kind of encryption Skype uses and whether it is 
easily to be tapped. Therefore it would be nice if you can protect your 
connection in a more general way. This is possible with a VPN, which stands 
for "Virtual Private Network". 

Understanding the communication path 

To get more security it's important to know what a VPN can and can't do for 
you. Therefore it's important to have a basic understanding of the way the 

When connecting to the internet every request is going through multiple 
'hops' (often called routers). At every hop a system administrator (or 
government institution) can spy ('sniff') on your connection. Often at least 5 
to 10 hops are required before your request reaches the server. This means 
there are at least as many places where your information can be sniffed and 
leaked without your knowledge 

In general (but not always!), the networks get more secure down the road. 
For example, if you are in China at a cafe with an unencrypted wireless 
connection, requesting information about Liu Xiaobo on the site it's very possible that this piece of 
information is located on a server in Amsterdam. If so, your request will travel 
through multiple places and each hop is vulnerable: 

1. the wireless network at the bar - everybody in and around the bar will 
be able to see your request; 

2. the wireless modem/router of the bar - the bar owner, or somebody 
with physical access to this modem/router, will be able to see your 


the (multiple) routers of the connection provider- In China these are 
controlled by the government (and probably blocked in this case), so 
the system administrator(s) of these networks will be able to see the 
request. Maybe some hundreds of system administrators have the 
access to 'sniff' your request. 

some routers in Europe - for example routers at the German Internet 
Exchange Denic in Frankfurt. Most of these systems are very well 
maintained and secured, but the request is still viewable by the involved 
system administrators; 

and finally your request will arrive at the server of Wikipedia in 
Amsterdam and of course the system administrator of this system will 
be able to see your request. 

Securing the weak points 

It's very important to understand that the weakest points on this path - the 
bar and in the country where you are - are also controlled by the people who 
are most interested in your requests. Therefore it's very interesting to secure 
this part of the path. It would be great if you can somehow change the path 
so it appears like your request originated in (for example) Germany instead of 
China. This is possible with VPN technology. 

Get more security by default (with a VPN) 

A VPN (Virtual Private Network) encrypts and tunnels all Internet traffic 
between yourself and another computer (VPN server). This computer might 
belong to a commercial VPN service, your organization, or a trusted contact. 

Because VPN services tunnel all Internet traffic, they can be used for e-mail, 
instant messaging. Voice over IP (VoIP) and any other Internet service in 
addition to Web browsing, making everything that travels through the tunnel 
unreadable to anyone along the way. This makes your connection more 
secure by default. 

If the tunnel starts at your laptop in China and ends at your VPN-provider in 
Germany, this can be an effective method of circumvention, since all the hops 
in China will only see encrypted data and have no way of knowing what data 
is passing through the tunnel. It has the additional effect of making all your 
different kinds of traffic look similar to an eavesdropper. 

It is important to note that the data is only encrypted until the end of the 
tunnel, and then the data travels unencrypted to its final destination. 


To explain the whole journey In more detail: 

By using a VPN provider In Germany your request will once again be 
forwarded through multiple places. This time howeveryour computer will 
build a VPN connection (a "tunnel") to a server In Germany, so the traffic will 
be as follows: 

1. All the hops to the VPN server in Germany will only see some 
unreadable encoded data - this includes the network from the bar and 
the Chinese firewall; 

2. The VPN server in Germany will receive the encrypted traffic and will 
decrypt it, so it can send It to some router at Denic - the request will be 
viewable here by the system administrator; 

3. Finally your request will arrive at the server of V^/ikipedia in Amsterdam 
and once again the system administrator of this system will be able to 
see your request. 

So while not securing all parts of the data path the points where you might be 
most vulnerable are pretty well obscured. 

Since many international companies use VPN technology to allow employees 
who need access to sensitive financial or other Information to access the 
companies' computer systems from home or other remote locations over the 
Internet, VPN technology is less likely to be blocked than the technologies 
used only for circumvention purposes. 


Note: The communication is only safe on one part of the path 

Keep in mind that if you are communicating witii a local website or person in 
China, your connection will be encrypted from China to Germany, but from 
Germany back to China (to this website or person) is unencrypted if this 
person is not using the proper security measures! This is important to keep in 
mind when communicating with local people. You may bring them and 
yourself in danger. 


Getting and testing a VPN account 

In all the VPN systems, there is one computer set up as a server (In an 
unrestricted location), where one or more clients connect to. The set up of 
the server is out of the scope of this manual and the set up of this system Is In 
general covered by your company or VPN provider. This server Is one of the 
two ends of the tunnel. It Is that Important the company running this server 
can be trusted and Is located In an area you trust. So to run a VPN, an account 
Is needed at such a trusted server. 

Please keep In mind that an account can often only be used on one device 
concurrently. If you want to login on a VPN with both your mobile and laptop. 
It Is very well possible you need two accounts. 

An account from your company 

A lot of companies are running local VPN servers. It Is very well possible you 
can get an account there easily. Check with your system administrator If this 
Is possible and ask for the technical possibilities. 

An account from a free or commercial VPN-provider 

If you don't have the possibility to get an account from your company, you 
can register for an account on the Internet, there are dozens of providers. 
Although some companies ofTer free accounts, they seem to be disappearing 
fast. For a stable account it seems the best to go for a paid option. For a few 
euro's a month It Is possible to get an account. Always choose for a provider 
that offers a standard protocol like L2TP/IPsec, PPTP orOpenVPN. Explanation 
of the differences between these standards Is up next. 

A (semi up-to-date) overview of free en commercial providers can be found at 
cship. org's wiki ( 

VPN standards 

There are a number of different standards for setting up VPN networks. 
Including PPTP, LL2P/IPSec and OpenVPN that vary In terms of complexity, 
the level of security they provide, and which operating systems they are 
available for. Naturally, there are also many different Implementations of each 
standard within software that have various other features. 



PPTP is one of the older VPN technologies. While PPTP is known to use 
weaker encryption than either L2TP/IPSec or OpenVPN, it may still be useful 
for bypassing Internet blocking and give some level of encryption. The client 
software is conveniently built into most versions of Microsoft Windows, 
Apple, Linux computers and even mobile phones. It is very easy to setup. 


L2TP (in combination with IPSec) is a very well-known VPN solution. A lot of 
devices support these VPN connections out of the box. This includes all 
mainstream Operating Systems like Windows, MacOSX and Linux, but also 
support is standard in both Android and iPhone phones. Unfortunately to set- 
up a good L2TP/lPSec server is complicated. Because the wide-spread 
implementations of the (complex) protocol, there are some differences 
between disparate versions. Therefore, the protocol is not always working 
flawless, so check if it works. If it is running, this is one of the best and safest 


OpenVPN is a well-respected, free, open source VPN solution. It works on 
most versions of Windows, MacOSX and Linux. OpenVPN is SSL-based, which 
means it uses the same type of encryption that is used when visiting secure 
Web sites where the U RL starts with https. Despite the open character of the 
product it is currently not very well supported by mobile phones. Also the 
configuration of this protocol under Windows en MacOSX requires additional 
software, while PPTP and L2TP/IPSec are both available by default. 


There are dozens of other implementations. We advise to stick to one of these 
three methods as these are very common en well supported. But maybe there 
is a good reason to use other methods under some circumstances. 

Testing before and after account set up 

If you decide to set up a VPN, it is important to check if it is working at all. 
The best way to do that is to check before and after the set up. Before setting 
up the connection, the "world" will see you from the location where you 
really are. This can be simply checked on: (Make sure you spell this correctly) 


Although this page is a little commercial, it does do a nice job in displaying 
your external IP address and the location where you are. Please note, this 
location is not necessarily your exact location, but in most cases at least the 
country should be correct. 

Afteryou have set up your connection, you can visit this page again. Then it 
should display a different location: the location where your VPN-provider is 

1. Before setting up a VPN, this site returns that we are in Berlin 
(Germany), which is correct: we are in Berlin. 

-^ ■""#* " © ^ ^ ' ' »*' ilittp:// t| | '*1* |w>iat is my u['!^| ^ 
..^^Disable" ~Cooki&ST ,_jcsbt OFormsT lailmagesT ©informatioriT O Miscellaneous ▼ j/Outlir>eT JJl 
'B http://bDQki,,,.t:urity/edit/ W | %1 What I& My IP Address?,,. X \ '^ 

^1 Whatis 
%! MylPAddress 

What Is MylPAddress? (Now detects many proty 


IP Informaiion: 

ISP. Versatel Deutschlartd 

GSG Asset GmbH S Co. Verwalturig; 



Read; GeoLocatipn accuracy 

Location not accurate? Try ; Browser qeolBcalion 


None Detected 





Comtry: Germany IH 1 

|8&.247.181.2 I Additicinal IP Details I 

2. After have set up the VPN, the site tells us that we moved to the 
Netherlands, which is correct: that is where our VPN-provider is 
located. People in Berlin won't be able to snifF our connection. 

^DisableT ^Cookie 

%■. http;//wha 


.||.3T|whatlsmy ur^l ® i 

s ^ Forms" 

-i Images o 

ig) Informations 

OMIsceilaneous* ^OutlineT ^jRet 

/Bhttp:/ /booki....curity/eijitJ H | >1 whatJs My IP Address?,.. X |^ 

■^, WhaUs 

I' MylPAddress 

What Is My IP Address? (Now detects many croxv servers } 

_ IP Intormallon: 

iSP' Samagevaf 
Organzation: Samagevof 

f^r|nppf^-||r^p Rrr^gHhanH 


e ^rlIjei.' I 200 rfl raarfflrr 

Read: GBoLocation accuracy 
Location not accurate? Try: Browser qeobcatton 

PrcKy. None Detected 


1 | Additional IP Details | 


Setting up your account 

In the following chapters some examples are given for setting up an account. 
These manuals mostly cover LT2P/PPTP like connections. If you want to use 
OpenVPN on Windows or MacOSX, have look at: (Windows interface) (MacOSX interface) 


VPN on Ubuntu 

If you use Ubuntu as your operating system, you can connect to a VPN by 
using the built-in NetworkManager. Tiiis application is able to set up networks 
with OpenVPN and PPTP. Unfortunately at the time of writing a L2TP interface 
is not available in Ubuntu. (It can be done manually, but it goes beyond the 
scope of this document). 

The following example will explain how to connect with a PPTP-server and an 

This document is divided in three parts. The first part covers the general 
installation of required elements and is necessary for both types of VPN- 
tunnels. The second and third part describe the configuration for PPTP and 
OpenVPN parts. 

Under all situations we assume you already have a VPN account as described 
earlier in this section. 

1. Preparing Network Manager for VPN networks 

For Ubuntu there is an excellent network utility: Network IManager. This is the 
same utility you use to set up your Wireless (or wired) network and is 
normally in the upper right corner of your screen (next to the clock). This 
tools is also capable of managing your VPNs, but before it can do so, it's 
necessary to install some extensions. 


Installing PPTP and OpenVPN extension for Network Manager 

To install the pluglns for Network Manager we will use the Ubuntu Software 

1. Open the U buntu Software Center from the Applications menu located 
at the top left of your screen 

Applications ^^^^^^ 


w^^bl 'W 




1^ Games 



j^ Graphics 



^ Internet 



1^ Office 



S] Sound & Video 



@ System Tools 



^ Wine 



^ Ubuntu Software Center 

^H|Lets vou choose from thousands of ^^H 

^^|free applications avail 

able for Ubuntu^^l 

2. The Ubuntu Software Center enables you to search, Install and remove 
software on your computer Click on the search box at the top right of 
the window. 

f. ^ Get Software 
H instiled Softv^are 


1 ^ 1* 1 Get Software 


Ubuntu Software 





Departments | 

fe li 


Accessories Education 



Games Graphics 


32616 items available 


In the search box, type in "network-manager-openvpn-gnome" (which is 
the extension that will enable OpenVPN) and/or "network-manager- 
pptp-gnome" (which is the extension for PPTP). It's necessary to type 
the full names because the packages are classified as "technical" and 
don't pop-up earlier. 

These packages include all the files you need to establish a VPN 
connection successfully. You can decide to install both extensions or 
only the one you need. 

> ^ Get Software 
■ Installed Softt^are 

^ ^ Get Software Search Results C^ --openvpn-gnoine| ..■f 

^ network management framework (OpenVPN plugin, GNOME Ul] 

■"" network-manager-ooenvpn-grome 

More Info 1 Install 


1 matching item 

4. Ubuntu may askyou for additional permissions to install the program. If 
that is the case, type in your password and click Authenticate. Once the 
package is installed, you can close the Software Center window. 

Authentication is required to 
install software packages 

An application is attempting to perfomi an action that 
requires privileges. Authentication is required to perform this 

1 matching item 


5. To check if the extensions are correctly installed, click on the 

NetworkManager (the icon at the left of your system clock) and select 
VPN Connections > Configure VPN. 

6. Click Add under the VPN tab. 

>:' Wired T.,\\ Wireless i.ill Mobile Broadband I'z'i VPN 0f DSL 


Last Used 

VPN Connection 1 
VPN Connection 2 

2 hours ago 








If you see a pop-up asking for the type of VPN and the tunnel 
technology (OpenVPN or PPTP) option is available, this means that you 
have installed the VPN extension in Ubuntu correctly. If you have your 
VPN login information ready, you can continue right away, else you first 
have to get a VPN account from a VPN-provider. If this is the case, click 
cancel to close the Network Manager. 


Choose a VPN Connection Type 

Select the type of VPN you wish to use for the new 
correction. If the type of VPN connection you wish to create 
does not appear in the list, you may not have the correct VPN 
plugin installed. 



Compatible with the OpenVPN sen/er. 




2. Configuring a PPTP network on Ubuntu 

If you want to set up OpenVPN, you skip this section and jump to "3. Set up 
OpenVPN on Ubuntu" 

Let's assume have your credentials from your VPN provider for PPTP ready. 
This information should contain the following: 

Username, ex. bill 

Password, ex. verysecretpassword 

VPN server, ex. 

Before getting started, please be sure you have read the paragraph 
"testing before and after account set up". In this way you will be able to 
validate if your connection is actually working after set up. 


If you have installed all software in the previous chapter, we are now 
ready to go. Setting up PPTP is very simple in Ubuntu: first we open the 
VPN network setting, by using the NetworkManager Utility. Just next to 
your system clock (were you also set your WiFi setting), just click on it 
and the following menu pops up. Choose Configure VPN (under VPN 

3. A new window will pop-up, showing your VPN connection. This list is 
empty if you have not configured a VPN before. Simple choose: Add 

Wired ^||| Wireless t.ill Mobile Broadband fii VPN DSL 


Last Used 

VPN connection 1 

9 minutes ago 








4. The next window will show you the available options. In This case make 
sure you choose Point-to_point Tunneling Protocol (PPTP). If you have 
selected this protocol choose "Create ..." 


Choose a VPN Connection Type 

Select the type of VPN you wish to use for the new 
connection. If the type of VPN connection you wish to create 
does rot appear in the list, you may not have the correct VPN 
plugln installed. 

Point-to-Point Tunneling Protocol (PPTP) | t 


Compatible with Microsoft and other PPTP VPN servers. 

Cancel Create... 


5. In the next pop-up fill out the required information. The connectname is 
just the name to identify this connection with. The gateway is the server 
address of the VPN provider, in this case "" are self 
explanatory., the fields "User name" and "Password" 

Please pay special attention to the "Connect Automatically" option. If 
enabled, the VPN will be always online (if available). This setting is 
recommended if you have an unlimited dataplan with you VPN provider. 

Also it's needed to enable encryption. This can be done with the 
advanced options, so choose "Advanced..." 

Connection name: I VPN to Greenhost 

Connect automati 

IPv4 Settings 



Gateway; tunnel, 


User name: 

NT Domain; 


n Show password 

D Available to all users 

Cancel Apply 


In the advanced options screen enable: "Use Point-to-Point encryption 
(MPPE)". The utility will give you a warning that some authentication 
methods are not possible with MPPE. This is the expected behaviour 
You can confirm the settings with "OK" to return to the previous 
window. Please "Apply" this window, and we nearly ready to go. 


Allow the following authentication methods: 



SeciiPitT^ncf compressiorT 

Use Point-to-Point encryption (MPPE) 


n Allow stateful encryption 
Allow BSD data compression 
Allow Deflate data compression 
Use TCP header compression 


D Send PPP echo packets 




7. Now you will return to the overview. If everything went fine, you will 
have a new connection now. Here it's called "VPN to Greenhost". You 
can close this window now, your settings are complete. 

Wired |^.|| Wirjg||,|y|,y,gyj,e Broadband 

Q VPN \0 d: 


Last Used 

VPN connection 1 

9 minutes ago 

VPN to Greenhost 









Now, let's activate the VPN. Hit the Network Utility Tool again, browse 
to "VPN Connections" and next "Click on VPN to Greenhost" 


If everything went fine, look at the small change in the notification icon: 
this should now give you a "lock" icon next to the WiFi signal. 

3. Configuring an OpenVPN networl< 

Let's assume you received your configuration files and credentials from your 
VPN provider. This information should contain the following 

• an *.ovpn file, ex. air.ovpn 

• The file: ca.crt (this file is specific for every OpenVPN provider) 

• The file: user.crt (this file is your personal certificate, used for 
encryption of data) 

• The fiie: user.key (this file contains your private key. It should be 
protected in a good manner. Loosing this file will make your connection 

In most cases your provider will send these files to you in a zip file. 

Before getting started, please be sure you've read the paragraph "testing 
before and after account set up", this way you will be able to validate if 
your connection is actually working after set up. 


2. Unzip the file you have downloaded to a folder on your hard drive (e.g.: 
"/home/[yourusername]/.vpn"). You should now have four files. The file 
"air.ovpn" Is the configuration file that you need to Import into 



# • © I iSi ■ I ^ 100% ^ I Icon View |t| Q^ 

Places T I 

d genghis 
U Desktop 
^ File System 
^ Netwohi: 

Iti] Documents 
i^ MLsic 
i@ Pictures 
^ Videos 
lili Downloads 
IB MX Server 

Location: /home/genghis/.vpn 

1^841 I 


4- items. Free space; 397.6 GB ^ 

3. To import the configuration file, open Networl<Manager and go to VPN 
Connections > Configure VPN. 

Connect to Hidden Wireless Network... 
Create New Wireless Network... 


4. Under the VPN tab, click Import. 

Wired f.A Wireless i.i|| Mobile Broadband g) VPN dsl 


Last Used 

VPN Correction 1 
VPN Connection 2 

3 hours ago 







5. Locate the file airovpn that you have just unzipped. Click Open. 

a 01 

\ti genghls .vpn 


Name » size | Modingfl.ii 

Q. Search 
©Recently Used 

1 ^ air.ovpn 

4B4 bytes 09:35 „ 

U iKer.crt 

5.0 KB 09:35 


a Desktop 

Lj uE^rkey 

1 6 KB 09:35 

Q File System 

8 Documents 

« Music 


a Videos 


Add Remoi'e 


6. A new window will open. Leave everything as it is and click Apply. 

Connection name: 


Connect automatically 


IPv4 Settings 





User Certificate: 
CA Certificate: 
Private Key 
Private Key F^ssword: 


Certificates (TLS) 

1 ▼ 

Lj user.crt 


l_j ca.crt: 


LJ user, key 


D Show passwords 

;^ Advanced... 

D Available to all users 




7. Congratulations! Your VPN connection is ready to be used and should 
appear on the list of connections under the VPN tab. You can now close 

Wired <si|| Wireless t.ill Mobile Broadband gi VPN dsl 


Last Used 

VPN Correction 1 
VPN Conrectior 2 

3 hours ago 








Close , 

Using your new VPN connection 

Now that you configured NetworkManager to connect to a VPN service using 
the OpenVPN client, you can use your new VPN connection to circumvent 
Internet censorship. To get started, follow these steps: 


1. In the NetworkManager menu, select your new connection from VPN 

2. Wait for the VPN connection to be established. V^/hen connected, a 
small padlock should appear right next to your NetworkManager icon, 
indicating that you are now using a secure connection. Move your 
cursor over the icon to confirm that the VPN connection is active. 

3. Test your connection, using the described method earlier. 


4. To disconnect from your VPN, select VPN Connections > Disconnect 
VPN in the Networl<Manager menu. You are now using your normal 
(filtered) connection again. 


VPN on MacOSX 

Setting up a VPN on MacOSX is very easy once you have your account details 
ready, Let's assume have your credentials from your VPN provider for 
L2TP/lpSec connection ready. This information should contain the follov\/ing: 

• Username, ex. bill2 

• Password, ex. verysecretpassword 

• VPN server, ex. 

• A Pre-Shared-Key or Machine-certificate 

1. Before getting started, please be sure you've read the paragraph "testing 
before and after account set up", this way you will be able to validate if 
your connection is actually working after set up. 

2. A VPN is configured in the network settings, that are accessible via 
"System Preferences.." in the Apple menu. 

Finder File Edit View Go Window Help 

About This Mac 
Software Update,., 
App Store.,. 

System Preferences,.. 



Recent Items 


Force Quit Finder 



Shut Down,.. 


Log Out Douwe Schmidt., 



3. Next, open the Network preferences . 

I.i? O ^' ^^^^^^H System Preferences 


TlB ^W 


Appearance Desktop Si Dock Exposed language & Security Spotlight 

Screen Saver Spaces Text 



CDs & DVD& Displays Energy Ink Keyboard Mouse Trackpad Prints Fan 



Internet & Wire! 

Mobfl^e Network Blu^ooth Sharing 



Accounts Date & Time Pafental Software Speech Startup Disk Time Wachine Universal 

Controls Update Access 


■^ i±h 

AppTrap Bamboc Flip4Mzc Gfowl M€njM€Ters Perian Xmarks Zimbra 

WMV for Safari 


4. OSX uses this nifty system to lock windows. To add a VPN it is necessary 
to unlock the screen: you can do this by clicking on the lock on the left 
bottom of the screen. 

Not Connected 


Not Connected 

Location: ' Automatic 


Status: Connected C "l"^^" AirPart Off ^ 

AirPort is connected to BETAHAUS GUEST 
and has the IP address 192, L6S. 1.51, 

Network ^Jame; I BETAHAUS GUEST 


HAsktojoin new networks 

KnoMn networks will be Joined automatically, 
If ro known! networks are availabk. vou will 
be asked before Joining a new network. 

Click tie lock to make changes. 

5. Enter our user credentials 

0?hDW Airport status in menu bar :.^ Advanced... j Cf) 

(^ Assist me... ^ C ^^^^^ 3 C ^PP*Y 3 



Type your password to aflow System 
Preferences to malie changes. 

^ Details 

Name: John 
Password: j«»»*< 

( Cancel ) ( OK ) 


6. Now we can add a new network. Do this by clicking on the "+" sign 

le O ^' ^^^^H Network 



Location; ' AutomaTic 

Not Corinected 



status: Connected C T^^" AirPort Off j 

AirPort is connected to BCTAHAUS CUEST 
and has the IP add re &s L92.L6S.1.5L, 

Networi< Name: ' BETAHAUS GUEST 

Ask ro Join new networks 

Knonr netMitk^ v^ill be Joined dutQniatkally. 
If ro known networks are available, •<fo\i will 
be asked before joining a new network. 

raShow AirPort status in menu bar . Advanced.. . J Cf) 

Clict tiie lock to prevent further changes. f Assist me.,. ^ '' Revert '^: C Appiy ^ 

7. In the pop-up you need to specify the type of connection. In this case 
choose an VPN interface with L2TP over IPSec. This is the most common 
system. Also don't forget to give the connection a nice name. 

Select the interface and enter a name for the new service. 

interface: ' VPN 


VPN Type: L?TP over IPSec 


Service Nitne: ICreenhostVPN 

( Cancel ) (^ Create ) 


Next comes the connection data. Please fill in the provided server name 
and user name (called 'Account Name'). If this is done, click on the 
"Authentication Settings..." button 


Location: ' Automatic 

. AirPort 


Not Connected 


Not Connected 

Green host VPN 

Not Configured 




Server Address: 

Account Name: 

(^?hDW VPN status i 

Not Configured 

1 Default h&< 


(^Authentication Settings... J| 

( Connect ^ 

1 menu bar ( Advanced... ^ 


Cliclc the Jock to prevent further changes. 

(^ Assist me... ^ C R^VGrt ^ C ^PPlV 3 


In the new pop-up you can specify connection specific information. This 
is the way the user is authenticated and how the machine is 
authenticated. The user is very commonly authenticated by using a 
password, although other methods are possible. Machine 
authentication is often done by a Shared Secret (Pre-Shared-Key/PSK), 
but also quite often by using a certficate. In this case we use the Shared 
Secret method. When this is done click OK. 

User Authentication : 

© Password: I 


O Certificate Select.. . ) 
C Kerbs ros 
O CryptoCarrf 

Machine Authentication: 

Shared Secret: |..*.. | 


— 1* 

Group Name: | 



Cancel ) ( 0< 



10. Now you return back to the network screen. The next step is very 
important, so click on "Advanced..." 




Location: ! Ajtoimatic 


Status: Not Configured 

Configuration: [ Default 

Server Address: tunnel. greenhost.nL 

Account Name: |bill2 


(^ Authenticatiori Settings .Tj 
( Connect j 

J Show VPN status in menu bar I (^ Advanced... j|(?) 

elicit tfia lock to prevent further thangas. f Assisn me... ^ f Revert J ( Apply ^ 


11. In the new pop up you will see an option to route all traffic through the 
VPN connection. We want to enable this, so all our traffic is encrypted. 

Creenhost VPN 

Options VPN on Oetnand TCP/IP DNS ■ Proxies V- 

Disconnect when switching user accounts 
[^Disconnect wlnen user iogs out 


Send all traffic over VPN connection 
_ Disconnect if idle for 10 minutes 


d! Use verbose logging 


( Cancel ) ( OK ) 


12. Well, all Is done. Now hit the Connect button! 


Location: ' AuTomaTic 



Not Connected 


Not Connected 

Creenhost VPM 

Not Configured 


Status: Not Configured 


f Default 


Server Address: 

tunnel. greenhost.nF 

Account Name: 



[ AiJtlierticatior Settings. 


Show VPN status in menu bar ( Advanced... J Cf) 

Clict the lock to prevent further changes. 


13. A pop-up appears. You need to confirm your changes, just hit "Apply" 

_„,^T^.__ Connecting without appfylng your changes will 
tSv^^ use the previous settings. Would you like to 
L^iif^ iapply your changes beFore connecting? 

(^ Don't Apply J [ Cancel .: ( Apply j 


14. After a few seconds, on the left side the connection should turn green, if 
so, you are connected! 



, Ethernet 

Not Corifiected 

, UvA 
Not Connected 


LocatJDn: I Ajtomatic 



Connect Time 

Server Address: 
Account Name: 

□ Show VPN status 


00:00:25 Sent: DDDDDDDDDD 

L92.16S.87.9 Received: nOOQDDDODD 

! Default M^ | 


( Authentication Settings... ) 
( Disconnect ") 

n menu bar ( Advanced... ) (?) 

m ClicJc the lock to prevent further thangas. 

15. Ok, now test your connection! 

Assist me... ^ 1 Revert 

Apply J 


VPN on Windows 

Setting up a VPN on Windows is very easy once you have your account details 
ready. Let's assume have your credentials from your VPN provider for 
L2TP/lpSec connection ready. This information should contain the following: 

• Username, ex. bill2 

• Password, ex. verysecretpassword 

• VPN server, ex. 

• A Pre-Shared-Key or Machine-certificate 

1. Before getting started, please be sure you've read the paragraph "testing 
before and after account set up", this way you will be able to validate if 
your connection is actually working after set up. 

2. We need to go to the "Network and Sharing Center" of Windows to 
create a new VPN connection. We can access this center easily by 
clicking on the network icon next to the systemclock en click on "open 
Network and Sharing Center" 


3. The "Network and Sharing Center" will popup. You will see some 
information about your current network. Click on "Connect to a 
network" to add a VPN connection. 

Change adapter s-ettings 

Change advanced sharing 

See also 
lintemef Options 
Windows Firewall 

View your basic network information and setup connections 

(This computer) 
View your active networks 

Hetvirork 2 

Public network 

Connect or disconnect 

Access type; Internet 

Connections; B Local Area Connectic 

Changeyour networking settings 

^Qt Set up a ne>fV connection or network 

5et up a wireless, broadband, dial-up. ad hoc, or VPN connection; or set up a router o 

^Cp Connect to a network 

Connect or reconnect to a 

«ired, dial-up. or VPN network connection. 

^M± Choose homegroup and sharing options 

Access files and printers located on other network computers, or change sharing settings, 

I 2^1 Trouhleshoc-t problems 

Diagnose and repair network problems, or get troubleshooting information, 


4. The wizard to setup a connection will popup. Choose the option to 
"connect to a workplace", which is Microsoft's way of naming a VPN 


(Srv ^y ^st Up ^Connection or Network 

Choose a connection option 

Con n ect to the Intern et 

Set up a wireless., broadband, or dial-up connection to the Internet. 

Hyh' Set up a new network 

■-^■'^ Configure a new router or acce^5. point. 

Set up a dial-up connection 
' Connect to the Internet using a dial-up connection. 


5. The next screen asks us if we want to use our Internet connection or an 
old-skool phone line to connect to the VPN. Just choose the first option 


Ubi Cc^nne^^a Workplace 


How do you want to connect? 

Use my Internet connection (VPN) 

Connect using a virtual private network (VPN) connection through the Internet. 

8 •• 

^ Dial directly 

Connect directly to a phone number without going through the Internet. 

y^/ — s 

What is a VPN connection? 


6. The next screen asks for the connection details. Enter here the server of 
your VPN-provider (called "Internet address" in this dialog). On the 
bottom please check the box "Don't connect now; just set it up". Using 
this option the connection will be automatially saved and it's easier to 
control extra settings. If this is all done, hit the "next" button 

1 . ^ 

1 1= 1 1=1 Ik^^il 


Ltfj ConnecfatP a Workplace _ ^^K 

Type the Internet address to connect to 
Your network administrator can give you this address. 

Internet address; tunnel. greenhostnl 1 

Destination name: | SreenhostVPNl 

Irl Use a smart card 

^ n Allow other people to use this connection 

Th i s option allows anyonewlthaccesstothiscomputertousethisconnection. 

1 [V] Don't connect now; just set it up 5D lean connect later 1 


1 Ns(t j 1 Cancel | 1 


Next up are your username and password. Just give them like you 
received them from your VPN-provider. If the connection fails, windows 
forget's them. So l<eep them with you, you maybe need them later. If 
this is done. Click "create". 

Lika C&nnec^o a Workplace 

1 = 




Type your user name and password 

User name; | '''"^ 


Password; 1 •"— 

O Show characters 

in Rem em ber th i & p a sswo rd 

Domain (optional]: 

Create | | 



Your connection is now available, if you click the the network icon 
again, you will see a new option in the network menu, the name of your 
VPN connection, just click it to connect. 

Currently connected to; 


Network 2 

Internet access 

Dial-up and VPN 



Open Network and Sharing Center 


9. And click "connect" 

Currently connected to; 


Network 2 

Internet access 

Dial-up and VP^f 



Open Network and Sharing Center 

-; ^ V '<■< 


10. A VPN connection dialog appears. This give us tiie opportunity to review 
our settings and to connect. You can try to connect, Windows will try to 
discover all other settings automatically. U nfortunately, this does not 
always work, so if this is not working for you, hit the "properties" 

i' Connect Greenho5t VPN 

User name: 




[r] Save this user name and password for the following users : 

Me only 

1^ Aiyone who uses this computer 

\ ^^^ r 





11. The properties windows appear. The most important page is the 
"Security" page, click on the Security tab to open it. 

Greenhost VPN Propwtjel 

I ^SM 


Options I Security | Networking | Sharing | 

Host name or IP addness of destination Isucti as or or 3ffe:1234::1 111): 

Rrst connect 

Windows can firet conned to a public neiwoik. such as the 
Intemet. before trying to establish this virtual connection. 

n Dial another connection first: 

See our online privacy statemerit for data collection and use 




12. In the security tab you can specify VPN type, normally L2TP/IPSec or 
PPTP. For L2TP/IPSec also have a look at the Advanced settings. 

Greenhost VPN PnopertfesJ 

\ m£S^. 

General Options Security Networking | Sharing 

Type of VPN: 

Layer 2 Tunneling Protocol withi IPsec {LZTP/iPSec) 

fl gt fl a narypt i an; 

Advanced settings j 

Require encryption {disconnect if server declines) 


© Use Extensible AutfierticSion Protocol (EW) 


^1 AJlow these protocols 

|r| Unencrypted password (PAP) 

[V] Challenge Handshake Authentication Protocol ICHAP) 

|7] Microsoft CHAP Ver^iori 2 (MS-CHAP v2) 

[rn Autorrratically use my Windows logon narrre and 
password (^nd dorrrain, if any) 




13. In the Advanced Settings window, you can specify if you are using a 
preshared key or a certificate. This depends on your VPN-provider. If 
you have received a pre-shared-l<ey, Select this option and fill in this key. 
Hit ok afterwards. You will return to the previous window, click ok there 

r " ^ 

Advanced Properties 

C*:' Use preshared key for authentication 

l<ey: seaetkey 

) Use oertificatE for authentication 
[71 Verif/ the Name and Usage attributes of the server "s certificate 



14. Back in to connection window try to connect now. Please be sure your 
username and password are filled out. 

User name: ^1112 
Password: •••••! 


[r1 Save this user name and password for the following users: 

Me only' 
^ rflyone who uses this computer 




Cancel I I Properties 


15. A connection popup will appear 

Connecting to Greenhosl VPN,., W 

M" f Connecting to tunnel .greenhost .nl using "^/V AN 
^ '(■ Mlnlport (LZTPy... 


16. Online! Don't forget to check if your VPN is working properly. 




Introduction to Mobile Phone Security 

Most people have mobile phones today. In the past these devices were 
primarily used to call and send text messages. In addition, all mobiles have at 
least an ability to keep an address book. There is a nev\/ generation of mobile 
devices that come with Internet access, built-in video cameras and the ability 
to install additional software. These smart phones can be very convenient and 
provide you with very powerful and useful tools. These phones contain a lot 
of private data and, unfortunately, a phone can be lost easily. The following 
chapter deals with some methods to use them more secure. 

Security issues with mobile phones 

Physical security - A phone can be confiscated or stolen. If you are a 
journalist, your address book might be of special interest: it can be used just 
to gain knowledge of your networkor for further social engineering. As a 
minimum safety measure you should always enable some kind of password 
protection on your phone (not just on your SIM card). 

Voice - Although the voice on a GSM (mobile phone) channel is encrypted, 
this encryption was hacked some time ago and is not considered safe any 
more. Furthermore, if you do not trust the network(s) you are using it has 
never been safe. Normal VoIP communications are very insecure as they are 
not encrypted. Some other VoIP services use some kind of encryption. 

SMS - Text messages are sent in plain text over the network, so they are also 
not considered secure, additionally they are not securely stored at your 
device, so anyone with access to it will be able to read them. If you are using 
an Android based phone read the chapter on 'Secure Text Messaging' 

Smartphones - Smartphones are quite new, and unfortunately most advanced 
(and even some basic) ways of securing that are available on normal 
computers are not available on smartphones. They pose additional risk since 
you are also using them for things like agendas, and personal note taking. Also 
not all applications in an appstore or market are safe to use, because there 
are a considerable number of malware apps on the market which are passing 
your personal data to other companies. You should always check if the app's 
you want to use can be trusted. Internet on your mobile device is subject to 
the same problems as all wireless communications. Read the chapter on VPN 
for mobile devices to improve this. 

Prepaid sim cards - In some countries you are still able to use prepaid locally 
bought SIMcards without identifying yourself. Beware that your phone also 
has a unique identifier (known as the IMEI number) so switching SIM cards 
will will not guarantee to protect your privacy. 


The following chapters will deal with different methods that are available 
today to secure your mobile communications. Note that mobile phone 
security in particular is developing very fast and users should check out the 
current status of premier open source efforts like the Guardian Project 


Secure Text messaging 

Sending SMS (text) messages is considered insecure, not only do they travel 
unencrypted through the phone network, they are also saved on your phone 
where someone might see them. 

If you are using an Android based smart phone there is a neat free tool to fix 
both issues; TextSecure. TextSecure uses a password to save all your messages 
(sent and received) encrypted to your phone, and it also enables you to 
securely SMS with other people using TextSecure. Rememberthat if you have 
sent an SMS to someone that is not using TextSecure it will still be 
unencrypted on their phone and over the network. 

Geek info on how TextSecure works 

SMS communication using TextSecure is encrypted using the Off The Record 
(OTR) encryption protocol. OTR is specifically designed for chat messaging, it 
provides session based encryption and authentication, but on top of that it 
provides deniability, something protocols like PGP do not provide. 

Installing TextSecure 

TextSecure can be installed using the Market App on your phone, either search 
for 'TextSecure' in the market, or use the QR code on this page with the 
Barcode Scanner. 

Afteryou have acknowledged the permissions and installed the app, you are 
ready to start it, as soon as you do so you are confronted with the "End User 
License Agreement", press accept to continue. A new pop-up telling you this is 
beta software will appear which you have to acknowledge too. 


'^Hll'^'0 3:25 pm 

Q End User License Agreement 

Tumbleweed Ventures, LLC offers 
the Whisper Systems Software and 
the Whisper Systems Website (as 
defined below) solely for your non- 
commercial use in accordance with 
the following terms and conditions. 
If you do not accept this 
Agreement, you do not have 
permission to use the Whisper 
Systems Software or the Whisper 
Systems Website. Any use by you 
of the Whisper Systems Software 
or the Whisper Systems Website 
shall constitute your binding 
acceptance of this Agreement. 

1. Definitions 


^SilS'C? 3:26 pm 

Q End User License Agreement 

Please Note 

Thank you for helping us test this 
BETAvesion of TextSecure. 

This is BETA software, please do 
not use it in situations where 
security is critical. 

Please report any problems to 

TextSecure uses a password to encrypt the text messages on your phone. Be 
careful to choose a strong password you can easily remember (for more 
information look at the section on using secure passwords), if you lose it you 
will not be able to read any of your old messages. To be sure you entered It 
correctly you have to enter the password twice. 


•^Hll'S'0 3:27 pm 


To get started, please enter a 
passphrase that will be used 
to locally encrypt your data. 
This should be a strong 


The next step is to tell if you want the messages already stored on the phone 
to be copied to the TextSecure database, If you choose "Copy" here you will 
be able to secure your old messages by deleting them from the system 
database later. 


Hil'^'0 3:30 pm 

Q End User License Agreement 

Tumbleweed Ventures. LLC offers 

-^ Copy System Text Message 
* Database? 

Current versions of TextSecure use 
an encrypted database that is 
separate from tine default system 
database. Would you like to copy 
your existing text messages into 
TextSecure's encrypted database? 
Your default system database will 
be unaffected. 

After this step you are ready to use TextSecure to send unencrypted 
messages. If other people also use TextSecure this is automatically detected, it 
will then present you with the option to send them your key. Exchange keys is 
needed to get full end-to-end encryption. This process is described in the next 
steps. It is also possible to manually start this process by clicking the menu 
button and choosing the option "secure session". 




Me: Test 

Sent: 3:38pm 

'^ Mart: Hello emile 

Sent: 3:39pm 

Sent key exchange message 

Sent: 3:41pm 

Received and processed key 

exchange message. 

Sent: 3:42pm 

after these steps your communications are secure, but you have not acquired 
a trust relation, put in other words, the channel is secure but you are not 
entirely sure who you're talking to. So keeping that in mind, the next thing to 
do is to verify that you are indeed talking to the right person (a sender's 
phone number can be easily forged, so you need a more secure way to check 
the identity). In the conversation window press the menu button and select 
"Secure Session Options". In the window that appears select "Verify Recipient 



Me: Test 

Sent: 3:38pm 

'^ Mart: Hello emile 

Sent: 3:39pm 

Sent key exchange message 

Sent: 3:41pm 

Received and processed key 

exchange message. 

Add Attachment | Secure Session Options 


Verify Secure Session 

Verify Recipient Identity 
Abort Secure Session 

The following window shows your and theirs identity fingerprint. You can for 
instance call them and check if the keys are correct. If you happen to be close 
together to set this up, TextSecure also allows you to use your Barcode 
scanner to check the keys. To start this, select compare and follow the 
instructions. If you are done verifying using any of the other methods, select 
"Verified!" and select OK In the next screen. A Save Identity popup appears, 
usually the name Is already filled in correctly and you can just push the "Ok" 
button twice to start your authenticated messaging. 


a ® A 1? O ^ Hll '^ '0 3:48 PM 

Verify Identity 



Their identit 

r. 01 





(They read) 






























Your identity 

•: 01 





(You read) 






























1 Verified 

! 1 Abort 1 Compa 

re 1 ( 

lancei H 


® A ^ O ^ Hll ^ H 4:09 PM 

You can see that this messaging has been verified because the locl< icons in 
the left corner and next to the messages are not red colored. These messages 
are encrypted and authenticated. 


ii Mart 





^^^ Me: Test 


^) Authenticity 

This session is verified to be 

H^^^^^B ni. 




^xchange message. 


■ ype to compose 1 




D © A ^ H ^ Sil S 'C3 4:12 PM 

™ Mart: Hello emile 

Sent: 3:39pm 

Sent key exchange message 

Sent: 3:41pm 

Received and processed key 

exchange message. 

Sent: 3:42pm 

F^ Me: Test2 
Sent: 4:12pm 


This is the right moment to look at the various configuration options that 
TextSecure comes with. Most of them are self-explanatory. Securitywise it 
might be a good idea to look at the setting for the Passphrase timeout 
interval, and set it to a lower value according to your situation. If the timeout 
interval expires, and you want to few your messages again, TextSecure will ask 
for your password. 




Sign Key Exchange 

Sign key exchange messages with 
Identity key 

Timeout passphrase 

Forget passphrase from memory after 
some interval 

Tinneout interval 

The amount of time to wait before 
forgetting passphrase from m'^n""' 

Identity Key Settings 

View My Identity Key 

Viewmy identity l(ey 

Export My Identity Key 

Export my identity l^ey 

Import Contact's Key 

Import an identity i<ey from a contact 

Manage Identity Keys 

Manage configured identity l^eys 

These are the basics of TextSecure. If you like the application we advice you to 
replace the messages application link on your phone's homescreen. This way 
you won't mix the TextSecure and normal Messages application 


Secure voice communication 

when calling another person with your mobile phone, your communication 
can be monitored on multiple places. Governments all over the world have 
regulations which allows tapping of phone lines, this includes mobile phones. 
If you think your phone is tapped and your need a secure phone 
communication, it is worth looking into voice encryption. 

There a vendors who offer mobile phones with voice encryption, but if you 
phone's hardware or firmware does not allow you to encrypt the normal 
voice calls, you can still use your data connection to send and receive 
encrypted voice data. The standard method for this is called the "SIP"- 
protocol. SIP is built-in in business Symbian-Phones and the N900 and 
available for Android Phones. SIP calls might be encrypted, but generally are 
not; this is a decision mostly of your SIP provider who has to support it. 

Currently there are two convenient solutions for secure calling (one of them 
only on Android Phones). Both use the data connection of your (smart) phone, 
which means that you either need to be connected to a WiFi network or have 
a payable and reliable 3G connection ready. 


Skype is a very well-known voice application. Skype uses encryption for the 
whole path of the voice communication. 

Although the encryption seems to be resonably good-"^ , Skype is not open 
about the technology they use for this. It's unknown if (some) governments 
have access to it or not. It seems to be safe for most countries and at least 
safer then using normal phone communication. 

Because of the popularity of Skype and the fact mobile phone operators are 
loosing call-minutes, unfortunately some operators are blocking the use of 

Depending on the phone you use, Skype might consume a lot of battery 
power. Keep this in mind when using Skype and are low on energy. 


RedPhone is an application available only on the Android platform. It 
establishes a voice connection by a mediation through the RedPhone vendor's 
servers, so the are able to log every call you make with the RedPhone 


RedPhone is very convenient to install on Android Phones. It's available from 
the Android Market. After installing it will use your normal phone contacts. It 
also has the ability to upgrade a phone call to an encrypted one while calling. 

The main advantage of RedPhone over Skype is the way how it's integrated in 
your normal phone behaviour and the way it setups communication. It does 
not use a lot of battery power in standby. A big disadvantage is it's sound 
quality, which is not so very good, another big disadvantages that really limits 
its use is that the software is only available for android. 
RedPhone needs a data-connection (WiFi or 3G) to operate. 

Other methods 

There are some other methods using VoIP encryption. Most of these 
application need a proper setup by a VOIP provider and are therefore not 
covered by this manual. Mostly VOIP connections are insecure if not explicitly 
stated otherwise. 

Skype uses variable bit encoding which might leak information about 
the phrases spoken. See explanation and alternative encryption at 


VPN on Android phones 

Setting up VPN with L2TP or PPTP is very simple in Android, although there 
are some ceaveats. Before starting, you need server and login information 
from your VPN provider. Normally you need at least these items: 

• username 

• password 

• vpn servername, eg. 


• pre-shared-key (PSK), this is general password. Most providers will use a 
certificate instead 

• typeof the VPN service, PPTP or L2TP/lpsec 

In this example we explain L2TP with a Pre-Shared-Key (PSK). This is one of the 
most complicated versions. All other configurations are less complicated. 

1. If you go to "" with a browser, you will see your 
current external IP address, and the location where this IP is registered. This is 
mostly not exactly on your current location, but often at least in the country 
where you are. In the example the IP is in Germany 


L Q 


Nehmen Sie den Zug 


what 15 My IP Address? [h^.-. 


le Dublic Internet i=- assigned a uiigje umbar kroAnas an Internet Pr-ou 
llf^! addr^zs. iP addr«£5«i cansia cf four numtKrs separated by pariads [also 'Called a dattad-qjad'l ai 
look SDmelhiinE like 127 .E.C.I. 



s be Lse 


EecajssthenLinbErsmay be ted ioLB to deal wiUi.^r IP addre» may also be assigned to a Host naniE 
urfiich IS SMrgtiniBS Easier to remember. Hoit names may tie laokgdjqlo find IP addiesses^^rduice- 
varsa. At one tiira ISPs Issued ore IP address to each Lser. These are callad static IP addresses . Qecaij 
thsreisa limited numberof IP addresses and with inixeassd jsage of llieintErnet ISPs row issue IP 

addresses In a dynamk fashion ojtcf a pDcl of IP addresses rtJslne PHQ>} . These are referred la as 
dvnami: IP addresses . This also limits the ability cf the user la hast vieb sites, mall servers, ftp servers. 
slina a single machine can act liks 




email in 

Public IP ConFusi an. . 

TbL Apr 28 31)11 0:^ 

Uv oersonaj email acLoi 

help me please ... 

Wed Apr 27 201115 

Wed Api 27 Mil 13 

help alaas.e 

Wed Apr 37 201113 

Wed Apr 27 201113 

w^-t i-,oi Tf^i- n 

2. To setup your VPN, open the android menu and choose 'Settings' 


News News and PDF Viewer Peep 

r *» 

Phone Places Quickoffice Relsplanner 

» -* 

Search Seesmic Settings Setup 


Shazam SIMTooii<it SimpieLast. Spanish 
fm Scrobb... Ciass Dem.. 

n # 

Stoci<s Tail< Teeter Terminai 

3. In the settings menu choose 'Wireless & networks' 



^. Personalize 

"5" Wireless & networks 

ESJ)) Sound 
n Display 

^__^ Accounts & sync 
(^ Location 

4. Scroll down a bit, here you will found a VPN settings option, choose this 


•^ .III ^' 20:34 

Wireless & networ 

furn on Bluetooth 

Bluetooth settings 

Manage connections, set device name & 

Portable Wi-Fi hotspot 

Turn on hotspot 

Portable Wi-Fi hotspot settings 

Manage security, users and LAN 

VPN settings 

Set up & manage Virtual Private Networks (VPNs) 

Mobile network 

Disconnected because data roaming is 

Mobile networks 

Set options for roaming, networks, APNs 

5. On the top you will be able to choose to add an VPN 


VPN setting!. 

Add VPN 

6. Next you need to choose the correct type of VPN. This is a vital step as VPN 
types are not interchangeable. Most common types are PPTP of L2TP/lpSsec. 
The L2TP/lpSec can be combined with a PSK or CRT option. The first is "Pre- 
Shared-Key", the option common in smaller company VPN networks. The 
other options is used with some large networks. In this example we will use 
the "L2TP/IPSec PSK VPN", choose this option 


•^ .III ^' 20:34 


Point-to-Point Tunneling Protocol 


Layer 2 Tunneling Protocol 


Pre-shared key based L2TP/IPSec VPN 


Certificate based L2TP/IPSec VPN 

7. Next is setting up the parameters foryour network. Choose 'VPN name' to 
setup a name for this connection 


.■ill ^i 20:35 


VPN name 

VPN name not set 

Set VPN server 

VPN server not set 

Set IPSec pre-shared key A 

IPSec pre-shared key not set 

Enable L2TP secret — 

L2TP secret is disabled 

Set L2TP secret 

2TP secret not set 

DNS search domains 

DNS search domains not set 

8. Type a name for your connection. This can be whatever you like to identify 
this connection with. Confirm with OK. 


A ^ O "^ -"^il 20:35 


VpM namo A 

VPN name 

:>fc ^ 


i/pn to my provider 


T .1* 

1 OK n Cancel F 

bnaoie L^ IK secret h 

L2TP secret is disabled ^* 

41 1 1 III iH 

















r r 

BB' Done 

9. Next choose "VPN Server", and fill in the server name. This name is 
provided when your received your connection and login information. We use 
the tunnel server of Greenhost in this example "". Once 
again confirm with "OK" 


(w) Set VPN server 



I I I I III 111 


T ''j 

■''- r 





r \r 




J% SYM 1 


1 I^^Q 

10. Next is the pre-shared-key. If you use a certificated based connection, this 
option does not exists. You should have received your pre-shared key from 
your VPN provider 


11. The rest of the options are normally not used. Hit the menu & save button 
of your phone to confirm the settings. 


A-t? n '<^ .'ill ^^ 20:38 


VPN name 

Vpn to my provider 

Set VPN server 

Set IPSec pre-shared key A 

IPSec pre-shared key is set 

Enable L2TP secret 

L2TP secret is disabled 

Set L2TP secret 

2TP secret not set 

DNS search domains 

DNS search domains not set 




12. After saving you will return to the VPN overview. Now just click on the 
newly created connection. 


13. The system will ask for your credentials, type them as you received them 
from your provider. 


.■Til iS 20:38 

'N settings 

Add VPN 

0Connectto Vpnto my 

14. We use Bill and a password In our example. Press 'Connect' to connect. 


15. If everything goes smoothly, you will get a "connected" status after a few 
seconds. Notice also the new "key" icon in the top bar Here you will see if 
your VPN connection is active. 


VPN settings 

Add VPN 

16. Now, lets return to Yeah, we moved, we are 
located In the Netherlands now. Wow! That's fast travelling ;) 




Nieuw: ^ 

id,«s sim'uo 

what Is My IP Address? [n™ d^i^cte ma 

IPInformatiDn: 195.190.2S.22 

Oig^riiation: Eamagavol 
ConrEtlion. Brnadbarid 
Praxy: Hone Date:lEd 

Cojntry Hatheilands a 

I19&.190.38.2; I AddilicnBl IP betailsl 


What li! an IP addr»s? 

IIPl addreE^s. IP addreE^seE^ cariEiE^t cl four numters sep^ratEd by pariods 
look SD-mflhing like 127.E1.E1.1. 

EmcE ItiaEB numters are usually assigned tc intErriBt seririie providers w 
addrf!!; car after be LSEd ta IdEntify rhe rEgmn cr raLrrrv fram which a 
Irterret. An IP address- can scmetimes b« L5«d Ec shDvi tl>a jser's sefiar. 

versB. At one time ISP5 lauEd ore IP address to ea* Lser. These arp called sMl 
tharei^ a limhed njirberoMP addr«»5ard urithi iniT«isad usage of (heintErn 
Bddresses ma dynamic fasliiariajt of Bppcl of IP addresses flJsing PHHJ'X Thes 

dynarni: IP addresses . Tiii alao limiBthe ability of the jser M host web siEes, mi 

mjidpla machines (with multiple dcmair names and IP addra?s«?l. 
Recent Forurn Discussions 



PubUcIPIIonfusian. . 

ThL Apr 2E 3011 0:^ 

is blackliitad 

hi\D me niease ... 

Wed Afr 27 201115 

help pleeie 

Wed Acr 37 201113 

Warning: Losing connectivity 

when you lose connectivity your VPN will get disconnected automatically. If 
you have internet connectivity again, your VPN connection will not be 
enabled automatically. This means you internet connection is unsafe and you 
will have to reactivate the VPN manually. 

It's currently not possible to force the VPN and disallow normal traffic if now 
VPN is active. 


Email security on Android 

With the growing usage of mobile phones for e-mail, it's interesting to be able 
to use PC P also on your mobile. This way your can still read the messages 
send to you in PGP on your phone and not only on your computer. 

PGP on Android: APG 

PGP on mobile phones is very new - currently there are not many tools 
available for Android phones to use PGP. Its a pity there are not more options 
and easier softwares to configure and install, however if you do set it up then 
the same rules apply for using PGP on Android as normal PGP usage as 
described in the PGP/Secure emailing chapter. 

For Android you need at least the APG application. This is a small tool which 
makes PGP encryption possible on the phone. You can use APG to manage 
your private and public. The options in the application are quite 
straightforward if you are a little convenient with PGP in general. 

Management of keys is not very well implement yet. The best way is to 
manually copy all your public keys to the SD card in the APG folder. Then it's 
easy to import your keys. After you've imported your public and private keys, 
PGP encrypting, signing and decrypting will be available for other applications 
as long as these applications have integrated encryption/PGP. 

PGP enabled e-mail on Android: K-9 Mail 

The default mail application does not support PGP. Luckily there is an 
excellent alternative: K-9 Ivlail. This application is based on the original 
Android mail application but with some improvements. The application can 
use APG as it's PGP provider. Setting up K-9 Mail is straightforward and similar 
to setting up mail in the Android Default mail application. In the settings 
menu there is an option to enable "Cryptography" for PGP mail signing. 

If you want to access your PGP mails on your phone this application is a must 

Please note, due some small bugs in K-9 Mail and/or APG, it's very advisable to 
disable HTML mail and only Plain text. As HTML mails are not encrypted nicely 
and are often not readable. 





Suggestion: let's go through these questions when we are 
finished, to see which ones we address in the manual so 
we can refer to chapters, and which we can answer by 
referring to others. 


1 How to assess the risks of online communication, and how to counter 

This is a good question. This is always a factor between social and technological 
factors. Read the introduction/explanation about the manual, make an 
estimation of the risks and choose between basic or more complex safety 
measures. If you are experiencing suspicious behaviour in your computer at 
suspicious times, (pop-ups, loads of traffic when you are not even browsing, fans 
that are always on because you're processor is working very hard all the time etc.) 
please have a good look into your stuff and take appropriate action. 

2 How to keep updated about safety risks online? 

The Electronic Frontier Foundation (EFF, and European 
Digital Rights ( keep you updated about online defence 
strategies and of course we hopeyou and others will update this book frequently 

3 What can others find out about me online? 
Depends on what traces you leave. 

(a) in public for normal users: This is very simple, just type in your 
names and aliases in google. 

(b) semi-public for the technologically educated: Not all pages are 
indexed in Coogle. Have a good look into your social networks. Also 
remember entering your private data into some websites is sometimes 
stored in places whereyou cannot find this. 

(c) non-public for sophisticated intelligence services: This is 
difficult to know. Remember phone lines and internet connections can 
be tapped by government institutions, especially when you are not 
using security measures, which can be found in this book in the 
chapter about securing your connection or using TOR. 


4 Which data can companies give to governments or other parties? 

Basically all data you give them, although in some countries there some legals 
limitations to what they are allowed to give. Most companies only care about 
their profit and not about your privacy. Or, like Mark Zuckerberg from Facebook 
said: "Privacy is so 1984". 

The Electronic Frontier Foundation (EFF) has a section on the legal rules 
(https://ssd.eff.0rg/3rdparties) that govern when and how law enforcement 
agents can obtain this kind of information stored by and with third parties, but 
this is focussed on the US. Check with your local Digital Rights Croup (like Bits of 
Freedom in the Netherlands) for details about the country you are residing. 

Social Media 

5 How long does my Facebook profile stay online? Does Facebook keep my 
data forever? 

Facebook makes money with your private data. Although you are never sure, the 
chances are very big Facebook will keep your data forever To be sure, ask Mark 
Zuckerberg, but don't expect a truthful answer 

There are several websites on 'how to delete my Facebook account', but Facebook 
also regularly changes its settings. Possible sources: php?gid=l6929680703 or Maximizing privacy on 

You can prevent interaction with Facebook from other Web sites by installing Ad- 
ons to Firefox. Check theAd-on database of Firefox to look for this. 

6 What are the do's and don'ts with Social Media? 

do's: keep away from them. 

don't: create an account. 




7 Can we use local SIM cards and if so, how? 

Yes, you can use them, but please remember, in most countries your are required 
to give a copy of your ID. There is always a connection between your SIM card and 
the Telephone network. If you think you are under direct threat, please keep a 
close attention about what you do with your identity regarding phone networks. 
Even when your are not calling, but your phone is online, the network can track 
the location of your phone (and you). Also have a look on de IMEI chapter 

8 How to safely use smart phones, in my own country and during travels? 

If you are not brave enough to throw your iPhone or Blackberry away, make sure 
you have read the chapter on how to secure them through at least a VPN. A 
better option is to buy an Android, that allow better encryptions. 

Email .^ 

9 How to safely use webmail? (Hotmail, gmail etc.) 

Safe webmail = safe provider + safe technology + safe connection + nobody looking 
over your shoulder 

It also depends on who you are, who is threatening you, the country of your 
webmail provider, where is the data resides and how your provider relates to 
others (commercially or politically). If you use Cmail, you don't always know 
where the server is, but the (business) customers can choose to take a server in 
the US 

Generally, you might consider to use Thunderbird, which is much safer than 

10 What is mail encryption and how to do it? PC P? 


Depends what you want to encrypt. There is a difference between securely 
connecting to your mail and actually encrypting the mail data. POP stand for 
Pretty good Privacy and does indeed a pretty good job at keeping your data secure 
on your computer and while being send through the net. 

11 How to send or receive e-mails without giving away my location? 

This can be done by using Tor or a VPN. Tor is the most secure way, but is slower 
then a VPN solution. Be aware however that both solutions come with some small 
security issues. Please read the chapters about these issues. 

12 How are passwords for webmail, external websites and CMS systems 

This really depends. There are many risks if you do not connect safely to your e- 
mail and internet in general. Many people 'loose' their password by giving it away 
voluntarily because they are subject to social engineering; i.e.. they are made 
believe they are communicating with a trustworthy source (a friend in a chat) 
while actually it is a crook. It is difficult to protect yourself against this, but a 

More information about other threats and risks can be found in the chapters 
VPN, Setting up email and HTTPS- Everywhere. Also it is important to use safe 
passwords. Please have a close look to password security. 

13 What to do with e-mails that seem to be coming from you 'know' but look 

The sender's address can be easily forged. Reply to the mail asking confirmation, or 
if you suspect that the mailbox of the sender was actually hacked; call the owner 
of the mailbox and warn her And check our chapter on safe e-mail about how to 
sign e-mails. 

Personal safety and privacy: 


15 We are activists that work in an undemocratic country. Do we need to take 
our pictures offline? 

V^hat do you think yourself? Everything on social networking sites, for instance 
Facebook, is online and will remain available to Facebook and possibly also to 
others. So if you fear that your friendship with Iranian bloggers will endanger 
their future, unfriend them and takeyour Facebook account offline. Hopefully the 
data get's deleted at some point soon by the corporation running the social media 
network you were using... 


There is currently no safe way of using Social Media. Period. 

16 My private and business communication seem to become fused. 

Start seeing your online profile as something you need to "manage". Just asyou 
take care of how you look when going outside on the streets, make sureyour 
online self appears the way you want it for the appropriated public. 

17 How to delete online information about myself? 

Dependson what kind of information. Is your concern your profile on social 
networking sites? See our answers under Social Media'. Don 'tyou like the way 
you appear in the Coogle search results? That is really beyond the scope of our 
possibilities. Ask Coogle. 

Internet while travelling 

19 Can I use wireless internet in bars? 

You can only if you do it with care. Read our chapter on using VPN and secure 

20 What are the dangers of internet cafe's? 

We have a special chapter on internet cafes. 

It is possible to install Firefox on a CD-ROM or USB-drive. This will also enableyou 
to bring you're own bookmarks, setting, add-ons etc. etc. and it will limit the 
amount of data and tracesyou'll leave on the computer your using. So it could 
prove to be exceptionally useful when you have to use untrusted computers or 
internet cafes. 

It is also recommended to read the chapter on safe browsing. 

21 How to secure my laptop when travelling? 

It depends: install the right passwords, encrypt your mail on securing your 

22 How safe is Skype? 


Skype is safer than using a mobile phone, but we don't know exactly the specifics 
because Skype uses a closed protocol. From time to time intelligent services 
complain about their inability to listen in on Skype. Them being so open about this 
could also been seen as an way to lure people into using Skype because they 
secretly do have access to it. Bottem line; we think it is safe, but we have no way 
of knowing for sure. 

23 What are alternatives for e-mail when travelling? 

Depends on the form of data you want to send and which other possibilities are 
open to you. End to end encryption is always the safest option be it VPN, a tunnel 
or encrypted SMS. Make sure that if you know on forehand you won;t be able to 
use email that other trustworthy options are open so that you are not tempted to 
use an insecure connection. 

24 What is a proxy and what to do with it? 
Read the chapter on proxies. 

25 Should we avoid public proxies? 

There are very good open and public proxies. But you should always know who 
owns and operates it and decide for yourself if you trust these people. 

Sharing information versus security 

26 I work in a dangerous country but I need to get my message through. What 
to do? 

As all are questions hopefully make clear: it is always a trade off. Read this book, 
know the dangers and the possibilities, talk about it with professionals and then 
make a risk assessment. 


How the Net Works 

This chapter is included should you wish to understand a 
little more about how the internet works. 

Imagine a group of individuals who decide to share information on their 
computers by connecting them, and by sending information between these 
computers. Their efforts result in a set of devices able to communicate with 
each other via a computer network. Of course, the network can be even more 
valuable and useful if it is connected to other networks and hence to other 
computers and network users. This simple desire to connect and share 
information electronically is manifested today in the global Internet. As the 
Internet has grown rapidly, the complexity of its interconnections has also 
increased, and the Internet is literally built up from the interconnection of a 
tremendous number of networks. 

The fundamental task of the Internet can be described as facilitating the 
journey of digital information from its origin to its destination, using a 
suitable path and an appropriate mode of transportation. 

Local computer networks, called Local Area Networks, or LANs, physically 
connect a number of computers and other devices at the same physical 
location to one another. They can also connect to other networks via devices 
called routers that manage the information flow between networks. 
Computers in a LAN can communicate with each other directly for purposes 
like sharing files and printers, or playing multi-player networked video games. 
A LAN could be useful even if it were not connected to the outside world, but 
it clearly becomes more useful when it is. 


The Internet today is a decentralized world-wide network of such local 
computer networks, as well as larger networks such as university and 
corporate networks, and the networks of hosting providers. 

The organizations that arrange these interconnections between networks are 
called Internet Service Providers or ISPs. An ISP's responsibility is to deliver 
data to the appropriate place, usually by forwarding the data to another 
router (called "the next hop") closer to the data's final destination. Often, the 
next hop actually belongs to a different ISP. 

In order to do this, the ISP may purchase its own Internet access from a 
larger ISP, such as a national provider. (Some countries have only a single 
national-level provider, perhaps government-operated or government- 
affiliated, while others have several, which might be competing private 
telecommunications firms.) National providers may similarly receive their 
connections from one of the multinational companies that maintain and 
operate the servers and connections that are often mentioned as 
the backbone of the Internet. 

The backbone is made up of major network equipment installations and 
global connections between them via fiber-optic cables and satellites. These 
connections enable communications between Internet users in different 
countries and continents. National and international providers connect to 
this backbone through routers sometimes known as gateways, which are 
connections that allow disparate networks to communicate with each other. 
These gateways, just like other routers, may be a point at which Internet 
traffic is monitored or controlled. 

Building the Internet 

The originators of the Internet generally believed that there is only one 
Internet, that it is global, and that it should allow any two computers 
anywhere in the world to communicate directly with one another, assuming 
the owners of both computers want this to happen. 

In a 1996 memo, Brian Carpenter, then chairman of the Internet Architecture 
Board, wrote: 

in very general terms, the [Internet engineering] community 
believes that the goal is connectivity . . . [the] growth of the 
network seems to show that connectivity is its own reward, and 
is more valuable than any individual application. 



The originators of the Internet created and continue to create standards 
aimed to make it easier for others to also create their own networks, and to 
join them to each other. Understanding Internet standards helps make clear 
how the Internet works and how network sites and services become 
accessible or inaccessible. 

The most basic standard that unites all of the devices on the global Internet is 
called the Internet Protocol (IP). 

Standards for identifying devices on the network 

when your computer connects to the Internet, it is normally assigned a 
numeric IP address. Like a postal address, the IP address uniquely identifies a 
single computer on the Internet. Unlike the postal address, however, an IP 
address (particularly for a personal computing device) is not necessarily 
permanently associated with a specific computer. So, when your computer 
disconnects from the Internet and reconnects at a later time, it may receive a 
different (unique) IP address. The IP protocol version currently in 
predominant use is IPv4. In the IPv4 protocol, an IP address is written as four 
numbers in the range 0-255, separated by dots (e.g. 207. 123. 209.9). 

Domain names and IP addresses 

All Internet servers, such as those which host Web sites, also have IP 
addresses. For example, the IP address 
is Since remembering IP addresses is cumbersome and IP 
addresses might change over time, specific systems are in place to make it 
easier foryou to reach your destination on the Internet. This system is the 
Domain Name System (DNS), where a set of computers are dedicated to 
servingyour computer with the IP addresses associated with the human- 
memorable "names". 

For example, to access the Free Press Unlimited website you would type in 
the address, also known as a domain name, 
instead of Your computer then sends a message with this name 
to a DNS server. After the DNS server translates the domain name into an IP 
address, it shares that information with your computer. This system makes 
Web browsing and other Internet applications more human-friendly for 
humans, and computer-friendly for computers. 



Mathematically speaking, IPv4 allows for a pool of about 

4.2 billion different computers to be connected to the 

Internet. There is also technology that lets multiple 

computers share a single IP address. Despite this, the pool 

of available addresses was more or less exhausted at the 

beginning of 2011. As a result, the IPv6 protocol has been 

devised, with a much larger repository of possible unique 

addresses. IPv6 addresses are much longer, and even 

harder to remember, than traditional IPv4 addresses. An example of an IPv6 

address is: 


Although as of 2011 less than 1% of the Internet uses the IPv6 protocol, this 
will probably change dramatically in the near future. 

Protocols for sending information through the network 

The information you exchange as you use the Internet could take many forms: 

• an e-mail to your embassy 

• a picture or video of an event 

• a database of contact information 

• a file containing a set of instructions 

• a document containing a report on a sensitive topic 

• a computer program that teaches a skill. 

There is a wide variety of Internet software to accommodate proper handling 
of the various forms of information according to specific protocols, such as: 

• e-mail via Simple Mail Transport Protocol (SMTP) 

• instant messaging via Extensible Messaging and Presence Protocol 

• file sharing via File Transfer Protocol (FTP), 


peer-to-peer file sharing via BitTorrent protocol 

Usenet news via Network News Transfer Protocol (NNTP) 

a combination of protocols: voice communication using Voice Over 
Internet Protocol (VoIP), Session Initiation Protocol (SIP) and Real-time 
Transport Protocol (RTP) 

The Web 

Although many people use the terms "the Internet" and "the V^eb" 
interchangeably, actually the Web refers to just one way of communicating 
using the Internet. When you access the Web, you do so using software called 
a Web browser, such as Mozilla Firefox, Google Chrome, Opera, or Microsoft 
Internet Explorer. The protocol that the Web operates on is called the Hyper- 
Text Transfer Protocol or HTTP. You might also have heard of HTTPS, which is 
the secure version of HTTP that uses Transport Layer Security (TLS) encryption 
to protect your communications. 

Following your information on the Internet - the journey 

Let's follow the example of visiting a Web site from your home computer. 

Browse to the Web site 

1. You type in The computer sends the 
domain name "" to a selected DNS server, which 
returns a message containing the IP address for the Free Press 
Unlimited server (currently, 

2. The browser then sends a request for a connection to that IP address. 

3. The request goes through a series of routers, each one forwarding a 
copy of the request to a router closer to the destination, until it reaches 
a router that finds the specific computer needed. 

4. This computer sends information back to you, allowing your browser to 
send the full U RL and receive the data to display the page. 

The message from the Web site to you travels through other devices 
(computers or routers). Each such device along a path can be referred to as a 
"hop"; the number of hops is the number of computers or routers your 
message comes in contact with along its way and is often between 5 and 30. 


Why This Matters 

Normally all of these complex processes are hidden and you don't need to 
understand them In order to find the information you need. However, when 
people or organizations attempting to limit your access to information 
interfere with the operation of the system, your ability to use the Internet 
may be restricted. In that case, understandingjust what they have done to 
interfere with your access can become extremely relevant. 

Consider firewalls, which are devices that intentionally prevent certain kinds 
of communication between one computer and another Firewalls help a 
network owner enforce policies about what kinds of communication and use 
of a network are allowed. Initially, the use of firewalls was conceived as a 
computer security measure, because they can help repel electronic attacks 
against inadvertently misconfigured and vulnerable computers. But firewalls 
have come to be used for a much wider range of purposes and for enforcing 
policies far beyond the purview of computer security, including content 

Another example is DNS servers, which were described as helping provide IP 
addresses corresponding to requested domain names. However, in some 
cases, these servers can be used as censoring mechanisms by preventing the 
proper IP address from being returned, and effectively blocking access to the 
requested information from that domain. 


Censorship can occur at different points in the Internet infrastructure, 
covering whole networks, domains or subdomains, individual protocols, or 
specific content identified by filtering software. The best method to avoid 
censorship will depend on the specific censorship technique used. 
Understanding these differences will help you to choose appropriate 
measures for you to use the Internet effectively and safely. 

Ports and Protocols 

In order to share data and resources, computers need to agree on 
conventions about how to format and communicate information. These 
conventions, which we call protocols, are sometimes compared to the 
grammar of human languages. The Internet is based on a series of such 

The layered networking model 

Internet protocols rely on other protocols. For example, when you use a Web 
browser to access a Web site, the browser relies on the HTTP or HTTPS 
protocol to communicate with the Web server. This communication, in turn, 
relies on other protocols. Suppose we are using HTTPS for a particular Web 
site to ensure that we access it securely. 

In the above example, the HTTPS protocol relies on the TLS protocol to 
perform encryption of the communications so that they are private and 
unmodified as they travel across the network. The TLS protocol, in turn, relies 
on the TCP protocol to ensure that information is not accidentally lost or 
corrupted in transmission. Finally, TCP relies on the IP protocol to ensure that 
data is delivered to the intended destination. 


while using the encrypted HTTPS protocol, your computer still uses the 
unencrypted DNS protocol for retrieving an IP address for the domain name. 
The DNS protocol uses the UDPprotocol to mark the request for proper 
routing to a DNS server, and UDP relies on IP for actual transmission of data 
to the intended destination. 

Because of this hierarchical protocol relationship, we often refer to network 
protocols as existing in a set of layers. A protocol at each layer is responsible 
for a particular aspect of the communications functionality. 

wnat is the difference between HTTP and HTTPS? Meet Sacna and Jrfin; 

Saoha uses HTTP 
to browse the web 
His data isEil 
protected end to 
end and can be 
recorded and 
accesed any- 
where between 
his coiTiputer 
and the web. 


Jotin uses HTTPS to 

browse the web 

His data is protected 

end to end and can 

also be recorded 

tjyf appears as 

garble to any 


between his 

computer and 

the web. 


Using Ports 

Computers connect to each other via the TCP protocol mentioned above and 
stay connected for a period of time to allow higher-level protocols to carry 
out their tasks. TCP uses a concept of numbered ports to manage these 
connections and distinguish connections from one another The use of 
numbered ports also allows the computer to decide which particular 
software should handle a specific request or piece of data. (UDP also uses 
port numbers for this purpose.) 

The lANA (Internet Assigned Names Authority) assigns port numbers for 
various higher-level protocols used by application services. A few common 
examples of the standard assigned port numbers are: 

• 20 and 21 - FTP (file transfer) 

• 22 - SSH (secure shell remote access) 

• 23 - Telnet (insecure remote access) 

• 25 -SMTP (send e-mail) 

• 53 - DNS (resolves a computer's name to an IP address) 

• 80 - HTTP (normal Web browsing; also sometimes used for a proxy) 


• 110 - P0P3 (receive e-mail) 

• 143 - 1 MAP (send/receive e-mail) 

• 443 - HTTPS (secure Web connections) 

• 993 - secure IMAP 

• 995 -secure POP3 

• 1080 - SOCKS proxy 

• 1194 - OpenVPN 

• 3128 - Squid proxy 

• 8080 - Standard HTTP-style proxy 

Using these particular numbers is not generally a technical requirement of the 
protocols; in fact, any sort of data could be sent over any port (and using non 
standard ports can be a useful circumvention technique). However, these 
assignments are used by default, for convenience. For example, your Web 
browser knows that if you access a Web site without specifying any port 
number, it should automatically try using port 80. Other kinds of software 
have similar defaults so that you can normally use Internet services without 
knowing or remembering the port numbers associated with the services you 



Much of this content is based on http://en.cship.0rg/wiki/Special:Allpages 


An aggregator is a service that gathers syndicated information from one or 
many sites and makes it available at a different address. Sometimes called an 
RSS aggregator, a feed aggregator, a feed reader, or a new^s reader (Not to be 
confused with a Usenet News reader) 


(Not be confused with privacy, pseudonymity, security, or confidentiality.) 

Anonymity on the Internet is the ability to use services without leaving clues 
to one's identity. The level of protection depends on the anonymity 
techniques used and the extent of monitoring. The strongest techniques in 
use to protect anonymity involve creating a chain of communication using a 
random process to select some of the links, in which each link has access to 
only partial information about the process. The first knows the user's IP 
address but not the content, destination, or purpose of the communication, 
because the message contents and destination information are encrypted. 
The last knows the identity of the site being contacted, but not the source of 
the session. One or more steps in between prevents the first and last links 
from sharing their partial knowledge in order to connect the user and the 
target site. 

anonymous remailer 

An anonymous remailer is a service that accepts e-mail messages containing 
instructions for delivery, and sends them out without revealing their sources. 
Since the remailer has access to the user's address, the content of the 
message, and the destination of the message, remailers should be used as 
part of a chain of multiple remailers so that no one remailer knows all this 

ASP (application service provider) 

An ASP is an organization that offers software services over the internet, 
allowing the software to be upgraded and maintained centrally. 



A backbone is one of the high-bandwidth communications links that tie 
together networks in different countries and organizations around the world 
to form the Internet. 

See malware. 


The bandwidth of a connection is the maximum rate of data transfer on that 
connection, limited by its capacity and the capabilities of the computers at 
both ends of the connection. 

bash (Bourne-again shell) 

The bash shell is a command-line interface for Linux/Unix operating systems, 
based on the Bourne shell. 


BitTorrent is a peer-to-peer file-sharing protocol invented by Bram Cohen in 
2001. It allows individuals to cheaply and effectively distribute large files, such 
as CD images, video, or music files. 


A blacklist is a list of forbidden persons or things. In Internet censorship, lists 
of forbidden Web sites may be used as blacklists; censorware may allow 
access to all sites except for those specifically listed on its blacklist. An 
alternative to a blacklist is a whitelist, or a list of permitted things. A whitelist 
system blocks access to all sites except for those specifically listed on the 
whitelist. This is a less common approach to Internet censorship. It is possible 
to combine both approaches, using string matching or other conditional 
techniques on URLs that do not match either list. 


The blue URL bar (called the Bluebar in Psiphon lingo) is the form at the top of 
your Psiphon node browser window, which allows you to access blocked site 
by typing its URL inside. 

See also Psiphon node 



To block is to prevent access to an Internet resource, using any number of 


A bookmark is a placeholder within software that contains a reference to an 
external resource. In a browser, a bookmark is a reference to a Web page - by 
choosing the bookmark you can quickly load the Web site without needing to 
type in the full URL. 


See Tor bridge. 

brute-force attack 

A brute force attack consists of trying every possible code, combination, or 
password until you find the right one. These are some of the most trivial 
hacking attacks. 


A cache is a part of an information-processing system used to store recently 
used or frequently used data to speed up repeated access to it. A Web cache 
holds copies of Web page files. 


To censor is to prevent publication or retrieval of information, or take action, 
legal or otherwise, against publishers and readers. 


Censorware is software used to filter or block access to the Internet. This 
term is most often used to refer to Internet filtering or blocking software 
installed on the client machine (the PC which is used to access the Internet). 
Most such client-side censorware is used for parental control purposes. 

Sometimes the term censorware is also used to refer to software used for the 
same purpose installed on a network server or router. 


CGI (Common Gateway Interface) 

CGI is a common standard used to let programs on a Web server run as Web 
applications. Many Web-based proxies use CGI and thus are also called "CGI 
proxies". (One popular CGI proxy application written by James Marshall using 
the Perl programming language is called CGIProxy.) 


chat, also called instant messaging, is a common method of communication 
among two or more people in which each line typed by a participant in a 
session is echoed to all of the others. There are numerous chat protocols, 
including those created by specific companies (AOL, Yahool, Microsoft, 
Google, and others) and publicly defined protocols. Some chat client software 
uses only one of these protocols, while others use a range of popular 


Circumvention is publishing or accessing content in spite of attempts at 

Common Gateway Interface 

See CGI. 

command-line interface 

A method of controlling the execution of software using commands entered 
on a keyboard, such as a U nix shell or the Windows command line. 


A cookie is a text string sent by a Web server to the user's browser to store on 
the user's computer, containing information needed to maintain continuity in 
sessions across multiple Web pages, or across multiple sessions. Some Web 
sites cannot be used without accepting and storing a cookie. Some people 
consider this an invasion of privacy or a security risk. 

country code top-level domain (ccTLD) 

Each country has a two-letter country code, and a TLD (top-level domain) 
based on it, such as .ca for Canada; this domain is called a country code top- 
level domain. Each such ccTLD has a DNS server that lists all second-level 
domains within the TLD. The Internet root servers point to all TLDs, and cache 
frequently-used information on lower-level domains. 


DARPA (Defense Advanced Projects Research Agency) 

DARPA is the successor to ARPA, which funded the Internet and its 
predecessor, the ARPAnet. 


Decryption is recovering plain text or other messages from encrypted data 
with the use of a key. 

See also encryption, 

A domain can be a Top-Level Domain (TLD) or secondary domain on the 

See also Top-Level Domain, country code Top-Level Domain and secondary 

DNS (Domain Name System) 

The Domain Name System (DNS) converts domain names, made up of easy- 
to-remember combinations of letters, to IP addresses, which are hard-to- 
remember strings of numbers. Every computer on the Internet has a unique 
address (a little bit like an area code+telephone number). 

DNS leak 

A DNS leak occurs when a computer configured to use a proxy for its Internet 
connection nonetheless makes DNS queries without using the proxy, thus 
exposing the user's attempts to connect with blocked sites. Some V\/eh 
browsers have configuration options to force the use of the proxy. 

DNS server 

A DNS server, or name server, is a server that provides the look-up function of 
the Domain Name System. It does this either by accessing an existing cached 
record of the IP address of a specific domain, or by sending a request for 
information to another name server. 

DNS tunnel 

A DNS tunnel is a way to tunnel almost everything over DNS/Nameservers. 


Because you "abuse" the DNS system for an unintended purpose, it only 
allows a very slow connection of about 3 kb/s which is even less than the 
speed of an analog modem. That is not enough forYouTube or file sharing, 
but should be sufficient for instant messengers like ICQ or MSN Messenger 
and also for plain text e-mail. 

On the connection you want to use a DNS tunnel, you only need port 53 to be 
open; therefore it even works on many commercial Wi-Fi providers without 
the need to pay. 

The main problem is that there are no public modified nameservers that you 
can use. You have to set up your own. You need a server with a permanent 
connection to the Internet running Linux. There you can install the free 
software OzymanDNS and in combination with SSH and a proxy like Squid 
you can use the tunnel. More Information on this on 


Eavesdropping is listening to voice traffic or reading or filtering data traffic on 
a telephone line or digital data connection, usually to detect or prevent illegal 
or unwanted activities or to control or monitor what people are talking 


E-mail, short for electronic mail, is a method to send and receive messages 
over the Internet. It is possible to use a Web mail service or to send e-mails 
with the SMTP protocol and receive them with the POP3 protocol by using an 
e-mail client such as Outlook Express orThunderbird. It is comparatively rare 
for a government to block e-mail, but e-mail surveillance is common. If e-mail 
is not encrypted, it could be read easily by a network operator or 

embedded script 

An embedded script is a piece of software code. 


Encryption is any method for recoding and scrambling data or transforming it 
mathematically to make it unreadable to a third party who doesn't know the 
secret key to decrypt it. It is possible to encrypt data on your local hard drive 
using software like TrueCrypt ( or to encrypt 
Internet traffic with SSL or SSH. 

See also decryption. 


exit node 

An exit node is a Tor node that forwards data outside tine Tor network. 

See also middleman node, 
file sharing 

File sharing refers to any computer system where multiple people can use the 
same information, but often refers to making music, films or other materials 
available to others free of charge over the Internet. 

file spreading engine 

A file spreading engine is a Web site a publisher can use to get around 
censorship. A user only has to upload a file to publish once and the file 
spreading engine uploads that file to some set of sharehosting services (like 
Rapidshare or Megaupload). 


To filter is to search in various ways for specific data patterns to block or 
permit communications. 


Firefox is the most popular free and open source Web browser, developed by 
the Mozilla Foundation. 


On a Web site, a forum is a place for discussion, where users can post 
messages and comment on previously posted messages. It is distinguished 
from a mailing list or a Usenet newsgroup by the persistence of the pages 
containing the message threads. Newsgroup and mailing list archives, in 
contrast, typically display messages one per page, with navigation pages 
listing only the headers of the messages in a thread. 


A frame is a portion of a Web page with its own separate URL. For example, 
frames are frequently used to place a static menu next to a scrolling text 


FTP (File Transfer Protocol) 

The FTP protocol is used for file transfers. Many people use it mostly for 
downloads; it can also be used to upload Web pages and scripts to some Web 
servers. It normally uses ports 20 and 21, which are sometimes blocked. Some 
FTP servers listen to an uncommon port, which can evade port-based 

A popular free and open source FTP client for Windows and Mac OS is 
FileZilla. There are also some Web-based FTP clients that you can use with a 
normal Web browser like Firefox. 


A gateway is a node connecting two networks on the Internet. An important 
example is a national gateway that requires all incoming or outgoing traffic to 
go through it. 


A honeypot is a site that pretends to offer a service in order to entice 
potential users to use it, and to capture information about them or their 


A hop is a link in a chain of packet transfers from one computer to another, or 
any computer along the route. The number of hops between computers can 
give a rough measure of the delay (latency) in communications between 
them. Each individual hop is also an entity that has the ability to eavesdrop 
on, block, or tamper with communications. 

HTTP (Hypertext Transfer Protocol) 

HTTP is the fundamental protocol of the World Wide Web, providing methods 
for requesting and serving Web pages, querying and generating answers to 
queries, and accessing a wide range of services. 

HTTPS (Secure HTTP) 

Secure HTTP is a protocol for secure communication using encrypted HTTP 
messages. Messages between client and server are encrypted in both 
directions, using keys generated when the connection is requested and 
exchanged securely. Source and destination IP addresses are in the headers of 
every packet, so HTTPS cannot hide the fact of the communication, just the 
contents of the data transmitted and received. 


lANA (Internet Assigned Numbers Authority) 

lANA is the organization responsible for technical work in managing the 
infrastructure of the Internet, including assigning blocks of IP addresses for 
top-level domains and licensing domain registrars for ccTLDs and for the 
generic TLDs, running the root name servers of the Internet, and other duties. 

ICANN (Internet Corporation for Assigned Names and 

ICANN is a corporation created by the US Department of Commerce to 
manage the highest levels of the Internet. Its technical work is performed by 

Instant Messaging (IM) 

Instant messaging is either certain proprietary forms of chat using proprietary 
protocols, or chat in general. Common instant messaging clients include MSN 
Messenger, ICQ, AIM or Yahoo! Messenger. 


See man in the middle. 


The Internet is a network of networks interconnected using TCP/IP and other 
communication protocols. 

IP (Internet Protocol) Address 

An IP address is a number identifying a particular computer on the Internet. 
In the previous version 4 of the Internet Protocol an IP address consisted of 
four bytes (32 bits), often represented as four integers in the range 0-255 
separated by dots, such as In IPv6, which the Net is currently 
switching to, an IP address is four times longer, and consists of 16 bytes (128 
bits). It can be written as 8 groups of 4 hex digits separated by colons, such as 
2001 : 0db8 : 85a3 : 0000 : 0000 : 8a2e : 0370 : 7334 . 

IRC (Internet relay chat) 

IRC is a more than 20-year-old Internet protocol used for real-time text 
conversations (chat or instant messaging). There exist several IRC networks ■ 
the largest have more than 50 000 users. 


ISP (Internet Service Provider) 

An ISP (Internet service provider) is a business or organization that provides 
access to the Internet for its customers. 


JavaScript is a scripting language, commonly used in Web pages to provide 
interactive functions. 

keyword filter 

A keyword filter scans all Internet traffic going through a server for forbidden 
words or terms to block. 


Latency is a measure of time delay experienced in a system, here in a 
computer network. It is measured by the time between the start of packet 
transmission to the start of packet reception, between one network end (e.g. 
you) to the other end (e.g. the Web server). One very powerful way of Web 
filtering is maintaining a very high latency, which makes lots of 
circumvention tools very difficult to use. 

log file 

A log file is a file that records a sequence of messages from a software 
process, which can be an application or a component of the operating 
system. For example, Web servers or proxies may keep log files containing 
records about which IP addresses used these services when and what pages 
were accessed. 

low-bandwidth filter 

A low-bandwidth filter is a Web service that removes extraneous elements 
such as advertising and images from a Web page and otherwise compresses 
it, making page download much quicker. 


Malware is a general term for malicious software, including viruses, that may 
be installed or executed without your knowledge. Malware may take control 
of your computer for purposes such as sending spam. (Malware is also 
sometimes called badware.) 


man in the middle 

A man in the middle or man-in-the-mlddle is a person or computer capturing 
traffic on a communication channel, especially to selectively change or block 
content In a way that undermines cryptographic security. Generally the man- 
in-the-mlddle attack involves Impersonating a Web site, service, or Individual 
in order to record or alter communications. Governments can run man-ln- 
the-mlddle attacks at country gateways where all traffic entering or leaving 
the country must pass. 

middleman node 

A middleman node Is a Tor node that is not an exit node. Running a 
middleman node can be safer than running an exit node because a middleman 
node will not show up In third parties' log files. (A middleman node Is 
sometimes called a non-exit node.) 


To monitor Is to check a data stream continuously for unwanted activity. 

network address translation (NAT) 

NAT Is a router function for hiding an address space by remapping. All traffic 
going out from the router then uses the router's IP address, and the router 
knows how to route incoming traffic to the requestor. NAT Is frequently 
implemented by firewalls. Because incoming connections are normally 
forbidden by NAT, NAT makes It difficult to offer a service to the general 
public, such as a Web site or public proxy. On a network where NAT Is In use, 
offering such a service requires some kind of firewall configuration or NAT 
traversal method. 

network operator 

A network operator is a person or organization who runs or controls a 
network and thus Is In a position to monitor, block, or alter communications 
passing through that network. 


A node Is an active device on a network. A router Is an example of a node. In 
the Psiphon and Tor networks, a server Is referred to as a node. 

non-exit node 

See middleman node. 



Obfuscation means obscuring text using easily-understood and easily- 
reversed transformation techniques that will withstand casual inspection but 
not cryptanalysis, or making minor changes in text strings to prevent simple 
matches. Web proxies often use obfuscation to hide certain names and 
addresses from simple text filters that might be fooled by the obfuscation. As 
another example, any domain name can optionally contain a final dot, as in 
"", but some filters might search only for "" 
(without the final dot). 

open node 

An open node is a specific Psiphon node which can be used without logging 
in. It automatically loads a particular homepage, and presents itself in a 
particular language, but can then be used to browse elsewhere. 

See also Psiphon node, 

A packet is a data structure defined by a communication protocol to contain 
specific information in specific forms, together with arbitrary data to be 
communicated from one point to another. Messages are broken into pieces 
that will fit in a packet for transmission, and reassembled at the other end of 
the link. 


A peer-to-peer (or P2P) network is a computer network between equal peers. 
Unlike client-server networks there is no central server and so the traffic is 
distributed only among the clients.This technology is mostly applied to file 
sharing programs like BitTorrent, eMule and Gnutella. But also the very old 
Usenet technology or the VoIP program Skype can be categorized as peer-to- 
peer systems. 

See also file sharing. 


PHP is a scripting language designed to create dynamic Web sites and web 
applications. It is installed on a Web server. For example, the popular Web 
proxy PHProxy uses this technology. 


plain text 

Plain text is unformatted text consisting of a sequence of character codes, as 
in ASCII plain text or Unicode plain text. 


Plaintext is unencrypted text, or decrypted text. 

See also encryption, SSL, SSH. 


Protection of personal privacy means preventing disclosure of personal 
information without the permission of the person concerned. In the context 
of circumvention, it means preventing observers from finding out that a 
person has sought or received information that has been blocked or is illegal 
in the country where that person is at the time. 


Post office Protocol version 3 is used to receive mail from a server, by default 
on port 110 with an e-mail program such as Outlook Express orThunderbird. 


A hardware port on a computer is a physical connector for a specific purpose, 
using a particular hardware protocol. Examples are a VGA display port or a 
USB connector. 

Software ports also connect computers and other devices over networks 
using various protocols, but they exist in software only as numbers. Ports are 
somewhat like numbered doors into different rooms, each for a special 
service on a server or PC. They are identified by numbers from to 65535. 


A formal definition of a method of communication, and the form of data to be 
transmitted to accomplish it. Also, the purpose of such a method of 
communication. For example, Internet Protocol (IP) for transmitting data 
packets on the Internet, or Hypertext Transfer Protocol for interactions on 
the Vk/orld V\/ide Web. 


proxy server 

A proxy server is a server, a computer system or an application program 
which acts as a gateway between a client and a Web server. A client connects 
to the proxy server to request a Web page from a different server. Then the 
proxy server accesses the resource by connecting to the specified server, and 
returns the information to the requesting site. Proxy servers can serve many 
different purposes, including restricting Web access or helping users route 
around obstacles. 

Psiphon node 

A Psiphon node is a secured web proxy designed to evade Internet 
censorship. It is developed by Psiphon inc. Psiphon nodes can be open or 

private node 

A private node is a Psiphon node working with authentication, which means 
that you have to register before you can use it. Once registered, you will be 
able to send invitations to your friends and relatives to use this specific node. 

See also Psiphon node. 
publicly routable IP address 

Publicly routable IP addresses (sometimes called public IP addresses) are 
those reachable in the normal way on the Internet, through a chain of 
routers. Some IP addresses are private, such as the 192.168.X.X block, and 
many are unassigned. 

regular expression 

A regular expression (also called a regexp or RE) is a text pattern that specifies 
a set of text strings in a particular regular expression implementation such as 
the UNIX grep utility. A text string "matches" a regular expression if the string 
conforms to the pattern, as defined by the regular expression syntax. In each 
RE syntax, some characters have special meanings, to allow one pattern to 
match multiple other strings. For example, the regular expression lo+se 
matches lose, loose, and looose. 



An anonymous remailer is a service wJiich allows users to send e-mails 
anonymously. The remailer receives messages via e-mail and forwards them 
to their intended recipient after removing information that would identify the 
original sender Some also provide an anonymous return address that can be 
used to reply to the original sender without disclosing her identity. Well- 
known Remailer services include Cypherpunk, Mixmasterand Nym. 


A router is a computer that determines the route for forwarding packets. It 
uses address information in the packet header and cached information on the 
server to match address numbers with hardware connections. 

root name server 

A root name server or root server is any of thirteen server clusters run by 
lANA to direct traffic to all of the TLDs, as the core of the DNS system. 

RSS (Real Simple Syndication) 

RSS is a method and protocol for allowing Internet users to subscribe to 
content from a Web page, and receive updates as soon as they are posted. 


On the Web, a scheme is a mapping from a name to a protocol. Thus the 
HTTP scheme maps URLs that begin with HTTP: to the Hypertext Transfer 
Protocol. The protocol determines the interpretation of the rest of the URL, so 
that identifies a Web site and a 
specific file in a specific directory, and is an e- 
mail address of a specific person or group at a specific domain. 


A UNIX shell is the traditional command line user interface forthe UNIX/Linux 
operating systems. The most common shells are sh and bash. 



A SOCKS proxy is a special kind of proxy server. In the ISO/OSI model it 
operates between the application layer and the transport layer. The standard 
port for SOCKS proxies is 1080, but they can also run on different ports. Many 
programs support a connection through a SOCKS proxy. If not you can install 
a SOCKS client like FreeCap, ProxyCap orSocksCap which can force programs 
to run through the Socks proxy using dynamic port forwarding. It is also 
possible to use SSH tools such as OpenSSH as a SOCKS proxy server. 


A screenlogger is software able to record everything your computer displays 
on the screen. The main feature of a screenlogger is to capture the screen and 
log it into files to view at any time in the future. Screen loggers can be used as 
powerful monitoring tool. You should be aware of any screen logger running 
on any computer you are using, anytime. 


A script is a program, usually written in an interpreted, non-compiled 
language such as JavaScript, Java, or a command interpreter language such as 
bash. Many Web pages include scripts to manage user interaction with a Web 
page, so that the server does not have to send a new page for each change. 


A smartphone is a mobile phone that offers more advanced computing ability 
and connectivity than a contemporary feature phone, such as Web access, 
ability to run elaborated operating systems and run built-in applications. 


Spam is messages that overwhelm a communications channel used by 
people, most notably commercial advertising sent to large numbers of 
individuals or discussion groups. Most spam advertises products or services 
that are illegal in one or more ways, almost always including fraud. Content 
filtering of e-mail to block spam, with the permission of the recipient, is 
almost universally approved of. 


SSH (Secure Shell) 

SSH or Secure Shell Is a network protocol that allows encrypted 
communication between computers. It was invented as a successor of the 
unencrypted Telnet protocol and is also used to access a shell on a remote 

The standard SSH port is 22. It can be used to bypass Internet censorship 
with port forwarding or it can be used to tunnel other programs like VNC. 

SSL (Secure Sockets Layer) 

SSL (or Secure Sockets Layer), is one of several cryptographic standards used 
to make Internet transactions secure. It is was used as the basis for the 
creation of the related Transport Layer Security (TLS). You can easily see if you 
are using SSL/TLS by looking at the URL in your Browser (like Firefox or 
Internet Explorer): If it starts with https instead of http, your connection is 


Steganography, from the Greek for hidden writing, refers to a variety of 
methods of sending hidden messages where not only the content of the 
message is hidden but the very fact that something covert is being sent is also 
concealed. Usually this is done by concealing something within something 
else, like a picture or a text about something innocent or completely 
unrelated. Unlike cryptography, where it is clear that a secret message is 
being transmitted, steganography does not attract attention to the fact that 
someone is trying to conceal or encrypt a message. 


A subdomain is part of a larger domain. If for example "" is the 
domain for the Wikipedia, "" is the subdomain for the English 
version of the Wikipedia. 

threat analysis 

A security threat analysis is properly a detailed, formal study of all known 
ways of attacking the security of servers or protocols, or of methods for using 
them for a particular purpose such as circumvention. Threats can be 
technical, such as code-breaking or exploiting software bugs, or social, such 
as stealing passwords or bribing someone who has special knowledge. Few 
companies or individuals have the knowledge and skill to do a comprehensive 
threat analysis, but everybody involved in circumvention has to make some 
estimate of the issues. 


Top-Level Domain (TLD) 

In Internet names, the TLD is the last component of the domain name. There 
are several generic TLDs, most notably .com, .org, .edu, .net, .gov, .mil, .Int, 
and one two-letter country code (ccTLD) for each country in the system, such 
as .ca for Canada. The European Union also has the tvi/o-letter code .eu. 

TLS (Transport Layer Security) 

TLS or Transport Layer Security Is a cryptographic standard based on SSL, used 
to make Internet transactions secure. 

TCP/IP (Transmission Control Protocol over Internet Protocol) 

TCP and IP are the fundamental protocols of the Internet, handling packet 
transmission and routing. There are a few alternative protocols that are used 
at this level of Internet structure, such as UDP. 

Tor bridge 

A bridge Is a middleman Tor node that Is not listed in the main public Tor 
directory, and so Is possibly useful in countries where the public relays are 
blocked. Unlike the case of exit nodes, IP addresses of bridge nodes never 
appear In server log files and never pass through monitoring nodes in a way 
that can be connected with circumvention. 

traffic analysis 

Traffic analysis is statistical analysis of encrypted communications. In some 
circumstances traffic analysis can reveal Information about the people 
communicating and the Information being communicated. 


A tunnel Is an alternate route from one computer to another, usually Including 
a protocol that specifies encryption of messages. 

UDP (User Datagram Packet) 

UDP Is an alternate protocol used with IP. Most Internet services can be 
accessed using either TCP or UDP, but there are some that are defined to use 
only one of these alternatives. UDP Is especially useful for real-time 
multimedia applications like Internet phone calls (VoIP). 


URL (Uniform Resource Locator) 

The URL (Uniform Resource Locator) is the address of a Web site. For 
example, the URL for the World News section of the NY Times is Many censoring systems 
can block a single U RL Sometimes an easy way to bypass the block is to 
obscure the U RL. It is for example possible to add a dot after the site name, so 
the URL becomes If 
you are lucky with this little trick you can access blocked Web sites. 


Usenet is a more than 20-year-old discussion forum system accessed using 
the NNTP protocoL The messages are not stored on one server but on many 
servers which distribute their content constantly. Because of that it is 
impossible to censor Usenet as a whole, however access to Usenet can and is 
often blocked, and any particular server is likely to carry only a subset of 
locally-acceptable Usenet newsgroups. Google archives the entire available 
history of Usenet messages for searching. 

VoIP (Voice over Internet Protocol) 

VoIP refers to any of several protocols for real-time two-way voice 
communication on the Internet, which is usually much less expensive than 
calling over telephone company voice networks. It is not subject to the kinds 
of wiretapping practiced on telephone networks, but can be monitored using 
digital technology. Many companies produce software and equipment to 
eavesdrop on VoIP calls; securely encrypted VoIP technologies have only 
recently begun to emerge. 

VPN (virtual private network) 

A VPN (virtual private network) is a private communication network used by 
many companies and organizations to connect securely over a public 
network. Usually on the Internet it is encrypted and so nobody except the 
endpoints of the communication can look at the data traffic. There are 
various standards like IPSec, SSL, TLS or PPTP. The use of a VPN provider is a 
very fast secure and convenient method to bypass Internet censorship with 
little risks but it generally costs money every month. 


A whitelist is a list of sites specifically authorized for a particular form of 
communication. Filtering traffic can be done either by a whitelist (block 
everything but the sites on the list), a blacklist (allow everything but the sites 
on the list), a combination of the two, or by other policies based on specific 
rules and conditions. 


World Wide Web (WWW) 

The World Wide Web is the network of hyperlinked domains and content 
pages accessible using the Hypertext Transfer Protocol and its numerous 
extensions. The World Wide Web is the most famous part of the Internet. 


Webmail is e-mail service through a Web site. The service sends and receives 
mail messages for users in the usual way, but provides a Web interface for 
reading and managing messages, as an alternative to running a mail client 
such as Outlook Express orThunderbird on the user's computer. For example 
a popular and free webmail service is 

Web proxy 

A Web proxy is a script running on a Web server which acts as a 
proxy/gateway. Users can access such a Web proxy with their normal Web 
browser (like Firefox) and enter any URL in the form located on that Web site. 
Then the Web proxy program on the server receives that Web content and 
displays it to the user This way the ISP only sees a connection to the server 
with the Web proxy since there is no direct connection. 


WHOIS (who is) is the aptly named Internet function that allows one to query 
remote WHOIS databases for domain registration information. By performing 
a simple WHOIS search you can discover when and by whom a domain was 
registered, contact information, and more. 

A WHOIS search can also reveal the name or network mapped to a numerical 
IP address 


Made with Booki