Triple your privacy with a Chromebook and two VPNs

acer chromebook 11 n7  c731  large2
Credit: Acer

Now that Republicans in Congress have sold us out, everyone is writing about technical ways to prevent your internet service provider (ISP) from watching your on-line activity. The FBI and the British Government complain about bad guys going dark, but now the rest of us have to do so too, if we want any shred of privacy.

The generic, knee-jerk reaction is to use either a VPN or Tor. Both offer encryption that stealths you to your ISP. I wrote about them back in September (A Defensive Computing term paper on privacy: VPNs, Tor and VPN routers) but here I'm taking things a bit further. 

As a Defensive Computing guy, I have been focused on privacy invasions by an ISP for a while now. I'm well past generic reactions. Here I propose a Chromebook and two VPNs to dial your security and anonymity up to 11.

Part of the privacy boost comes from the Chromebook, part from the VPNs.

By the way, have you heard the latest re-definition of ISP? Invade Subscriber Privacy. Hats off to whoever came up with that. 

CHROMEBOOK ISOLATION AND LOCKDOWN

For the Chromebook, I suggest creating a Google account that is used only on the laptop and nowhere else. The point is to isolate the machine as much as possible.

Nothing new here, anyone serious about privacy should always isolate their private activity to a computer (real or virtual) devoted to that purpose. I would argue that the fatal flaw with Tor browser is that it typically runs on the same computer people use for other stuff.

For added protection, disable Chrome browser extensions. As I wrote about recently, there are extensions that can spy on you

And, of course, disable the Adobe Flash Player (it's a plug-in, not an extension). To block Flash in Chrome, click the three vertical dots in the top right corner, then Settings, then "Show advanced settings..," then the gray "Content settings..." button, then, in the Flash section, opt to "Block sites from running Flash."

Private browsing mode ("incognito" to Chrome) is, of course, the friend of anyone wanting to hide their tracks. More on this later.

OS LEVEL VPN

The secret sauce here is using two VPNs concurrently.

Chrome OS, the operating system on a Chromebook, supports two types of VPN: OpenVPN and L2TP. I can only speak from experience about using L2TP.

vpn.add.on.chromeos Michael Horowitz/IDG

Creating a new L2TP VPN definition on Chrome OS 56

You define a new VPN connection to the system with Settings -> Add connection -> OpenVPN/L2TP. This puts you at the window shown above where you need to enter five pieces of data: a VPN server name, a pre-shared key, a VPN userid, a VPN password, and a name by which to refer to this clump of stuff. The name can be anything that makes sense to you. The technical information is provided by the VPN service. 

All this information should be saved for later use by checking the "Save identity and password" box.

Note that there is a bug in Chrome OS version 56. After entering the data for a new VPN connection, the button at the bottom of the window says "Connect." It should say "OK." Clicking the Connect button does not connect you to the just entered VPN, it merely saves the data you entered. Chrome OS version 57, released on March 29, 2017, fixes this.

Typically a VPN provider has dozens, if not hundreds of VPN servers that you can connect to. On Chrome OS, each server requires a different VPN definition. I always end up with connections named after the city where the VPN server resides.

Once the data defining a VPN connection is saved, you connect to it by clicking in the bottom right corner of the screen, what Windows folks would call the system tray. Then click on "VPN disconnected," then the name of a VPN connection.

In Chrome OS 56, there is no progress bar while the VPN connection is being made, but a small (very small actually) key appears under the Wi-Fi signal strength indicator when the connection completes. Chrome OS 57 offers an easily visible message while the connection to the VPN is being made. This typically takes under 5 seconds. 

I recommend checking your public IP address before and after making the VPN connection to insure that it changes. You can do this at many sites including ipchicken.com, checkip.dyndns.com and ip2location.com. Also, after the connection is made, clicking the bottom right corner of the screen again will say "Connected to xxx" where xxx is the name you gave to the VPN connection definition.

BROWSER ONLY VPN

Now that Chrome OS is using a VPN, you can start another VPN from within the Chrome browser.

A handful of VPN providers offer their service as a web browser add-on. VPN connections made within a browser only protect web pages in that browser. In this way, they function much like the Tor browser. But, in Chrome OS, pretty much everything runs through the Chrome browser.

Making a browser-only VPN connection can be as easy as clicking a button or two, assuming you let the browser save the userid/password needed for this second VPN provider.

As with the initial Operating System level VPN, check the public IP address before and afterwards to insure the browser-only VPN connection has kicked in. It's a nerd thrill to watch a computer go from its initial public IP address to a second and then to a third. Kind of like traveling around the world without actually going anywhere, especially if you check the public IP address using ip2location.com.

You sign up for this VPN service in a normal browser window. If you prefer, Chrome can save the necessary login information for you. Whether it does or not, you will need to initiate the VPN connection from a normal browser window, doing so from incognito mode does not work.

Incognito mode also blocks extensions by default. To let the browser-based VPN function in incognito mode, enter

    chrome://extensions

in the address bar. Find the extension for the VPN and check the "Allow in incognito" box. Thereafter, new incognito windows will be protected by the second VPN. You should, of course, verify this by checking the public IP address.

TAKING STOCK

So, exactly what have we done here?

Your ISP can see that you are using the Operating System level VPN (the first one). As with any VPN, they are blind to your online activity. In this case, they have no clue that you are using a browser based VPN.

The provider of the operating system VPN knows where you are and may even know who you are, if you pay for the service. But all they see is that you made a connection to the VPN server of the browser level VPN provider. They too, are blind to your online activities.

The browser based VPN provider does see what you do online, just as a Tor exit node does. But, they don't know where you are. From their perspective, you came from a VPN server run by the operating system VPN provider.

If you play your cards right, they also don't know who you are. 

ANONYMITY

Tor was developed to hide your location, but since there is no sign-up or registration process, none of the computers in the Tor network know who you are either. At least, not at first. 

If you anonymously sign up with a VPN provider, then the scheme described here is virtually Tor. The browser based VPN provider does not know who you are or where you are.

Far too many articles ignore the fact that your identity can be hidden from a VPN provider. Perhaps you use a limited, free version of the service that only requires you to provide an email address. Even when paying, you can be anonymous. 

Many VPN providers allow payment with Bitcoin or gift cards. Below is a screen shot from the website of Private Internet Access showing that they accept gift cards.

vpn.pia.giftgards Michael Horowitz/IDG

VPN provider Private Internet Access is one of many that accept gift cards for payment

For still more anonymity, there are VPN providers that take cash. In one case, you go to their website and get assigned a customer number. Then you mail them cash and tell them to apply it to that customer number.

STANDING OUT

Even with all that, you still need to be aware that the use of VPNs and Tor is visible to an ISP. On the other side, your location (inferred from your IP address) is visible to the first computer you talk to. 

In the case of a VPN, that first computer is a VPN server (the computer that initiates a VPN connection is called the client). Tunneling one VPN through another hides your location/IP address from the second VPN provider, in this case the browser-based VPN. 

In the case of Tor, the first computer is called the entry node. For the best possible anonymity, don't use either Tor or a VPN at home.

Interesting story about that. Once upon a time, there was a college student who hadn't studied for a test. So, he tried to cancel the test by generating a phony bomb scare. The techies at the university were able to identify who on their network had been using Tor around the time of the bomb scare. This narrowed down the list of suspects sufficiently to identify the guilty party.

The more people that use VPNs, the less they will stand out from the crowd. Thanks to Congress, more people will, undoubtedly, be using a VPN. 

FINALLY

Doubling up on VPNs is not something anyone would want to do constantly. It takes time to set up and there will be a performance hit going through two different VPNs.

In my limited experience with this, it has been faster than Tor, but your mileage will obviously vary. In part, this comes from the fact that VPNs compete based on speed. And, most VPNs let you chose a server that is physically close to you, something that is not an option with Tor. 

Speaking of Tor, techies often say that it offers the best anonymity, but Tor is far from perfect. For one thing Tor has a huge target painted on its back. Every spy agency in the world is focused on breaking it. And, the anonymity offered by Tor greatly depends on how you get to it.

The safest way to use Tor is by booting the Tails version of Linux off a CD, DVD or USB flash drive, but, this is too hard for many people. The Tor Browser is easier to use but not as secure. Just a few months ago, Darlene Storm wrote that a Firefox zero-day can be used to unmask Tor browser users

Some also suggest using HTTPS secure websites to hide from an ISP, but the privacy this offers is weak. While the contents of web pages are encrypted, the domain name is not. Just knowing that you visited the i-like-to-have-sex-with-turtles.com website is enough for blackmail.

As always, if the operating system itself is hacked, all bets are off, regardless of VPNs and Tor. Chrome OS checks itself at system startup to insure that it hasn't been hacked. The paranoid among us can refresh the system at any time with the built-in Powerwash feature.

Rest assured, if you are a Yankee fan living in Boston, doubling up on VPNs should keep your secret safe from Red Sox nation.

Next up: VPN providers that support Chrome OS

UPDATE: April 2, 2017. Edits to make some points clearer. 

- - - - - - - 
Now that Computerworld, and all of parent company IDG's websites, have eliminated user comments, you can get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on twitter at @defensivecomput

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon