Friday, January 4, 2013

The Dangers of Web Anonymity

Let me start by saying it's technically impossible, in most cases at least, to be truly anonymous on the web (short of having your own botnet, and even that's not a sure thing). There are some common measures you can take, but each of them carries inherent risks that I find are rarely discussed.

I generally assume a technical audience on this blog, because hacking and security exploits demand that you understand the basics. Indeed, finding vulnerabilities and exploiting them only becomes practical once you've mastered the basics well enough to recognize a deviation when you see one.

That said, this topic applies to anyone who uses the Internet, and everyone has a right to claim whatever shreds of privacy they can these days, so I'll briefly provide some background on how web browsing works. Skip it if you know it.

--Begin skip section -- 

A web browser is a program (Firefox, Chrome, Safari... and god help us, Internet Explorer) that runs on your computer. You use it to view web pages like Google, SecurityTube.net (which honestly, if you want to know hacking, go there; it's where I learned a lot of what I know), etc. What the browser actually receives is HTML, CSS and JavaScript; server-side languages like PHP run on the other end and generate that output. They're just files, really. But they have to live somewhere physically, and that somewhere is a web server.

How do you connect to a web server to retrieve these pages? You'll have to know its name (e.g., google.com). In reality, a DNS lookup turns this name into an IP address (something of the form ###.###.###.### under IPv4), which is what layer 3 of the Internet actually knows how to route. Great, now you've contacted the server and requested a web page; the server has to send it back to you somehow, but how does it know where you are? Well, you have an IP address as well. If you check your own IP via ifconfig or ipconfig you'll generally see something of the form 192.168.x.y, which is only your private address. The real public-facing IP is the one assigned to the gateway router you've connected through, and you can find it by visiting some website that tells you your IP. NAT handles the translation between public and private address space in both directions.

--End skip section--

So, all that means is that your IP address is what a remote server sees, and it can be traced back to you relatively easily unless you take some measure to obscure it. So, to don a veil of secrecy, you should simply change your IP address, right? But how?

Enter proxies.

A proxy is nothing more than an intermediate server that you connect to en route to your desired server. You reroute your traffic through it so that the server you actually want to retrieve information from sees the request as having originated from the proxy and not from you (it will see the proxy's IP address only... maybe). Proxies are commonly used to bypass firewall rules that block a particular set of IP addresses. Beyond swapping the source address, an HTTP proxy generally alters the headers of your original request in some way, and those headers decide how much you actually hide.

There are three types of proxy, each with an increasing degree of anonymity.

Transparent proxies do little to nothing to hide you: the request arrives from the proxy's address, but the proxy adds your real IP address in a forwarding header (typically X-Forwarded-For), so it is still available to whatever final server you are trying to contact. This is quite worthless in terms of maintaining secrecy.

Anonymous proxies strip your IP address from the request, so the final server sees only theirs. While this is desirable, an anonymous proxy will usually still indicate in the headers (a Via header, for instance) that a proxy is acting on behalf of the request, which is information you probably don't want revealed if you are still reading this.

Highly anonymous (or "elite") proxies are really the living end. The final server sees only their IP address, and they add no header indicating that a proxy is in use at all. This is the best you can ask for from a proxy, though note that it says nothing about what the proxy itself gets to see.
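To make the three levels concrete, here is an added example (not code from the original post) that simulates what each kind of proxy hands to the origin server and what the origin can then conclude. The X-Forwarded-For and Via header names are the real, conventional forwarding headers; the IP addresses, the exact per-level behaviour and the classification rules are assumptions of this example, not a description of any particular proxy product.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed addresses from the RFC 5737 documentation ranges; not real hosts.
CLIENT_IP = "203.0.113.10"
PROXY_IP = "198.51.100.7"


@dataclass
class Request:
    """The parts of an HTTP request an origin server can actually observe."""
    peer_ip: str                                   # TCP source address of the connection
    headers: Dict[str, str] = field(default_factory=dict)


def forward(req: Request, level: str, proxy_ip: str = PROXY_IP) -> Request:
    """Simulate what a proxy of the given anonymity level hands to the origin.

    Any proxy terminates the client's TCP connection and opens its own, so the
    origin always sees proxy_ip as the peer. The levels differ only in which
    forwarding headers survive. The behaviours are the conventional ones for
    each level, assumed here for illustration rather than taken from any
    specific proxy product.
    """
    headers = dict(req.headers)
    if level == "transparent":
        headers["X-Forwarded-For"] = req.peer_ip      # leaks the real client
        headers["Via"] = "1.1 " + proxy_ip            # announces the proxy
    elif level == "anonymous":
        headers.pop("X-Forwarded-For", None)          # hides the client...
        headers["Via"] = "1.1 " + proxy_ip            # ...but still announces itself
    elif level == "elite":
        headers.pop("X-Forwarded-For", None)          # hides the client
        headers.pop("Via", None)                      # and says nothing about a proxy
    else:
        raise ValueError(f"unknown proxy level: {level!r}")
    return Request(peer_ip=proxy_ip, headers=headers)


def classify(req: Request, known_proxies: Optional[Set[str]] = None) -> str:
    """What the origin can conclude about the sender from headers and peer IP.

    Returns 'transparent', 'anonymous', 'elite' or 'direct'. An elite proxy is
    only recognisable if its address is on a blocklist of known proxies;
    otherwise it is indistinguishable from a direct connection, which is the
    whole point of that level.
    """
    known_proxies = known_proxies or set()
    if "X-Forwarded-For" in req.headers:
        return "transparent"
    if "Via" in req.headers:
        return "anonymous"
    if req.peer_ip in known_proxies:
        return "elite"
    return "direct"


def attributed_client_ip(req: Request) -> str:
    """The address a naive log-analysis script would pin the request on.

    Caveat for defenders: X-Forwarded-For is just a header, so any client can
    set it to whatever it likes. Trust it only from proxies you control.
    """
    xff = req.headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()   # left-most entry is the original client
    return req.peer_ip


if __name__ == "__main__":
    direct = Request(peer_ip=CLIENT_IP, headers={"Host": "example.com"})
    for level in ("transparent", "anonymous", "elite"):
        seen = forward(direct, level)
        print(f"{level:12s} -> classified {classify(seen):12s} "
              f"attributed to {attributed_client_ip(seen)}")
```

Running it prints one line per level; only the transparent proxy gets the request attributed back to the client address, and the elite proxy is reported as a direct connection unless its address is already on a known-proxy list.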

But wait, proxies are all well and good, but isn't there some other common way of maintaining anonymity on the web? Something to do with onions?

Tor (The Onion Router) is a way of routing requests through the Internet in the hope of obscuring their origin. Briefly, when you connect to the Tor network, your message is encrypted in multiple layers (hence the onion theme), one for each relay it will pass through, and bounced through a "private" network of Tor relays. Each relay peels off one layer and learns only where the message came from and where it goes next, until it resurfaces into the "public" Internet through an exit node that contacts whatever server you originally wanted to access (facebook.com, for instance). That's a very high-level overview; if you are interested in learning more about Tor, look up the project's website.

Now, after however many paragraphs of run-up that was, let's discuss where these things can go wrong.

With Tor, the primary concern is your inability to establish the trustworthiness of the exit node. It peels the last layer of encryption, so if it is run by some shady operator, they can read (and tamper with) any of your traffic that isn't separately encrypted. The best way to combat this is end-to-end encryption such as TLS (i.e., HTTPS), so the exit node only ever sees ciphertext. Another potential pitfall is that the IP addresses of exit nodes are publicly available, and some websites use this information to block all requests from the Tor network. I've not tested this myself, but you could more than likely bypass this by directing Tor to a proxy that then contacts the server you want. If I ever check on this I'll let you all know. If you check on this you should let me know in the comments section.
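The onion layering described above, and the exit-node exposure it leads to, can be seen in a toy model. This is an added example, not code from the original post and not Tor's actual protocol: it assumes three relays with pre-shared per-hop keys (real Tor negotiates them per circuit with Diffie-Hellman) and uses an HMAC-SHA256 keystream as a stand-in stream cipher, which is for illustration only. The relay names, keys and request bytes are constructed.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Assumed pre-shared per-hop keys (constructed; real Tor negotiates these
# per circuit with Diffie-Hellman). Order is entry (guard) to exit.
CIRCUIT: List[Tuple[str, bytes]] = [
    ("guard", b"guard-key-0000000000000000000000"),
    ("middle", b"middle-key-000000000000000000000"),
    ("exit", b"exit-key-00000000000000000000000"),
]
# Key shared only between client and destination, standing in for TLS.
E2E_KEY = b"session-key-shared-with-server-0"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with an HMAC-SHA256 counter keystream.

    Symmetric (apply twice with the same key to get the original back). It
    reuses the same keystream for every message under a key, so it is strictly
    for illustration; do not reuse it for anything real.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path: List[Tuple[str, bytes]], destination: str, payload: bytes) -> bytes:
    """Wrap payload in one encryption layer per relay, exit's layer innermost.

    Each layer, once its relay decrypts it, reveals only "<next hop>\\n" followed
    by an opaque blob that is meant for that next hop.
    """
    next_hops = [name for name, _ in path[1:]] + [destination]
    cell = payload
    for (_, key), next_hop in zip(reversed(path), reversed(next_hops)):
        cell = keystream_xor(key, next_hop.encode() + b"\n" + cell)
    return cell


def relay_peel(key: bytes, cell: bytes) -> Tuple[str, bytes]:
    """What one relay does: strip its own layer, read the next hop, pass the rest on."""
    plain = keystream_xor(key, cell)
    next_hop, _, inner = plain.partition(b"\n")
    return next_hop.decode(), inner


def run_circuit(path: List[Tuple[str, bytes]], destination: str, payload: bytes):
    """Walk a cell through every relay, recording what each relay can observe.

    Returns (per-relay views, final destination, bytes handed to the destination).
    """
    cell = build_onion(path, destination, payload)
    views: List[Dict[str, object]] = []
    previous = "client"
    next_hop = ""
    for name, key in path:
        next_hop, cell = relay_peel(key, cell)
        views.append({"relay": name, "from": previous, "to": next_hop, "sees": cell})
        previous = name
    return views, next_hop, cell


def exit_can_read(path, destination: str, plaintext: bytes,
                  e2e_key: Optional[bytes] = None) -> bool:
    """True if the exit node sees the plaintext in the clear.

    With e2e_key set, the client first encrypts end to end (TLS stand-in), so
    the exit only ever handles ciphertext it cannot open.
    """
    payload = keystream_xor(e2e_key, plaintext) if e2e_key else plaintext
    _, _, delivered = run_circuit(path, destination, payload)
    return delivered == plaintext


if __name__ == "__main__":
    request = b"GET /private-messages HTTP/1.1"      # constructed sample request
    views, dest, delivered = run_circuit(CIRCUIT, "example.com", request)
    for v in views:
        print(f'{v["relay"]:6s} got it from {v["from"]:6s}, forwards to {v["to"]}')
    print("exit reads plaintext :", exit_can_read(CIRCUIT, "example.com", request))
    print("exit reads with e2e  :", exit_can_read(CIRCUIT, "example.com", request, E2E_KEY))
```

The guard learns that the client is talking to Tor but not where the request ends up; the middle relay sees neither endpoint; the exit alone learns the destination and, without end-to-end encryption, the full request. Adding the TLS stand-in changes only the last point, which is why the advice above is HTTPS over Tor rather than Tor alone.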

But that brings up the dangers of using a proxy service in the first place. A common way of using a proxy is to find a list of publicly available, free servers that will act as proxies and connect to one of them; alternatively, there are browser-based proxy websites that simply forward all of your requests through their site. In both cases, the vulnerability is that you can't establish the trustworthiness of whoever is running the service. Indeed, you are potentially walking directly into a MITM attack whenever you use one of these services. Any information you send can be viewed by the proxy, and further, the proxy controls your request (you gave it to them, after all), so it may choose to reroute you to any malicious phishing or malware-laced drive-by site of its choosing. SSL will not necessarily save you in the face of a MITM either: a proxy that terminates your connection can present its own forged certificate, and if you click through the browser warning (or were talked into installing the proxy's root CA) it reads everything in the clear. I'll do an article on Evil Twins and MITM attacks one of these days, if for nothing else to make sure none of you ever use public wifi again (whoever coined the term "hot spot" was probably being scanned and infected on every port at the time. Yea, that's right. An MITM will have layer 3 connectivity with you on a LAN. Metasploit much?).

So, what's the consensus? It all depends on the risks you are willing to take based on your need for privacy. I would say that Tor is probably your safest option, unless you have a proxy server somewhere that you know you can trust. There are "paid" proxy services out there, but that doesn't necessarily mean that they are any more trustworthy. At the end of the day, you decide.

In the name of Turing,
-G3n3s1s