Introduction to Tor

Secure Web Browsing and Anonymity

Sukhbir Singh
sukhbir@torproject.org

October 29, 2017

Before We Begin...

• Understand your threat model
• If in doubt, it’s better to ask
• Respect the group and the discussions
• No photographs please

Anonymity on the Internet

“On the Internet, Nobody Knows...”

†Image from The New Yorker cartoon by Peter Steiner, 1993

On the Internet, They Know...

Tor: The Onion Router

[Diagram: Client → Entry Guard (I) → Middle Relay (II) → Exit Relay (III) → Destination, with encryption layers I, II and III]

✓ Source [IP]    × Destination [Resource]

× Source [IP]    ✓ Destination [Resource]

Tor: The Onion Router

• Low-latency anonymity
• Distributed design
• 2,000,000 users and 6000 relays
• 100 Gbit/sec available bandwidth

∗ https://metrics.torproject.org

Who Uses Tor?

• Journalists
• Activists
• You...

little-t-tor

• Core of the Tor software ecosystem
• Runs as a daemon and sets up a local SOCKS5 proxy
• But there are still application-level concerns...

Tor Browser

Tor (little-t-tor)

+

Mozilla Firefox (Modified ESR)

Tor Browser: Demo

Download from https://www.torproject.org/torbrowser

Staying Safe

• Use Tor Browser
• Be careful when opening downloaded documents
• Use HTTPS versions of websites
• Don’t enable or install browser plugins

How Governments Censor Tor

[Diagram: Client → ISP* → Entry Guard (I) → Middle Relay (II) → Exit Relay (III) → Destination]

* - government

Tor Bridges

• If using Tor is
  ◦ blocked by censorship
  ◦ dangerous or considered suspicious
• Then you need to use a bridge
  ◦ an alternative entry point to the network
  ◦ makes it harder for your ISP to know that you are using Tor
• Get bridges from https://bridges.torproject.org

Using Tor Bridges

[Diagram: Client → ISP → Entry Guard (I) → Middle Relay (II) → Exit Relay (III) → Destination; with a bridge from bridges.torproject.org, Bridge (I) takes the place of Entry Guard (I)]

How Governments Censor Tor: Part II

[Diagram: Client → ISP → Bridge (I) → Middle Relay (II) → Exit Relay (III) → Destination]

Pluggable Transports (PT)

• Censors can use DPI to recognize and filter Tor traffic
• PT transforms Tor traffic between client and the bridge
  ◦ censors see innocent-looking traffic instead of Tor
• Use a bridge with a PT (obfuscated bridge)

Using Pluggable Transports and Bridges

[Diagram: Client → ISP → Bridge (I) → Middle Relay (II) → Exit Relay (III) → Destination]

Bridges and Pluggable Transports: Demo

Using Tor Browser

Onion Services

[Diagram: Onion Service (.onion)]

Benefits of Onion Services

• End-to-end encrypted without the need for a centralized CA
• Clients can be assured they are talking to the right address
• The location and IP address of the onion service are hidden
  ◦ making them difficult to block or censor

Onion Services: Demo

The New York Times Onion Service:

nytimes3xbfgragh.onion

Tor vs. VPN

†                    VPN   Tor   Tor Browser
Censorship Evasion   ++    +++   +++
Appear Elsewhere     ++    +     +
Anonymity            +     ++    +++
Privacy              −     +     +++
Speed                ++    −−    −−
Cost                 −−    +++   +++

† Modified under CC BY-SA 4.0. Original work by Tim Sammut from https://teamsammut.com/blog/2015/08/tor-vs-vpn-and-proxies-slides.html

Secure Web Browsing: Discussion

EFF Surveillance Self-Defense

https://ssd.eff.org

Thank You

Questions?

https://www.torproject.org/support/

sukhbir@torproject.org

E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA
