introduction to torsukhbir/talks/toronto... · 2017. 10. 29. · introduction to tor secure web...
TRANSCRIPT
Before We Begin. . .
I Understand your threat model
I If in doubt, it’s better to ask
I Respect the group and the discussions
I No photographs please
2 / 25
Before We Begin. . .
I Understand your threat model
I If in doubt, it’s better to ask
I Respect the group and the discussions
I No photographs please
2 / 25
Before We Begin. . .
I Understand your threat model
I If in doubt, it’s better to ask
I Respect the group and the discussions
I No photographs please
2 / 25
Before We Begin. . .
I Understand your threat model
I If in doubt, it’s better to ask
I Respect the group and the discussions
I No photographs please
2 / 25
Before We Begin. . .
I Understand your threat model
I If in doubt, it’s better to ask
I Respect the group and the discussions
I No photographs please
2 / 25
Anonymity on the Internet
3 / 25
Anonymity on the Internet
3 / 25
Anonymity on the Internet
3 / 25
Anonymity on the Internet
3 / 25
Anonymity on the Internet
3 / 25
Anonymity on the Internet
3 / 25
Anonymity on the Internet
Anonymity
3 / 25
Anonymity on the Internet
3 / 25
“On the Internet, Nobody Knows...”
†
†Image from The New Yorker cartoon by Peter Steiner, 1993
4 / 25
On the Internet, They Know...
5 / 25
Tor: The Onion Router
6 / 25
Tor: The Onion Router
6 / 25
Tor: The Onion Router
6 / 25
Tor: The Onion Router
Client
Destination
6 / 25
Tor: The Onion Router
Client
Destination
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
I
II
III
6 / 25
Tor: The Onion Router
Client
Destination
EntryMiddleExit
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
I
II
III
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II)
Exit Relay (III)
I
II
III
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
I
II
III
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
I
II
III
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
I
II
III
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
✓Source [IP]
× Destination [Resource]
6 / 25
Tor: The Onion Router
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
× Source [IP]
✓Destination [Resource]
6 / 25
Tor: The Onion Router
I Low-latency anonymity
I Distributed design
I 2,000,000 users and 6000 relaysI 100 Gbit/sec available bandwidth
∗https://metrics.torproject.org7 / 25
Tor: The Onion Router
I Low-latency anonymity
I Distributed design
I 2,000,000 users and 6000 relaysI 100 Gbit/sec available bandwidth
∗https://metrics.torproject.org7 / 25
Tor: The Onion Router
I Low-latency anonymity
I Distributed design
I 2,000,000 users and 6000 relaysI 100 Gbit/sec available bandwidth
∗https://metrics.torproject.org7 / 25
Who Uses Tor?
I Journalists
I Activists
I You...
8 / 25
Who Uses Tor?
I Journalists
I Activists
I You...
8 / 25
Who Uses Tor?
I Journalists
I Activists
I You...
8 / 25
Who Uses Tor?
I Journalists
I Activists
I You...
8 / 25
little-t-tor
I Core of the Tor software ecosystem
I Runs as a daemon and sets up a local SOCKS5 proxy
I But there are still application-level concerns. . .
9 / 25
little-t-tor
I Core of the Tor software ecosystem
I Runs as a daemon and sets up a local SOCKS5 proxy
I But there are still application-level concerns. . .
9 / 25
little-t-tor
I Core of the Tor software ecosystem
I Runs as a daemon and sets up a local SOCKS5 proxy
I But there are still application-level concerns. . .
9 / 25
little-t-tor
I Core of the Tor software ecosystem
I Runs as a daemon and sets up a local SOCKS5 proxy
I But there are still application-level concerns. . .
9 / 25
Tor Browser
Tor (little-t-tor)
+
Mozilla Firefox (Modified ESR)
10 / 25
Tor Browser: Demo
Download fromhttps://www.torproject.org/torbrowser
11 / 25
Staying Safe
I Use Tor Browser
I Be careful when opening downloaded documents
I Use HTTPS versions of websites
I Don’t enable or install browser plugins
12 / 25
Staying Safe
I Use Tor Browser
I Be careful when opening downloaded documents
I Use HTTPS versions of websites
I Don’t enable or install browser plugins
12 / 25
Staying Safe
I Use Tor Browser
I Be careful when opening downloaded documents
I Use HTTPS versions of websites
I Don’t enable or install browser plugins
12 / 25
Staying Safe
I Use Tor Browser
I Be careful when opening downloaded documents
I Use HTTPS versions of websites
I Don’t enable or install browser plugins
12 / 25
Staying Safe
I Use Tor Browser
I Be careful when opening downloaded documents
I Use HTTPS versions of websites
I Don’t enable or install browser plugins
12 / 25
How Governments Censor Tor
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
13 / 25
How Governments Censor Tor
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
ISP*
* - government
13 / 25
How Governments Censor Tor
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
ISP
13 / 25
How Governments Censor Tor
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
ISP
13 / 25
Tor Bridges
I If using Tor isI blocked by censorshipI dangerous or considered supicious
I Then you need to use a bridgeI an alternative entry point to the networkI makes it harder for your ISP to know that you are using Tor
I Get bridges from https://bridges.torproject.org
14 / 25
Tor Bridges
I If using Tor isI blocked by censorshipI dangerous or considered supicious
I Then you need to use a bridgeI an alternative entry point to the networkI makes it harder for your ISP to know that you are using Tor
I Get bridges from https://bridges.torproject.org
14 / 25
Tor Bridges
I If using Tor isI blocked by censorshipI dangerous or considered supicious
I Then you need to use a bridge
I an alternative entry point to the networkI makes it harder for your ISP to know that you are using Tor
I Get bridges from https://bridges.torproject.org
14 / 25
Tor Bridges
I If using Tor isI blocked by censorshipI dangerous or considered supicious
I Then you need to use a bridgeI an alternative entry point to the networkI makes it harder for your ISP to know that you are using Tor
I Get bridges from https://bridges.torproject.org
14 / 25
Tor Bridges
I If using Tor isI blocked by censorshipI dangerous or considered supicious
I Then you need to use a bridgeI an alternative entry point to the networkI makes it harder for your ISP to know that you are using Tor
I Get bridges from https://bridges.torproject.org
14 / 25
Using Tor Bridges
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
ISP
15 / 25
Using Tor Bridges
Client
Destination
Entry Guard (I)
Middle Relay (II) Exit Relay (III)
ISP
bridges.torproject.org
15 / 25
Using Tor Bridges
Client
Destination
Bridge (I)
Middle Relay (II) Exit Relay (III)
ISP
15 / 25
Using Tor Bridges
Client
Destination
Bridge (I)
Middle Relay (II) Exit Relay (III)
ISP
15 / 25
How Governments Censor Tor: Part II
Client
Destination
Bridge (I)
Middle Relay (II) Exit Relay (III)
ISP
16 / 25
How Governments Censor Tor: Part II
Client
Destination
Bridge (I)
Middle Relay (II) Exit Relay (III)
ISP
16 / 25
Pluggable Transports (PT)
I Censors can use DPI to recognize and filter Tor traffic
I PT transforms Tor traffic between client and the bridgeI censors see innocent-looking traffic instead of Tor
I Use a bridge with a PT (obfuscated bridge)
17 / 25
Pluggable Transports (PT)
I Censors can use DPI to recognize and filter Tor traffic
I PT transforms Tor traffic between client and the bridgeI censors see innocent-looking traffic instead of Tor
I Use a bridge with a PT (obfuscated bridge)
17 / 25
Pluggable Transports (PT)
I Censors can use DPI to recognize and filter Tor traffic
I PT transforms Tor traffic between client and the bridgeI censors see innocent-looking traffic instead of Tor
I Use a bridge with a PT (obfuscated bridge)
17 / 25
Using Pluggable Transports and Bridges
Client
Destination
Bridge (I)
Middle Relay (II) Exit Relay (III)
ISP
18 / 25
Using Pluggable Transports and Bridges
Client
Destination
Bridge (I)
Middle Relay (II) Exit Relay (III)
ISP
18 / 25
Using Pluggable Transports and Bridges
Client
Destination
Bridge (I)
Middle Relay (II) Exit Relay (III)
ISP
18 / 25
Bridges and Pluggable Transports: Demo
Using Tor Browser
19 / 25
Onion Services
Onion Service(.onion)
20 / 25
Onion Services
Onion Service(.onion)
20 / 25
Onion Services
Onion Service(.onion)
20 / 25
Benefits of Onion Services
I End-to-end encrypted without the need for a centralized CA
I Clients can be assured they are talking to the right address
I The location and IP address of the onion service are hiddenI making them difficult block or censor
21 / 25
Benefits of Onion Services
I End-to-end encrypted without the need for a centralized CA
I Clients can be assured they are talking to the right address
I The location and IP address of the onion service are hiddenI making them difficult block or censor
21 / 25
Benefits of Onion Services
I End-to-end encrypted without the need for a centralized CA
I Clients can be assured they are talking to the right address
I The location and IP address of the onion service are hiddenI making them difficult block or censor
21 / 25
Benefits of Onion Services
I End-to-end encrypted without the need for a centralized CA
I Clients can be assured they are talking to the right address
I The location and IP address of the onion service are hiddenI making them difficult block or censor
21 / 25
Onion Services: Demo
The New York Times Onion Service:
nytimes3xbfgragh.onion
22 / 25
Tor vs. VPN
† VPN Tor Tor Browser
Censorship Evasion ++ +++ +++Appear Elsewhere ++ + +Anonymity + ++ +++Privacy − + +++Speed ++ −− −−Cost −− +++ +++
†Modified under CC BY-SA 4.0. Original work by Tim Sammut from
https://teamsammut.com/blog/2015/08/tor-vs-vpn-and-proxies-slides.html
23 / 25
Tor vs. VPN
† VPN Tor Tor BrowserCensorship Evasion ++ +++ +++
Appear Elsewhere ++ + +Anonymity + ++ +++Privacy − + +++Speed ++ −− −−Cost −− +++ +++
†Modified under CC BY-SA 4.0. Original work by Tim Sammut from
https://teamsammut.com/blog/2015/08/tor-vs-vpn-and-proxies-slides.html
23 / 25
Tor vs. VPN
† VPN Tor Tor BrowserCensorship Evasion ++ +++ +++Appear Elsewhere ++ + +
Anonymity + ++ +++Privacy − + +++Speed ++ −− −−Cost −− +++ +++
†Modified under CC BY-SA 4.0. Original work by Tim Sammut from
https://teamsammut.com/blog/2015/08/tor-vs-vpn-and-proxies-slides.html
23 / 25
Tor vs. VPN
† VPN Tor Tor BrowserCensorship Evasion ++ +++ +++Appear Elsewhere ++ + +Anonymity + ++ +++
Privacy − + +++Speed ++ −− −−Cost −− +++ +++
†Modified under CC BY-SA 4.0. Original work by Tim Sammut from
https://teamsammut.com/blog/2015/08/tor-vs-vpn-and-proxies-slides.html
23 / 25
Tor vs. VPN
† VPN Tor Tor BrowserCensorship Evasion ++ +++ +++Appear Elsewhere ++ + +Anonymity + ++ +++Privacy − + +++
Speed ++ −− −−Cost −− +++ +++
†Modified under CC BY-SA 4.0. Original work by Tim Sammut from
https://teamsammut.com/blog/2015/08/tor-vs-vpn-and-proxies-slides.html
23 / 25
Tor vs. VPN
† VPN Tor Tor BrowserCensorship Evasion ++ +++ +++Appear Elsewhere ++ + +Anonymity + ++ +++Privacy − + +++Speed ++ −− −−
Cost −− +++ +++
†Modified under CC BY-SA 4.0. Original work by Tim Sammut from
https://teamsammut.com/blog/2015/08/tor-vs-vpn-and-proxies-slides.html
23 / 25
Tor vs. VPN
† VPN Tor Tor BrowserCensorship Evasion ++ +++ +++Appear Elsewhere ++ + +Anonymity + ++ +++Privacy − + +++Speed ++ −− −−Cost −− +++ +++
†Modified under CC BY-SA 4.0. Original work by Tim Sammut from
https://teamsammut.com/blog/2015/08/tor-vs-vpn-and-proxies-slides.html
23 / 25
Secure Web Browsing: Discussion
EFF Surveillance Self-Defense
https://ssd.eff.org
24 / 25
Thank You
Questions?https://www.torproject.org/support/
E4AC D397 5427 A5BA 8450 A1BE B01C 8B00 6DA7 7FAA
25 / 25