Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Digital Speakeasy: Secure and Anonymous Acc...

The Digital Speakeasy: Secure and Anonymous Access to Your Website

The Onion Router (Tor) is an invention of the US Naval Research Lab designed to anonymously route web traffic. Originally intended for secure communication between intelligence agents, Tor has become infamous for its role in the less savory parts of the internet. In a post-Arab Spring world, Tor has come full circle with big names like ProPublica and Facebook using the service to provide their users with secure side entrances to their websites. Inspired by their example, I’d like to show you how to provide Tor anonymity and privacy to your website users, without modifying a single bit on your production server!

Presented at:
DrupalCon Nashville
Full Slidedeck with Speaker Notes:
https://github.com/milsyobtaf/prez/blob/primary/2018/DrupalConNashville/digital-speakeasy_notes.pdf

milsyobtaf

April 11, 2018
Tweet

More Decks by milsyobtaf

Other Decks in Technology

Transcript

  1. Drupal. JavaScript. Future. Keynotes. Sessions. Sprints. A different kind of

    Drupal conference. Mark your calendar and prep your proposal! Follow @decoupleddays on Twitter.
  2. Join us for contribution sprints Friday, April 13, 2018 Mentored

    Core sprint 9:00-18:00 Room: 103 First time sprinter workshop General sprint 9:00-12:00 Room: 101 9:00-18:00 Room: 104 #drupalsprint
  3. What did you think? Locate this session at the DrupalCon

    Nashville website: http://nashville2018.drupal.org/schedule Take the Survey! https://www.surveymonkey.com/r/nashiville
  4. <!DOCTYPE html> <html lang="en-US"> <head> <meta charset="utf-8"> <title>Web design, development,

    and strategy | Four Kitchens</title> <meta name="viewport" content="width=device- width, initial-scale=1.0, maximum-scale=1.0"> <meta property="og:title" content="Web design, development, and strategy"> <meta property="og:type" content="article"> <meta property="og:url" content="http:// fourkitchens.com/"> <link rel="canonical" href="http://
  5. HTTP/1.1 200 OK Server: nginx/1.6.1 Date: Sat, 20 Aug 2016

    03:42:11 GMT Content-Type: text/html; charset=utf-8 Content-Length: 56595 Last-Modified: Wed, 17 Aug 2016 00:07:26 GMT Connection: keep-alive Vary: Accept-Encoding ETag: "57b3aabe-dd13" Expires: Sun, 21 Aug 2016 03:42:11 GMT Cache-Control: max-age=86400 X-UA-Compatible: IE=Edge Accept-Ranges: bytes
  6. <!QBPGLCR ugzy> <ugzy ynat="ra-HF"> <urnq> <zrgn punefrg="hgs-8"> <gvgyr>Jro qrfvta, qrirybczrag,

    naq fgengrtl | Sbhe Xvgpuraf</gvgyr> <zrgn anzr="ivrjcbeg" pbagrag="jvqgu=qrivpr- jvqgu, vavgvny-fpnyr=1.0, znkvzhz-fpnyr=1.0"> <zrgn cebcregl="bt:gvgyr" pbagrag="Jro qrfvta, qrirybczrag, naq fgengrtl"> <zrgn cebcregl="bt:glcr" pbagrag="negvpyr"> <zrgn cebcregl="bt:hey" pbagrag="uggc:// sbhexvgpuraf.pbz/"> <yvax ery="pnabavpny" uers="uggc://
  7. HTTP/1.1 200 OK Server: nginx/1.6.1 Date: Sat, 20 Aug 2016

    03:49:34 GMT Content-Type: text/html; charset=utf-8 Content-Length: 56595 Last-Modified: Wed, 17 Aug 2016 00:07:26 GMT Connection: keep-alive Vary: Accept-Encoding ETag: "57b3aabe-dd13" Expires: Sun, 21 Aug 2016 03:49:34 GMT Cache-Control: max-age=86400 X-UA-Compatible: IE=Edge Accept-Ranges: bytes
  8. • Plain Text browsing • HTTPS browsing • Onion Router

    (gen 1) • Tor (The Onion Router, gen 2) Browsing in Secret
  9. • Not all governments are that forgiving • Arab Spring

    • Turkish Coup The Importance of Privacy
  10. • Not all governments are that forgiving • Arab Spring

    • Turkish Coup • Not all jobs are fully ethical • Edward Snowden • Chelsea Manning • Your reading habits can have consequences • Open Societies Foundation The Importance of Privacy
  11. Cooking up some delicious scallions... Using kernel optimized from file

    kernel.cl (Optimized4) Using work group size 128 Compiling kernel... done. Testing SHA1 hash... CPU SHA-1: d3486ae9136e7856bc42212385ea797094475802 GPU SHA-1: d3486ae9136e7856bc42212385ea797094475802 Looks good! LoopIteration:40 HashCount:671.09MH Speed:9.5MH/s Runtime: 00:01:10 Predicted:00:00:56 Found new key! Found 1 unique keys. <XmlMatchOutput> <GeneratedDate>2014-08-05T07:14:50.329955Z</GeneratedDate> <Hash>prefix64kxpwmzdz.onion</Hash> <PrivateKey>-----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCmYmTnwGOCpsPOqvs5mZQbIM1TTqOHK1r6zGvpk61ZaT7z2BCE FPvdTdkZ4tQ3/95ufjhPx7EVDjeJ/JUbT0QAW/YflzUfFJuBli0J2eUJzhhiHpC/ 1d3rb6Uhnwvv3xSnfG8m7LeI/Ao3FLtyZFgGZPwsw3BZYyJn3sD1mJIJrQIEB/ZP
  12. Caveat Typor • Reduction of randomness per character • Loss

    of .onion domain • Phishing attacks • smspriv6fynj23u6.onion
 vs
 smsprivyevs6xn6z.onion
  13. Drupal Hidden Services • Drupal Module (http:/ /dgo.to/tor) • Very

    out of date, somewhat clunky • Tor on Production Server • Complicates production server • Potential attack vectors • Something else?
  14. Reverse Proxy Setup • Drupal server only accessed as standard

    web server • Can’t blame Tor if the server white screens • Drupal server can continue to collect logs normally • Tor server can be locked down and scrubbed
  15. # Try to run Tor more securely via a syscall

    sandbox. # https://www.torproject.org/docs/tor-manual.html.en#Sandbox Sandbox 1 # Disable the SOCKS port. Not like anything else on this box is using tor. SocksPort 0 HiddenServiceDir /var/lib/tor/hidserv #HiddenServicePort 80 127.0.0.1:80 HiddenServicePort 80 unix:/var/run/nginx-80.sock #HiddenServicePort 443 unix:/var/lib/nginx/nginx-443.sock
  16. server { server_name fdg22p3lmweopgho.onion; listen unix:/var/run/nginx-80.sock; allow "unix:"; deny all;

    #listen 80; #allow 127.0.0.1; # Set cache on this nginx end so that we avoid fetching from # the real infrastructure when possible. proxy_cache tor; proxy_cache_valid any 5m; proxy_cache_revalidate on; proxy_cache_use_stale timeout updating; proxy_cache_key $request_uri; proxy_ignore_headers expires set-cookie;
  17. location / { proxy_pass https://192.168.1.100; proxy_http_version 1.1; proxy_set_header Host "www.website.org";

    proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; #proxy_ssl_server_name on; proxy_read_timeout 30; proxy_connect_timeout 30; # Don't compress data, since the subs module can't replace proxy_set_header Accept-Encoding ""; # TODO: denying non-GET requests due to some bot-related # abuse on some endpoints that poorly handle that. limit_except GET { deny all;
  18. ### SUBS https://github.com/yaoweibin/ ngx_http_substitutions_filter_module ### # We're rewriting links, but

    we need to preserve rel=canonical for analytics. subs_filter "rel=\"canonical\" href=\"http:// www.website.org" "-----CANONICALHTTPfdgDOTORG-----" i; subs_filter "rel=\"canonical\" href=\"https:// www.website.org" "-----CANONICALHTTPSfdgDOTORG-----" i; # Keep links in .onion subs_filter (http:|https:)?//(www\.)?website.org //$server_name gir; # Restore the rel="canonical" tag subs_filter "-----CANONICALHTTPfdgDOTORG-----" "rel=\"canonical\" href=\"http://www.website.org" i; subs_filter "-----CANONICALHTTPSfdgDOTORG-----" "rel=\"canonical\" href=\"https://www.website.org" i; ### /SUBS ###
  19. # We're rewriting links, but we need to preserve rel=canonical

    for analytics. subs_filter "rel=\"canonical\" href=\"http:// www.website.org" "-----CANONICALHTTPfdgDOTORG-----" i; subs_filter "rel=\"canonical\" href=\"https:// www.website.org" "-----CANONICALHTTPSfdgDOTORG-----" i; # Keep links in .onion subs_filter (http:|https:)?// (www\.)?website.org //$server_name gir; # Restore the rel="canonical" tag subs_filter "-----CANONICALHTTPfdgDOTORG-----" "rel=\"canonical\" href=\"http://www.website.org" i; subs_filter "-----CANONICALHTTPSfdgDOTORG-----"
  20. ### HEADERS http://wiki.nginx.org/HttpHeadersMoreModule ### more_clear_headers "Age"; more_clear_headers "Server"; more_clear_headers "Via";

    more_clear_headers "X-From-Nginx"; more_clear_headers "X-NA"; more_clear_headers "X-Powered-By"; more_clear_headers "X-Request-Id"; more_clear_headers "X-Runtime"; more_clear_headers "X-Varnish"; more_clear_headers "Content-Security-Policy-Report-Only"; ### /HEADERS ### }
  21. Ideal Setup • All logging turned off • All log

    paths set to /dev/null • All non-Tor traffic kept internal
  22. There Can Be Only One • Hidden sites, by their

    nature, have unique and secure URLs • It’s still possible to be exposed to malicious Tor nodes • Your browser might try to communicate to non- Onion addresses
  23. There Can Be Only One • DigiCert • Only game

    in town, currently • Working to standardize .onion as a TLD
  24. Future Improvements • Future Improvements • Single Onion Services -

    1 hop server () • OnionBalance - load balancing • Permanent SSL Certificates
  25. Resource Links General: https:/ /www.torproject.org/about/overview.html.en https:/ /www.torproject.org/docs/hidden-services.html.en https:/ /www.eff.org/pages/tor-and-https https:/

    /github.com/alecmuffett/eotk https:/ /github.com/alecmuffett/onion-sites-that-dont-suck https:/ /onionshare.org http:/ /incoherency.co.uk/blog/stories/hidden-service-phishing.html https:/ /boingboing.net/2017/10/02/pwnage-to-catalonia.html ProPublica setup: https:/ /www.propublica.org/nerds/item/a-more-secure-and-anonymous-propublica-using-tor-hidden-services https:/ /gist.github.com/mtigas/9a7425dfdacda15790b2 HTTPS: https:/ /www.cybersecureasia.com/blog/tor-ssl-onion-certificate-from-digicert Vanity URL: http:/ /www.zdnet.com/article/facebook-sets-up-hidden-service-for-tor-users/