
Ticket To The Dark World


An evaluation of the fingerprinting resistance of conventional Firefox versus Tor Browser in the hostile environment of the dark web. (OWASP Saitama MTG #12, talk #1)

Takahiro Yoshimura

February 28, 2023



Transcript

  1. WHO I AM
     ▸ Takahiro Yoshimura (@alterakey)
       https://keybase.io/alterakey
     ▸ Monolith Works Inc.
       Co-founder, CTO
       Security researcher
     ▸ Meiji University Cyber Security Institute, visiting researcher
  2. WHAT I DO
     ▸ Security research and development
     ▸ iOS/Android apps
       → Financial, games, IoT-related, etc. (>200)
       → trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017]
     ▸ Windows/Mac/Web/HTML5 apps
       → POS, RAD tools, etc.
     ▸ Network/Web penetration testing
       → PCI-DSS etc.
     ▸ Search engine reconnaissance (aka Google Hacking)
     ▸ Whitebox testing
     ▸ Forensic analysis
  3. WHAT I DO
     ▸ CTF
     ▸ Enemy10, Sutegoma2
     ▸ METI CTFCJ 2012 Qual.: Won
     ▸ METI CTFCJ 2012: 3rd
     ▸ DEF CON 21 CTF: 6th
     ▸ DEF CON 22 OpenCTF: 4th
     ▸ Talks and presentations
       DEF CON 25 Demo Labs (2017)
       DEF CON 27 AI Village (2019)
       CODE BLUE (2017, 2019)
       CYDEF (2020) etc.
     Image by Wiyre Media on flickr, CC-BY 2.0
  4. BACKGROUND
     ▸ Tor -- The Onion Router
       → A kind of dark web (a web space with strong anonymity)
     ▸ Characteristics
     ▸ Uses a different route (circuit) for each destination
     ▸ Rebuilds the circuit roughly every 10 minutes
     ▸ Bridges can also be used
     ▸ Connections go through torproxy (SOCKS5)
     Image by The Tor Project, CC BY 3.0 US
  5. BACKGROUND
     ▸ Tor Browser
     ▸ A bundle of Firefox ESR and torproxy
     ▸ Bridges etc. can be used directly
     ▸ The circuit currently in use can always be inspected
     ▸ Circuits can be rebuilt on demand
     ▸ In effect a dedicated browser
  6. TAILORED TO THE DARK WEB?
     ▸ The official Tor Browser
     ▸ Designed with tracking and surveillance in mind
     ▸ Block Trackers
     ▸ Defend Against Surveillance
     ▸ Resist Fingerprinting
     ▸ Multi-layered Encryption
  7. PILLARS OF PRIVACY
     ▸ Two main pillars [1]
       https://2019.www.torproject.org/projects/torbrowser/design/
     ▸ Cross-Origin Identifier Unlinkability
     ▸ Identifiers must not be carried across origins
     ▸ Cross-Origin Fingerprinting Unlinkability
     ▸ The browser's own identity (its characteristics) must not be carried across origins
  8. PILLARS OF PRIVACY
     ▸ If you get fingerprinted…
     ▸ Your behaviour may be identified
     ▸ Your physical location may be identified
       (e.g. from the distribution channel of the device)
     ▸ A threat to privacy
     Image by Andrew Gustar on flickr, CC-BY-ND 2.0
  9. CROSS-ORIGIN IDENTIFIER UNLINKABILITY
     ▸ First-party Isolation
       privacy.firstparty.isolate = true
     ▸ Cookie/Storage/Cache entries etc. are also scoped by origin (→ the first party), isolating them per environment
     ▸ Things already governed by the SOP are scoped as well
       → double keying
     Image by gufm on flickr, CC-BY-NC-ND 2.0
  10. CROSS-ORIGIN IDENTIFIER UNLINKABILITY
     ▸ ... Cookie, Cache, Storage, Authorization, TLS session ID, Shared Workers, HTTP/2*, forced redirects, window.name, autofill, HSTS/HPKP, broadcast, OCSP, favicon, media source, prefetch, permissions API
       * HTTP/2 isolation is effective in the current build
     Image by gufm on flickr, CC-BY-NC-ND 2.0
  11. CROSS-ORIGIN IDENTIFIER UNLINKABILITY
     ▸ Problem: social login and the like stop working
       → Workarounds are provided, but some cases are still broken
       privacy.firstparty.restrict_opener_access, privacy.firstparty.block_post_message etc.
     ▸ In practice these are not used in Tor
     Image by jason wilson on flickr, CC-BY-SA 2.0
  12. CROSS-ORIGIN FINGERPRINTING UNLINKABILITY
     ▸ Resist Fingerprinting
       privacy.resistFingerprinting = true
     ▸ Resists fingerprinting by making every browser look the same (homogenisation)
     ▸ Constrains the following:
       canvas data precision, timer precision, performance API, rendering area (letterboxing)*, gamepad API, TZ0, network information, sensors, Geolocation API etc.
     ▸ * Windows also become square (protecting the screen size)
     Image by Tricia on flickr, CC-BY 2.0
  13. UPLIFTING
     ▸ Tor Browser used to implement these on its own, but…
       maintaining the patches became a burden, so they were sent upstream
     ▸ Project Tor Uplift [M1/M2/M3]
       → Mostly merged in Firefox 52..59
       (Tom Ritter et al.)
  14. UPLIFTED!
     ▸ First Party Isolation (>=52)
       privacy.firstparty.isolate = true
       → Enhanced Tracking Protection Strict Mode (>=86) … the pref still exists, so this is somewhat questionable.
       → https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning
     ▸ Resist Fingerprinting (>=59)
       privacy.resistFingerprinting = true
       → Windows become square, but letterboxing…
       → https://wiki.mozilla.org/Security/Fingerprinting
     Image by Frans on flickr, CC-BY-NC-ND 2.0
  15. UPLIFTED! .. WITH OTHER SETUP
     ▸ Other settings…
     ▸ Permanent Private Browsing
     ▸ Extensions: NoScript, uBlock Origin, Decentraleyes
     ▸ Settings:
       - Home: Blank
       - Search engine: DuckDuckGo
       - Enabled: HTTPS-Only Mode (in all windows)
       - Disabled: Search suggestions, Safe browsing, OCSP query, everything under Firefox Data Collection and Use, Spellcheck, DRM, auto updates, extension/feature recommendations, breached passwords reminder
     Image by Frans on flickr, CC-BY-NC-ND 2.0
  16. READY TO ENTER THE DARK WORLD?
     ▸ Is Tor Browser actually strong against fingerprinting?
     ▸ How does it compare with today's FPI + RFP?
     ▸ Is an ad-blocker etc. really unnecessary? (They even tell you not to install one)
     ▸ Let's test it
     Image by Tim Cummins on flickr, CC-BY-NC-ND 2.0
  17. TEST (NON-JS)
     ▸ Am I Unique?
       amiunique.org
     ▸ Reports the number of stored records that match your fingerprint
       → Qualitatively, more is better
       → Since we compare against Tor, matching Tor Browser's count is the goal
  18. FINDINGS (NON-JS)
     ▸ Firefox 111.0b6 + FPI + RFP
     ▸ Almost (~6)
     ▸ User-Agent
     ▸ DNT: 1
  19. FINDINGS (NON-JS) - PATCH
     ▸ Firefox 111.0b6 + FPI + RFP
     ▸ Almost (~6)
     ▸ User-Agent
       → extension: Custom User-Agent String
       (Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0)
     ▸ DNT: 1
       → extension: Modify Header Value (removes the DNT header)
  20. FINDINGS (NON-JS) - PATCHED?
     ▸ Firefox 111.0b8 + FPI + RFP + Header Tweaks
     ▸ No (~7200): on par with Tor Browser…?
  21. FINDINGS (NON-JS) - PATCH, II
     ▸ telemetry!!!
     ▸ Set the following to "data:;"
     ▸ browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint
     ▸ toolkit.telemetry.server
  22. FINDINGS (NON-JS) - PATCHED
     ▸ Firefox 111.0b8 + FPI + RFP + Header Tweaks
     ▸ No (~7200): on par with Tor Browser
       → Probably fine in a non-JS environment
  23. TESTING (JS)
     ▸ Am I Unique?
       amiunique.org
     ▸ TorZillaPrint
       https://arkenfox.github.io/TZP/index.html
       (fingerprinting specialised for Gecko-based browsers)
  24. FINDINGS (JS)
     ▸ Tor Browser
     ▸ amiunique: Yes!!!
     ▸ Noise from blocked canvas extraction
       → As expected; it is random, so not really a problem
     ▸ The rest…
       useragent (JS): platform (!)
       font count, navigator property count, screenWidth, screenHeight etc.
  25. FINDINGS (JS)
     ▸ Firefox 111.0b8 + FPI + RFP + Header Tweaks
     ▸ amiunique: Yes!!!
     ▸ Noise from blocked canvas extraction
     ▸ useragent (JS): a different value (!)
       font count: the real value (!)
       screenWidth: the real value (!)
       screenHeight: the real value (!)
       navigator property count: CredentialManager and the like
       permission: presence of WebMIDI etc.
       media-devices: hardware configuration (!)
       WebGL: a fair amount of hardware configuration (!*) etc.
  26. FINDINGS (JS) - PATCH
     ▸ screenWidth/screenHeight
       privacy.resistFingerprinting.letterboxing = true
       * has to be added explicitly
     ▸ WebGL (where it shows up)
       webgl.disabled = true
       webgl.enable-webgl2 = false
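An added example, not part of the deck: a small Node.js script that audits a Firefox user.js/prefs.js against the prefs the talk sets on slides 9, 12, 14, 21 and 26 (FPI, RFP, letterboxing, WebGL off, telemetry endpoints neutralised). Pref names are the ones the deck lists; the sample user.js content and the telemetry URL inside it are constructed for the demonstration.

```javascript
// Checklist of prefs named in the deck and the values it recommends.
const REQUIRED_PREFS = {
  "privacy.firstparty.isolate": true,
  "privacy.resistFingerprinting": true,
  "privacy.resistFingerprinting.letterboxing": true,
  "webgl.disabled": true,
  "webgl.enable-webgl2": false,
  "toolkit.telemetry.server": "data:;",
  "browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint": "data:;",
};

// Parse user_pref("name", value); lines. Values are JSON-compatible
// (true/false, numbers, double-quoted strings), so JSON.parse decodes them;
// anything else (comments, blank lines) is skipped.
function parseUserJs(text) {
  const prefs = {};
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    try { prefs[m[1]] = JSON.parse(m[2]); } catch { prefs[m[1]] = m[2]; }
  }
  return prefs;
}

// Compare parsed prefs with the checklist. A pref that is absent falls back
// to the Firefox default, so "missing" is reported as a finding too.
function auditPrefs(prefs) {
  const findings = [];
  for (const [name, want] of Object.entries(REQUIRED_PREFS)) {
    if (!(name in prefs)) findings.push({ pref: name, issue: "missing", want });
    else if (prefs[name] !== want) findings.push({ pref: name, issue: "wrong", want, got: prefs[name] });
  }
  return findings;
}

// Constructed sample profile: letterboxing left off, WebGL2 pref absent,
// telemetry server still pointing at a (made-up) collection URL.
const SAMPLE_USER_JS = `
// user.js (constructed sample)
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.resistFingerprinting.letterboxing", false);
user_pref("webgl.disabled", true);
user_pref("toolkit.telemetry.server", "https://telemetry.example.org/submit");
user_pref("browser.newtabpage.activity-stream.telemetry.structuredIngestion.endpoint", "data:;");
`;

for (const f of auditPrefs(parseUserJs(SAMPLE_USER_JS))) {
  console.log(`${f.pref}: ${f.issue}` + (f.issue === "wrong" ? ` (want ${JSON.stringify(f.want)}, got ${JSON.stringify(f.got)})` : ""));
}
```

Point the parser at your own profile's prefs.js to check what the deck's recommendations actually look like after Firefox has rewritten the file.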
  27. FINDINGS (JS) - PATCHED
     ▸ Firefox 111.0b8 + FPI + RFP + Header Tweaks
     ▸ amiunique: Yes!!!
     ▸ Noise from blocked canvas extraction
     ▸ useragent (JS): a different value (!)
       font count: the real value (!)
       navigator property count: CredentialMan. and the like
       permission: presence of WebMIDI etc.
       media-devices: hardware configuration (!)
  28. FINDINGS (JS) - PATCHED
     ▸ Firefox 111.0b8 + FPI + RFP + Header Tweaks
     ▸ amiunique: Yes (cannot be fully defended)
       → Not recommended for use in a JS-enabled environment
  29. FINDINGS (JS, 2)
     ▸ Firefox 111.0b6 + FPI + RFP + Header Tweaks
     ▸ TZP: Gecko, Firefox 111 (!), build switch (!)
  30. FINDINGS (JS, MISC)
     ▸ Letterboxing bypass: #1450401 et al.
     ▸ The screen size can be read in full-screen mode
       (NB: works against Tor Browser too!)
       https://bugzilla.mozilla.org/show_bug.cgi?id=1450401
  31. TAKEAWAYS
     ▸ With current Firefox, FPI + RFP set up with some care is probably fine in a non-JS environment
     ▸ It does not hold up in a JS environment; Tor Browser is a must
       * uBlock Origin and the like are probably still worth having; things you need not step on are better avoided
     ▸ Be careful with JS
       Safest mode or NoScript enabled is the baseline
     Image by jakes_brick_hoard on flickr, CC-BY-NC-ND 2.0
  32. TAKEAWAYS
     ▸ Roughly this much can probably be learned about you:
       CPU arch (ARM/x86/x86_64?), platform (Mac/Linux/Windows), base build, and for self-built binaries the CPU generation from the build switches, etc. * Gentoo users, take special care
     ▸ + Screen size raises the chance of identifying the device model
       → Be doubly careful with full-screen mode
     ▸ amiunique: under RFP, being "unique" is the norm
     Image by jakes_brick_hoard on flickr, CC-BY-NC-ND 2.0
  33. GUARD NODE?
     ▸ Is the guard node safe?
       → I do not think so
     ▸ Because:
     ▸ It is chosen from the public relay list based on speed and stability
       Operation relies on the community's self-policing (≈ mutual monitoring / reporting)
     ▸ Anyone can register a relay; there is no particular vetting
       → Sheer numbers of relays are effective! * it does happen occasionally
     ▸ Self-defence through your own or a trusted bridge is necessary