How to run your code on the dark web (15m version)

Transcript

1. How to run your code on the dark web (and

   why you should)

2. Me. I’m Luke. I’m a web dev. I work on

   Privacy & Security. I click thru slides really fast. Twitter: @groovecoder speakerdeck.com/groovecoder 2

3. How to run your code on the dark web (and

   why you should)

4. How to run your code on the dark web (in

   15 minutes)

5. How to run your code on the dark web and

   why you should

6. How to write your code for the dark web and

   why you should

7. How to write your code for and why you should

8. is a browser

9. is a browser mostly

10. is a browser patched

11. is a browser patched with The Onion Router

12. patched with The Onion Router Why is ?

13. https://www.eff.org/pages/tor-and-https

14. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping

    on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address

15. https://www.eff.org/pages/tor-and-https Location = IP Address

16. protects the user/pw & data from the intermediaries

17. https://www.eff.org/pages/tor-and-https

18. None
19. None
20. None
21. None
22. None

23. IP, DNS, & HTTP threats • Hackers-in-the-middle • ISPs snooping

    on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address

24. How do we protect
 location + destination from intermediaries?

25. is a browser patched with The Onion Router

26. The Onion Router?

27. https://www.torproject.org/about/overview.html.en

28. https://www.torproject.org/about/overview.html.en

29. None
30. None
31. None
32. None
33. None

34. Tor protection from DNS + HTTP internet threats • Hackers-in-the-middle

    • ISPs snooping on customers’ online activity • Governments censoring sites • Corporations scanning web logs for their competitors’ IP addresses • Criminal sites scanning web logs for law enforcement IP address

35. How to write your code for

36. Since Tor routes thru 3 networks …

37. Optimize for latency (You should do this anyway)

38. Minimize number of requests (You should do this anyway)

39. Help the browser with Resource hints (You should do this

    anyway) https://w3c.github.io/resource-hints

40. Good caching

41. Make CDN work with exit nodes

42. Come to to learn more!

43. Yay! Your site is faster for users

44. Oh noes! All your users are hacked!

45. Remember these?

46. https://www.torproject.org/about/overview.html.en

47. Tor Encryption https://jordan-wright.com/blog/2015/02/28/how-tor-works-part-one/

48. Tor Encryption https://jordan-wright.com/blog/2015/02/28/how-tor-works-part-one/ Note: exit nodes can see the Original

    Data

49. hacked

50. hacked hacked hacked hacked

51. exit node threats = Man-in-the-Middle threats • exit node snooping

    on unencrypted data:
 user/password, PII, etc. • Hook browsers with BeEF • Backdoor binaries
52. None

53. protects the location, destination, user/pw, & data from the intermediaries

54. Use HTTPS (OMG you should do this anyway!)

55. https://speakerdeck.com/groovecoder/top-5-security-errors-we-see-from-firefox-and-how-to-fix-them

56. +

57. None
58. None

59. Yay! Your code is faster and more secure for users

60. Oh noes! Your code is broken in

61. is a browser patched

62. is a browser patched ESR

63. None

64. Firefox ESR

65. Make your code work in Firefox ESR (You should do

    this anyway)

66. Make your code work in all browsers! (You should do

    this anyway)

67. Download ESR

68. Firefox Dev Tools!

69. Come to to learn more!

70. Oh noes! Some of your code is still broken in

71. Why is patched ESR

72. Adversary Model guides Implementations

73. Fingerprint

74. Tor Implementation: Cross-Origin Fingerprinting Unlinkability

75. https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/000-tor-browser.js?h=tor-browser-52.2.0esr-7.5-1&id=dda0385cc49240f8bd115476c870d61863741f4c Minimal WebGL No Gamepads Popups open into new tabs

    UTC timezone No device sensors No WebAudio Windows 7

76. To really debug everything …

77. Download Tor !

78. Tor Dev Tools!

79. Oh noes! Some of your code is STILL broken in

80. Come to to learn more!

81. Summary • Optimize for latency • Make it work in

    Firefox (ESR) • (Optional) WITHOUT:
 JavaScript, MathML, SVG, Web Fonts

82. Writing code for makes your code better for everyone!

83. Yay! Your code works* fast* and secure* for users *

    for some definition of “works|fast|secure”

84. Oh noes! YOU are pwned

85. Oh noes! YOU are pwned if YOU were trying to

    stay anonymous

86. Now we’re (finally) to the dark web

87. https://www.bibliotecapleyades.net/sociopolitica/sociopol_internet214.htm

88. https://www.quora.com/What-is-the-deep-dark-web-and-how-do-you-access-it

89. https://www.eff.org/pages/tor-and-https Location = IP Address

90. https://www.eff.org/pages/tor-and-https Location = IP Address

91. None

92. How do you set up ? Site.com

93. https://domain.me/how-domain-names-work/

94. https://domain.me/how-domain-names-work/

95. https://whois.icann.org/en/domain-name-registration-process

96. Not Anonymous

97. Not Anonymous

98. How do you set up anonymously? Site.com

99. You set up Site.onion

100. is a Tor Hidden Service Site.onion

101. a Tor Hidden Service uses a “rendezvous protocol” instead of

     DNS

102. https://www.torproject.org/docs/hidden-services.html.en

103. https://www.torproject.org/docs/hidden-services.html.en

104. https://www.torproject.org/docs/hidden-services.html.en

105. https://www.torproject.org/docs/hidden-services.html.en

106. https://www.torproject.org/docs/hidden-services.html.en

107. https://www.torproject.org/docs/hidden-services.html.en

108. Rendezvous Point

109. But since
 Tor hidden services hop thru 6 nodes …

110. … really, Optimize for latency (You should do this anyway)

111. Optimize for latency • Minimize Requests • Prefer fewer, larger

     asset bundles • Use CSS Sprites for images • Use Data URIs for small images • Use Icon Fonts • Use Resource Hints • Good caching • Allow CDN access from Tor nodes

112. is easy to set up! Site.onion

113. 1. Run a web server 2. Edit your torrc file

     3. Run tor Site.onion
114. None

115. torrc

116. None
117. None
118. None
119. None

120. Yay! Your .onion is working!

121. Oh noes! You are still hacked identified!

122. Come to to learn more! • OnionScan • Anonymous Email

     • EXIF data in images • Server fingerprinting • “Rotten Onions” attacks • (maybe: hacking nazis on the dark web?)

123. Why you should write code for the dark web

124. Writing code for the dark web is fun

125. Writing code for the dark web makes your code better

126. Writing code for the dark web makes your code better

     faster more secure more compatible

127. Writing code for the dark web makes your code better

     think

128. Writing code for the dark web makes your code better

     about your privacy think

129. Writing code for the dark web makes your code better

     about your privacy think others’

130. http://www.slate.com/articles/technology/future_tense/2017/07/women_young_people_experience_the_chilling_effects_of_surveillance_at_higher.html

131. –Trisha Salas @ Thunder Plains 2016 “I want to try

     Tor … but I heard it puts you on some kind of list … and I plan to travel soon.”

132. –me “I have done many weird things with/on Tor and

     I’ve had no problems traveling.”

133. Download Tor !

134. Set up a hidden service

135. “Privacy by Design” https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/

136. Privacy Guidelines for Designing Personalization https://www.smashingmagazine.com/2016/03/privacy-for-personalization/

137. Come to to learn more! speakerdeck.com/groovecoder Twitter: @groovecoder