setting up
.onion addresses
…for your website enterprise

v3.5 - @alecmuffett 2018
hi!
BBC Radio 4, circa 2012
<cyber type="ominous"/>
"awesome!"
"dark net" not as scary as advertised
<years n=2/>
Setting Up .Onion Addresses for your Enterprise, v3.5
<years n=2/>
<downshift/>
<bored/>
why .onion?
• you have a community, or you have an audience

• for some, ability to access content is hampered

• for some, risk of fake websites, credential theft, or political repercussions for accessing content

• for some, privacy, assurance & trust is paramount
social value of .onion?
• greater assurance

• facebookcorewwwi.onion => genuine facebook

• greater availability & privacy

• .onion => hard to block/surveil (if sometimes a little flaky)

• fewer digital footprints
• people using onions are perforce using tor browser

• tor browser is generally better at data "hygiene"
tech value of .onion?
<see second half of presentation>
desktop? mobile? both?
• Mac / Win / Linux
• tor browser (integrated tor + custom-tuned firefox)

• Android
• orbot (tor) + orfox (browser)

• iOS
• onion browser (integrated)
• other iOS in progress
what is .onion?
"the top level domain name for the onion namespace"
what is a namespace?
• namespace is "an address + what it means/looks like"

• ipv4 addresses look like: 192.168.1.1

• ipv6 addresses look like: fe80::226:21ff:fed8:fbc2

• dns addresses look like: www.foo.com

• onion addresses look like: ylzpg2givhwizoep.onion
how do addresses work?
• all these addresses can be typed into a web browser:

• http://192.168.1.1/ - ipv4, supported everywhere

• http://[fe80::226:21ff:fed8:fbc2]/ - ipv6, variable

• http://www.foo.com/ - dns, supported everywhere

• http://ylzpu2givhwizoep.onion/ - needs a Tor browser

• …they all connect you to a remote computer
how is .onion unusual?
• "under the bonnet", an onion is a raw network address

• …just like 192.168.1.1 or fe80::226:21ff:fed8:fbc2

• but: formatted like a traditional dns domain name

• ".onion" looks like ".com" or ".co.uk"

• this means browsers treat the addresses equitably

• including subdomains: www.facebookcorewwwi.onion
“subdomains” on a network address?!?
• yes! this would never work with ipv4 …

• www.192.168.1.1 would not mean anything sensible

• but www.facebookcorewwwi.onion is meaningful to HTTP

• …still means facebookcorewwwi.onion

• …the "www." bit is transported in the Host: header

• thus: standard HTTP/HTML/browser behaviour
how do you choose addresses?
• ipv4 addresses: you take what you are given (eg: DHCP)

• ipv6 addresses: ditto (mostly)
• dns addresses: you choose a name, & register it
• …unless someone beats you to it…

• onion addresses: get a random one, or else "mine" one

• more mining => "better quality"
howto: arbitrary traffic?
Server: /etc/tor/torrc
HiddenServiceDir /var/lib/tor/onion-1
# => random onion address in "hostname" file
HiddenServicePort 22 127.0.0.1:22
# 22 => software-defined listening port number (the port clients see);
#       127.0.0.1:22 => where tor hands the traffic to locally

Client: ~/.ssh/config
Host my-onion
HostName xxxxxxxxxxxxxxxx.onion
ProxyCommand nc -x localhost:9150 %h %p
# 9150 => builtin SOCKS5 in local TorBrowser
howto: password-protect onion network interfaces?
Server: /etc/tor/torrc
…yields: the following hostname file
how to serve .onion websites? 3 options…
1. dedicated server
• you have a dedicated web server, and it…

• is configured to know about its onion address

• essentially runs as a standalone service

• perhaps serves duplicate content?
2. onion-aware CMS
• you have a web server, and it…

• serves content to .com, .co.uk, .in, …

• why not just add yet another domain name?

• tag requests arriving from .onion reverse proxy

• ensure that tagged requests are consistently responded-to, citing only your onion address(es)
3. onion shim
• you have a web server, and it…

• primarily serves content as (say) nytimes.com

• install a shim between it and the tor reverse proxy…

• shim bidirectionally rewrites requests & responses

• nytimes.com <=> nytimes3xbfgragh.onion
• custom engineering, or EOTK / Enterprise Onion Toolkit: open-source shim for enterprise onions
examples (or: implement a blend…)
1. dedicated onion server (eg: various SecureDrop sites)
• use-case dependent, probably involves anonymity

2. onion-aware CMS (eg: Facebook)
• excellent for primarily-dynamically-generated content

• modest engineering, ongoing commitment, can be 100% solution

3. onion shim EOTK (eg: NYT)
• onionifies all content, including static or static/dynamic mix

• minimal/zero engineering, some edge cases, 95..99%+ solution
implementation tips
• don't forget to onionify your CDNs where possible

• try to avoid content-leakage between domains

• accidentally wandering-off to the cleartext/.com site

• e.g. OAuth redirects, tracker embeds…

• use horizontal load-balancing for scale

• free solution: OnionBalance (EOTK supports)

• onions (even via shim) are generally faster for Tor
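The shim of option 3 and the content-leakage tip above, as an added example (this is illustrative code, not EOTK's): a minimal bidirectional rewriter for the deck's nytimes.com <=> nytimes3xbfgragh.onion pair, plus a check for clearnet hosts that survive rewriting. The sample HTML and the CDN and SSO hostnames in it are constructed.

```python
import re

# Constructed mapping for this example; the deck's pair is nytimes.com <=> nytimes3xbfgragh.onion.
DOMAIN_MAP = {"nytimes.com": "nytimes3xbfgragh.onion"}

# Constructed HTML as the upstream .com origin might return it (third-party hosts are made up).
SAMPLE_BODY = (
    '<a href="https://www.nytimes.com/section">news</a>\n'
    '<img src="https://static.example-cdn.net/logo.png">\n'
    '<script src="//cdn.nytimes.com/app.js"></script>\n'
    '<a href="https://auth.example-sso.net/oauth?redirect_uri='
    'https://www.nytimes.com/cb">login</a>\n'
)


def _host_pattern(mapping):
    # optional subdomain labels (group 1), then one mapped domain (group 2),
    # not glued to the inside of a longer hostname on either side
    alts = "|".join(re.escape(d) for d in sorted(mapping, key=len, reverse=True))
    return re.compile(
        r"(?<![A-Za-z0-9-])((?:[A-Za-z0-9-]+\.)*)(" + alts + r")(?![A-Za-z0-9-]|\.[A-Za-z0-9])",
        re.IGNORECASE,
    )


def map_host(host, mapping):
    """www.nytimes.com -> www.nytimes3xbfgragh.onion: the subdomain is carried over,
    because www.<onion> still means <onion> and 'www.' rides in the Host: header.
    Returns None for hosts outside the mapping so callers leave them alone."""
    name, _, port = host.strip().lower().partition(":")
    m = _host_pattern(mapping).fullmatch(name)
    if not m:
        return None
    mapped = m.group(1) + mapping[m.group(2).lower()]
    return f"{mapped}:{port}" if port else mapped


def rewrite_text(text, mapping):
    """Replace every mapped hostname wherever it appears (URLs, cookie Domain=,
    Location headers, inline JS), keeping any subdomain prefix."""
    pat = _host_pattern(mapping)
    return pat.sub(lambda m: m.group(1) + mapping[m.group(2).lower()], text)


def shim_request(headers, domain_map):
    """Request direction (browser -> tor -> shim -> origin): translate onion names
    back to the clearnet names the origin expects."""
    inverse = {v: k for k, v in domain_map.items()}
    out = dict(headers)
    if "Host" in out:
        out["Host"] = map_host(out["Host"], inverse) or out["Host"]
    for h in ("Referer", "Origin"):
        if h in out:
            out[h] = rewrite_text(out[h], inverse)
    return out


def shim_response(headers, body, domain_map):
    """Response direction (origin -> shim -> tor -> browser): every header value and
    the body are rewritten so redirects, cookies and embeds stay on the onion."""
    return ({k: rewrite_text(v, domain_map) for k, v in headers.items()},
            rewrite_text(body, domain_map))


_URL_HOST = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)", re.IGNORECASE)


def find_clearnet_hosts(body):
    """Leak check: hosts the rewritten page still references that are not .onion.
    Each one is a place a Tor user 'wanders off' to cleartext (CDNs, SSO, trackers)
    and is a candidate for onionifying or removal."""
    return sorted({h.lower() for h in _URL_HOST.findall(body)
                   if not h.lower().endswith(".onion")})


if __name__ == "__main__":
    hdrs, out = shim_response({"Location": "https://www.nytimes.com/login"}, SAMPLE_BODY, DOMAIN_MAP)
    print(hdrs["Location"])
    print(out)
    print("still leaks to:", find_clearnet_hosts(out))
```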
nits
• you will almost certainly need to buy a special HTTPS cert

• cost: probably from mid $$$ to low $$$$
• plus: associated paperwork & faff

• if you take payments / subscriptions?

• you may want to restrict access to payments over tor?

• payment providers often block tor, this can sometimes lead to poor user experiences…
TECH?
Onion Networking as a Layer-3 Network
How IP→Ethernet Works
• Server: publishes mapping of IP to MAC address

• Gratuitous ARP → populate ARP tables
• Client: resolves mapping of IP to MAC address

• Checks local ARP table (or makes ARP query)

• Client: issues Ethernet frames to MAC address

• Frames transport packets yielding TCP connections
How Onion→IP Works
• Server: publishes mapping of Onion to IP address

• Descriptor Publication → populate HSDir DHT Ring

• Client: resolves mapping of Onion to IP address

• Checks HSDir DHT Ring (source of truth)

• Client: issues TCP connection to Tor relay

• Connections transport Tor cells yielding Tor circuits
Important Takeaways
1) TCP/IP is the L2 "data-link layer" of Onionspace
#  OSI Name      Internet            Onion
7  Application   https, ssh, etc…    https, ssh, etc…
6  Presentation  socket*             socks5 proxy
5  Session       tcp/udp socket*     tcp socket via socks5
4  Transport     tcp/udp protocol    tcp circuit
3  Network       packet to IP addr   cell to Onion addr
2  Data Link     frames/MAC/LLC      cells over tcp
1  Physical      bit                 bit
2) Onionspace is flat
Onion-flattyness
• NAT/Firewalls are not an issue
• Connections pretend to be direct, local-network TCP.

• Services & Ports are published, not ad-hoc/promiscuous

• Onionspace port-scanning is restricted to services and ports which are published by the owners:

• HiddenServicePort 44422 localhost:22

• "consent-based networking", cf: NSAPs in X.25 ?
(2018 - 1994) + 13 = 37
Returning to the disintermediated end-to-end Internet
3) Onionspace is circuit-switched
Circuit-switchyness
• Long-term circuits between client/server are established

• Traffic tunnels over circuits

• A bit like X.25 Networking
• sometimes circuits break

• but then, so does TCP (i.e.: RST)

• Circuits may carry multiple TCP/IP streams, be reused

• Presentation: as a SOCKS5 relay
4) Rendezvous, not Client-Server
1 server sets up introduction point
2 server publishes descriptor
3 client looks-up descriptor / intro-point
4a client sets up rendez-point
4b client tells server "meet me at rendez-point"
5 data exchanged via circuit via rendez
"Rendezvous", a safer "Client-Server"
[diagram: Server and Client each behind their own firewall; HSDir DHT Ring, Introduction Point and Rendezvous Point inside the Tor "Cloud"; arrows labelled 1, 2, 3, 4a, 4b, 5 as in the steps above]
nb: all connections established "outbound" through the firewall(s); server can live in "enclave"
"Rendezvous" at L7?
• All this is hidden behind SOCKS5 for app presentation

• Your app thinks that it is talking to a TCP/IP stream
• Truth = more complex
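The steps 1 to 5 above as a runnable model (an added example, not Tor's code): it drops all cryptography and cell formats but keeps who publishes what, who looks it up, the direction of every connection, and the HiddenServicePort consent rule from the "Onion-flattyness" slide. Relay names, the cookie and the torrc text are constructed.

```python
import secrets


def parse_hidden_service_ports(torrc):
    """{virtual_port: target} from HiddenServicePort lines (real torrc syntax;
    a missing target means the same port on 127.0.0.1)."""
    ports = {}
    for line in torrc.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "HiddenServicePort":
            virt = int(fields[1])
            ports[virt] = fields[2] if len(fields) > 2 else f"127.0.0.1:{virt}"
    return ports


class Relay:
    """An ordinary Tor relay acting as introduction or rendezvous point. It never
    dials anyone; it only records who opened a circuit to it (constructed model)."""

    def __init__(self, name, log):
        self.name, self.log, self.handlers = name, log, {}

    def accept(self, who):
        self.log.append((who, self.name))  # direction: who -> relay, outbound from who


class OnionService:
    def __init__(self, onion, torrc):
        self.onion = onion
        self.ports = parse_hidden_service_ports(torrc)

    def start(self, intro, hsdir):
        intro.accept(self.onion)                    # 1: outbound circuit to introduction point
        intro.handlers[self.onion] = self.on_introduce
        hsdir[self.onion] = {"intro_point": intro}  # 2: publish descriptor to the HSDir DHT ring

    def on_introduce(self, rendezvous, cookie):
        rendezvous.accept(self.onion)               # 5a: outbound circuit to the rendez-point
        rendezvous.handlers[cookie] = self.open_stream

    def open_stream(self, virtport):
        # consent-based networking: only ports published with HiddenServicePort are
        # reachable, so an Onionspace "port scan" sees exactly what the owner listed
        if virtport not in self.ports:
            raise ConnectionRefusedError(f"{self.onion}:{virtport} is not published")
        return self.ports[virtport]


def client_connect(onion, virtport, hsdir, rendezvous):
    desc = hsdir.get(onion)                         # 3: look up descriptor / intro point
    if desc is None:
        raise LookupError(f"no descriptor for {onion}")
    rendezvous.accept("client")                     # 4a: client picks and opens a rendez-point
    cookie = secrets.token_hex(8)
    intro = desc["intro_point"]
    intro.accept("client")                          # 4b: "meet me at rendez-point", via intro
    intro.handlers[onion](rendezvous, cookie)       #     (the intro point relays the message)
    return rendezvous.handlers[cookie](virtport)    # 5b: data flows over the joined circuits


def demo(virtport=44422):
    """Run the exchange for the slide's 'HiddenServicePort 44422 localhost:22' and
    return (target reached, connection log). Names are constructed."""
    log = []
    intro, rendezvous = Relay("intro-point", log), Relay("rendezvous-point", log)
    hsdir = {}
    torrc = "HiddenServiceDir /var/lib/tor/onion-1\nHiddenServicePort 44422 localhost:22\n"
    service = OnionService("xxxxxxxxxxxxxxxx.onion", torrc)
    service.start(intro, hsdir)
    target = client_connect("xxxxxxxxxxxxxxxx.onion", virtport, hsdir, rendezvous)
    return target, log


def port_is_reachable(virtport):
    """True if the published port map lets a client reach virtport."""
    try:
        demo(virtport)
        return True
    except ConnectionRefusedError:
        return False


if __name__ == "__main__":
    target, log = demo()
    print("reached", target)
    for who, relay in log:
        print(f"{who} -> {relay}")   # every arrow points at a relay, never at client or server
```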
5) Introduction points have redundancy, transience and migrate globally, leading to…
high-availabilityness (H/A)
• DDoS Resistance
• Harder to hit a moving target, key resources "at 1+ remove"

• Built-in "GSLB" (global server load balancing)

• You have little control of where Introduction, or Rendezvous Points are created, but they are distributed globally
• Servers can be replicated globally, too; flatness = simpler

• "DNSRR" equivalent (DNS Round Robin)

• "OnionBalance" enables recombination of descriptors, shares load over servers like DSR (direct server return); or full H/A replicas
6) self-authentication
self-authenticatingness
• Onion addresses are literally cryptographically-trustable layer-3 network addresses

• If you type the address correctly, you are guaranteed to be communicating with someone who has the private key

• Built-in IPsec ESP and AH

• No PSK hassle

• No CA hassle

• No revocation, no X.509, no OpenSSL, no faff…
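What "type the address correctly" buys you, as an added example (not from the deck): a parser that checks what a .onion address binds to. The deck's addresses (facebookcorewwwi.onion) are v2, the first 80 bits of the SHA-1 of the RSA public key; the newer v3 format, not on the slides, additionally embeds the full Ed25519 public key plus a checksum, so a client can reject a mistyped address before it ever connects. The sample key below is constructed.

```python
import base64
import hashlib

# v3 onion address layout (Tor rend-spec-v3, section 6):
#   address  = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"   (56 base32 chars)
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   PUBKEY   = 32-byte Ed25519 public key, VERSION = 0x03
# v2 addresses are 16 base32 chars: the first 80 bits of SHA-1 over the RSA-1024
# public key. They bind the key too, but carry nothing an offline parser can verify.
CHECKSUM_PREFIX = b".onion checksum"
V3_VERSION = b"\x03"


def v3_checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + V3_VERSION).digest()[:2]


def encode_v3_address(pubkey: bytes) -> str:
    """Derive the v3 .onion address bound to an Ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def onion_label(address: str) -> str:
    """Extract the onion label from a URL or hostname. Subdomains are dropped:
    www.<label>.onion still names <label>.onion (the 'www.' travels in Host:)."""
    host = address.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0].rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError(f"not a .onion address: {address!r}")
    return labels[-2]


def parse_onion_address(address: str):
    """Return ("v2", label) for a 16-char address (no offline check possible), or
    ("v3", pubkey) for a 56-char address whose checksum and version are valid.
    Raise ValueError for anything malformed or mistyped."""
    label = onion_label(address)
    if len(label) == 16:
        try:
            base64.b32decode(label.upper())
        except Exception as exc:
            raise ValueError("v2 label is not valid base32") from exc
        return ("v2", label)
    if len(label) != 56:
        raise ValueError("onion label must be 16 (v2) or 56 (v3) characters")
    try:
        raw = base64.b32decode(label.upper())
    except Exception as exc:
        raise ValueError("v3 label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError(f"unsupported onion address version {version.hex()}")
    if checksum != v3_checksum(pubkey):
        # a single mistyped character lands here: the address no longer matches its key
        raise ValueError("checksum mismatch: mistyped or tampered address")
    return ("v3", pubkey)


def is_valid_onion_address(address: str) -> bool:
    try:
        parse_onion_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_key = bytes(range(32))          # constructed stand-in for an Ed25519 public key
    addr = encode_v3_address(sample_key)
    print(addr, parse_onion_address("http://www." + addr + "/")[0])
    print(is_valid_onion_address("b" + addr[1:]))   # one wrong character: False
```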
7) …and finally…
BGP-Hijack Resistance
• Tor is an over-the-top meta-network

• It doesn't much care what's happening at the IP layer
If you remember one thing:
• Tor "treats censorship as damage, and routes around it"

• literally its raison d'être…

• …with all these hostile actors it's actually pretty good at (eventually) routing around damage of any kind.

• Wasn't the Internet supposed to do this anyway?

• Maybe we just got too used to reliable networks?
The Downsides?
Downside 1: latency, lag, circuit drops
"good enough for the right kinds of workload"
Four Major Types Of Established Tor Connection
[diagram; hops to the left of the Exit / Rendezvous are chosen by the client, hops to the right by the server]
• Browsing Normal Web Over Tor: TorBrowser – Guard – Middle – Exit – Website
• Browsing Onion Site Over Tor: TorBrowser – Guard – Middle – Rendezvous – Middle2 – Middle1 – Guard – Onion
• Browsing Onion Site From Normal Client Using Tor2web (bad idea): Browser – http ("Protected only by HTTPS, if that...") – Tor2web – single hop – Rendezvous – Middle2 – Middle1 – Guard – Onion
• Browsing Single-Hop Onion Site (Facebook, NYT, …): TorBrowser – Guard – Middle – Rendezvous – single hop – Onion
nb: TorBrowser is simply a normal browser with embedded Tor software
nb: Onion site is simply a normal website with bonded Tor software
Tor as Web CDN: Normal vs Onion
[diagram; hops to the left of the Exit / Rendezvous are chosen by the client, hops to the right by the server]
• CDN Normal Web Over Tor: TorBrowser – Guard – Middle – Exit – (X) – Website
• CDN Single-Hop Onion Site: TorBrowser – Guard – Middle – (Y) – Rendezvous – Onion (shim / revproxy) – (Z) – Website
• X: exit node to webserver → congestion
• Y: onion to rendezvous
• Z: link to webserver (shim / revproxy) → fast
• Generally: (Y+Z) < X (less is better)
Downside 2: Learning New Stuff
• Tor is not TCP/IP (but feels similar)

• Tor is not an in-kernel network

• userspace daemons

• config files, not ifconfig

• Tor is evolving

• Just like TCP/IP was in 1992
Example: Wikipedia
entire config file: [screenshot of the eotk config file]
resulting tor config [screenshot]
resulting nginx config [screenshot]
experiment works!
then: DoS Attack! <code/>
fixed (enough)
Wikipedia Experiment
• Why?

• Short-term test to prove the concept

• Cheap, low resource-usage, borrowed hardware

• Was DoS'd by <some asshole with bots>

• Sustained few-hundreds of hits per second

• Hardly noticeable impact on single quad-core server
video: performance test
tip: long video, questions welcome…
onion Tor vs: plain Tor
for deck PDF, twitter search: from:alecmuffett "nluug slides"
...will be posted later today

Más contenido relacionado

La actualidad más candente

CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkChristopher Grayson
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Dmk blackops2006 ccc
Dmk blackops2006 cccDmk blackops2006 ccc
Dmk blackops2006 cccDan Kaminsky
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege EscalationSunny Neo
 
Using Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should KnowUsing Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should KnowNovell
 
CNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing TrafficCNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing TrafficSam Bowne
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon emailantitree
 
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Dan Kaminsky
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI MattersAPNIC
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesSam Bowne
 

La actualidad más candente (20)

CableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home NetworkCableTap - Wirelessly Tapping Your Home Network
CableTap - Wirelessly Tapping Your Home Network
 
Grey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache PoisoningGrey H@t - DNS Cache Poisoning
Grey H@t - DNS Cache Poisoning
 
BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet BlueHat v17 || Disrupting the Mirai Botnet
BlueHat v17 || Disrupting the Mirai Botnet
 
Dmk bo2 k8_bh_fed
Dmk bo2 k8_bh_fedDmk bo2 k8_bh_fed
Dmk bo2 k8_bh_fed
 
Dmk blackops2006
Dmk blackops2006Dmk blackops2006
Dmk blackops2006
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Dmk blackops2006 ccc
Dmk blackops2006 cccDmk blackops2006 ccc
Dmk blackops2006 ccc
 
Confidence web
Confidence webConfidence web
Confidence web
 
Dmk bo2 k8
Dmk bo2 k8Dmk bo2 k8
Dmk bo2 k8
 
DNS Cache White Paper
DNS Cache White PaperDNS Cache White Paper
DNS Cache White Paper
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
 
Using Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should KnowUsing Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should Know
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
CNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing TrafficCNIT 124: Ch 7: Capturing Traffic
CNIT 124: Ch 7: Capturing Traffic
 
I See You
I See YouI See You
I See You
 
Reinventing anon email
Reinventing anon emailReinventing anon email
Reinventing anon email
 
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)Black Ops of TCP/IP 2011 (Black Hat USA 2011)
Black Ops of TCP/IP 2011 (Black Hat USA 2011)
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network SignaturesPractical Malware Analysis Ch 14: Malware-Focused Network Signatures
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
 

Similar a Setting Up .Onion Addresses for your Enterprise, v3.5

Setting-up a .Onion address for your Website, v1.5
Setting-up a .Onion address for your Website, v1.5Setting-up a .Onion address for your Website, v1.5
Setting-up a .Onion address for your Website, v1.5Alec Muffett
 
Network security basics
Network security basicsNetwork security basics
Network security basicsSkillspire LLC
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOHAPNIC
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
Meek and domain fronting public
Meek and domain fronting publicMeek and domain fronting public
Meek and domain fronting publicantitree
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Webroyans
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014Leonardo Nve Egea
 
Introduction to Computer Networking
Introduction to Computer NetworkingIntroduction to Computer Networking
Introduction to Computer NetworkingAmit Saha
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network SecurityUC San Diego
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
Basic computers for DIU laptop project students
Basic computers for DIU laptop project studentsBasic computers for DIU laptop project students
Basic computers for DIU laptop project studentsAlauddin Azad
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...Felipe Prado
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)Balazs Bucsay
 

Similar a Setting Up .Onion Addresses for your Enterprise, v3.5 (20)

Setting-up a .Onion address for your Website, v1.5
Setting-up a .Onion address for your Website, v1.5Setting-up a .Onion address for your Website, v1.5
Setting-up a .Onion address for your Website, v1.5
 
Network security basics
Network security basicsNetwork security basics
Network security basics
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
NZNOG 2020: DOH
NZNOG 2020: DOHNZNOG 2020: DOH
NZNOG 2020: DOH
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Meek and domain fronting public
Meek and domain fronting publicMeek and domain fronting public
Meek and domain fronting public
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Web
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
 
Introduction to Computer Networking
Introduction to Computer NetworkingIntroduction to Computer Networking
Introduction to Computer Networking
 
Part 6 : Internet applications
Part 6 : Internet applicationsPart 6 : Internet applications
Part 6 : Internet applications
 
Workshop on Network Security
Workshop on Network SecurityWorkshop on Network Security
Workshop on Network Security
 
P2P Lecture.ppt
P2P Lecture.pptP2P Lecture.ppt
P2P Lecture.ppt
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The Things
 
Basic computers for DIU laptop project students
Basic computers for DIU laptop project studentsBasic computers for DIU laptop project students
Basic computers for DIU laptop project students
 
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
DEF CON 27 - ORANGE TSAI and MEH CHANG - infiltrating corporate intranet like...
 
Distributed "Web Scale" Systems
Distributed "Web Scale" SystemsDistributed "Web Scale" Systems
Distributed "Web Scale" Systems
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
 
Burp suite
Burp suiteBurp suite
Burp suite
 

Más de Alec Muffett

How To Think Clearly About Cybersecurity v2
How To Think Clearly About Cybersecurity v2How To Think Clearly About Cybersecurity v2
How To Think Clearly About Cybersecurity v2Alec Muffett
 
Sex, Lies & Instant Messenger v3
Sex, Lies & Instant Messenger v3Sex, Lies & Instant Messenger v3
Sex, Lies & Instant Messenger v3Alec Muffett
 
You and Your Phone are Huge Threats to the Net
You and Your Phone are Huge Threats to the NetYou and Your Phone are Huge Threats to the Net
You and Your Phone are Huge Threats to the NetAlec Muffett
 
Sex, Lies and Instant Messenger v2
Sex, Lies and Instant Messenger v2Sex, Lies and Instant Messenger v2
Sex, Lies and Instant Messenger v2Alec Muffett
 
How To Think Clearly About Cybersecurity v1
How To Think Clearly About Cybersecurity v1How To Think Clearly About Cybersecurity v1
How To Think Clearly About Cybersecurity v1Alec Muffett
 
Sex, Lies and Instant Messenger v1
Sex, Lies and Instant Messenger v1Sex, Lies and Instant Messenger v1
Sex, Lies and Instant Messenger v1Alec Muffett
 

Más de Alec Muffett (6)

How To Think Clearly About Cybersecurity v2
How To Think Clearly About Cybersecurity v2How To Think Clearly About Cybersecurity v2
How To Think Clearly About Cybersecurity v2
 
Sex, Lies & Instant Messenger v3
Sex, Lies & Instant Messenger v3Sex, Lies & Instant Messenger v3
Sex, Lies & Instant Messenger v3
 
You and Your Phone are Huge Threats to the Net
You and Your Phone are Huge Threats to the NetYou and Your Phone are Huge Threats to the Net
You and Your Phone are Huge Threats to the Net
 
Sex, Lies and Instant Messenger v2
Sex, Lies and Instant Messenger v2Sex, Lies and Instant Messenger v2
Sex, Lies and Instant Messenger v2
 
How To Think Clearly About Cybersecurity v1
How To Think Clearly About Cybersecurity v1How To Think Clearly About Cybersecurity v1
How To Think Clearly About Cybersecurity v1
 
Sex, Lies and Instant Messenger v1
Sex, Lies and Instant Messenger v1Sex, Lies and Instant Messenger v1
Sex, Lies and Instant Messenger v1
 

Último

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 

Último (20)

AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 

Setting Up .Onion Addresses for your Enterprise, v3.5

  • 1. setting up .onion addresses …for your website enterprise v3.5 - @alecmuffett 2018
  • 2. hi!
  • 3. BBC Radio 4, circa 2012 <cyber type="ominous"/>
  • 5. "dark net" not as scary as advertised
  • 13. why .onion? • you have a community, or you have an audience • for some, ability to access content is hampered • for some, risk of fake websites, credential theft, or political repercussions for accessing content • for some, privacy, assurance & trust is paramount
  • 14. social value of .onion? • greater assurance • facebookcorewwwi.onion => genuine facebook • greater availability & privacy • .onion => hard to block/surveil (if sometimes a little flaky) • fewer digital footprints • people using onions are perforce using tor browser • tor browser is generally better at data "hygiene"
  • 15. tech value of .onion? <see second half of presentation>
  • 16. desktop? mobile? both? • Mac / Win / Linux • tor browser (integrated tor + custom-tuned firefox) • Android • orbot (tor) + orfox (browser) • iOS • onion browser (integrated) • other iOS in progress
  • 18. what is .onion? "the top level domain name for the onion namespace" (reserved as a special-use name by RFC 7686: it is never delegated in the DNS, and resolvers are expected to refuse to look it up)
  • 19. what is a namespace? • namespace is "an address + what it means/looks like" • ipv4 addresses look like: 192.168.1.1 • ipv6 addresses look like: fe80::226:21ff:fed8:fbc2 • dns addresses look like: www.foo.com • onion addresses look like: ylzpg2givhwizoep.onion
  • 20. how do addresses work? • all these addresses can be typed into a web browser: • http://192.168.1.1/- ipv4, supported everywhere • http://[fe80::226:21ff:fed8:fbc2]/ - ipv6, variable • http://www.foo.com/ - dns, supported everywhere • http://ylzpu2givhwizoep.onion/ - needs a Tor browser • …they all connect you to a remote computer
  • 21. how is .onion unusual? • "under the bonnet", an onion is a raw network address • …just like 192.168.1.1 or fe80::226:21ff:fed8:fbc2 • but: formatted like a traditional dns domain name • ".onion" looks like ".com" or ".co.uk" • this means browsers treat the addresses equitably • including subdomains: www.facebookcorewwwi.onion
  • 22. “subdomains” on a network address?!? • yes! this would never work with ipv4 … • www.192.168.1.1 would not mean anything sensible • but www.facebookcorewwwi.onion is meaningful to HTTP • …still means facebookcorewwwi.onion • …the "www." bit is transported in the Host: header • thus: standard HTTP/HTML/browser behaviour
  • 23. how do you choose addresses? • ipv4 addresses: you take what you are given (eg: DHCP) • ipv6 addresses: ditto (mostly) • dns addresses: you choose a name, & register it • …unless someone beats you to it… • onion addresses: get a random one, or else "mine" one • more mining => "better quality"
  • 24. howto: arbitrary traffic?

  Server: /etc/tor/torrc

      HiddenServiceDir /var/lib/tor/onion-1
      # => random onion address in "hostname" file
      HiddenServicePort 22 127.0.0.1:22
      # 22 => software-defined listening port number (the port clients see on the onion)

  Client: ~/.ssh/config

      Host my-onion
          HostName xxxxxxxxxxxxxxxx.onion
          ProxyCommand nc -x localhost:9150 %h %p
          # 9150 => builtin SOCKS5 in local TorBrowser (a system tor daemon listens on 9050)
          # nc here is OpenBSD netcat (-x = SOCKS proxy); GNU/traditional nc has no -x
  • 25. howto: password-protect onion network interfaces? Server: /etc/tor/torrc …yields: the following hostname file
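The deck's configuration for this slide did not survive extraction. In 2018 this was done with v2's HiddenServiceAuthorizeClient, but v2 onions were removed from Tor in 2021, so the added example below (not code from the deck or from tor) shows the v3 equivalent: an x25519 key pair per authorized client, written in the two file formats tor reads. The x25519 arithmetic is a from-scratch RFC 7748 ladder so the example runs without third-party packages; the onion address passed in is assumed to come from your HiddenServiceDir's "hostname" file, and the client name "alice" is illustrative.

```python
import base64
import secrets
from typing import Dict, Optional

# Added example, not code from the deck or from tor: produces the two files
# tor uses for v3 client authorization. With these in place tor encrypts the
# service descriptor to the listed clients, so unauthorized clients cannot
# even learn the introduction points, let alone connect.

P = 2**255 - 19          # field prime for Curve25519
A24 = 121665             # (A - 2) / 4 for A = 486662
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(bytes(k), "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """RFC 7748 X25519: scalar * u on the Montgomery curve, 32-byte output.
    Illustrative only: the swaps below are data-dependent, so this is not
    constant-time; use it to understand the file format, not in production."""
    k = _clamp(scalar)
    u = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_public(private: bytes) -> bytes:
    return x25519(private, BASEPOINT)


def _b32(raw: bytes) -> str:
    # tor wants unpadded base32 in these files (it accepts either case)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def client_auth_files(onion_address: str, name: str = "alice",
                      private: Optional[bytes] = None) -> Dict[str, str]:
    """Return {relative path: content} for one authorized client.

    Server side: <HiddenServiceDir>/authorized_clients/<name>.auth
    Client side: <ClientOnionAuthDir>/<name>.auth_private
                 (plus 'ClientOnionAuthDir <dir>' in the client's torrc)
    """
    addr = onion_address.strip().lower()
    if addr.endswith(".onion"):
        addr = addr[:-6]
    if len(addr) != 56:
        raise ValueError("client auth needs a v3 (56-char) onion address")
    if private is None:
        private = secrets.token_bytes(32)   # raw key; tor clamps on use, per RFC 7748
    public = x25519_public(private)
    return {
        f"authorized_clients/{name}.auth": f"descriptor:x25519:{_b32(public)}",
        f"{name}.auth_private": f"{addr}:descriptor:x25519:{_b32(private)}",
    }
```

Drop the .auth file into the service's authorized_clients directory and reload tor; the .auth_private file goes to the client's ClientOnionAuthDir, or, for Tor Browser, its private-key string is pasted into the prompt the browser shows when it meets a client-auth onion. Keep the private half off the server: the server only ever needs the public key.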
  • 26. how to serve .onion websites? 3 options…
  • 27. 1. dedicated server • you have a dedicated web server, and it… • is configured to know about its onion address • essentially runs as a standalone service • perhaps serves duplicate content ?
  • 28. 2. onion-aware CMS • you have a web server, and it… • serves content to .com, .co.uk, .in, … • why not just add yet another domain name? • tag requests arriving from .onion reverse proxy • ensure that tagged requests are consistently responded-to, citing only your onion address(es)
  • 29. 3. onion shim • you have a web server, and it… • primarily serves content as (say) nytimes.com • install a shim between it and the tor reverse proxy… • shim bidirectionally rewrites requests & responses • nytimes.com <=> nytimes3xbfgragh.onion • custom engineering, or EOTK / Enterprise Onion Toolkit, open-source shim for enterprise onions
  • 30. examples (or: implement a blend…) 1. dedicated onion server (eg: various SecureDrop sites) • use-case dependent, probably involves anonymity 2. onion-aware CMS (eg: Facebook) • excellent for primarily-dynamically-generated content • modest engineering, ongoing commitment, can be 100% solution 3. onion shim EOTK (eg: NYT) • onionifies all content, including static or static/dynamic mix • minimal/zero engineering, some edge cases, 95..99%+ solution
  • 31. implementation tips • don't forget to onionify your CDNs where possible • try to avoid content-leakage between domains • accidentally wandering-off to the cleartext/.com site • e.g. OAuth redirects, tracker embeds… • use horizontal load-balancing for scale • free solution: OnionBalance (EOTK supports) • onions (even via shim) are generally faster for Tor
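The shim of slides 29-30 and the content-leakage tip above, as an added example that is not EOTK's code: the request direction maps the Host header the onion sees back to the clearnet name (carrying the "www." subdomain across, which is why slide 22's subdomains work), the response direction rewrites hostnames in the body and in the Location and Set-Cookie headers, and a leak check lists whatever still points at the clearnet. The hostname map is illustrative; nytimes3xbfgragh.onion is the (v2) address named on the slide, and the sample response is constructed, not captured.

```python
import re
from typing import Dict, List, Tuple

# Added example, not EOTK's code: the two directions of an "onion shim" as
# plain functions, plus the leak check from the implementation tips.

CLEAR_TO_ONION: Dict[str, str] = {
    "nytimes.com": "nytimes3xbfgragh.onion",   # mapping from the slide
}
ONION_TO_CLEAR: Dict[str, str] = {v: k for k, v in CLEAR_TO_ONION.items()}

URL_HOST = re.compile(r"https?://([\w.-]+)", re.I)


def rewrite_inbound_host(host: str) -> str:
    """Request side: Host header the onion sees -> name the origin expects.
    Any subdomain prefix is carried across unchanged."""
    h = host.lower().split(":")[0]
    for onion, clear in ONION_TO_CLEAR.items():
        if h == onion:
            return clear
        if h.endswith("." + onion):
            return h[: -len(onion)] + clear
    raise KeyError(f"not one of our onions: {host}")


def rewrite_outbound_text(text: str) -> str:
    """Response side: every whole-hostname occurrence of a clearnet name
    (with any subdomain prefix) becomes its onion twin."""
    for clear, onion in CLEAR_TO_ONION.items():
        pattern = r"(?<![\w-])((?:[\w-]+\.)*)" + re.escape(clear) + r"(?![\w-])"
        text = re.sub(pattern, lambda m, o=onion: m.group(1) + o, text)
    return text


def rewrite_outbound_response(headers: List[Tuple[str, str]],
                              body: str) -> Tuple[List[Tuple[str, str]], str]:
    """Location and Set-Cookie carry hostnames too; forgetting them is the
    classic way a user "wanders off" to the clearnet site."""
    out = []
    for name, value in headers:
        if name.lower() in ("location", "set-cookie"):
            value = rewrite_outbound_text(value)
        out.append((name, value))
    return out, rewrite_outbound_text(body)


def find_clearnet_references(text: str) -> List[str]:
    """Hosts still referenced via http(s) URLs after rewriting: un-onionified
    CDNs, trackers, OAuth endpoints. Percent-encoded URLs (e.g. inside an
    OAuth redirect_uri) are missed by both the rewrite and this check."""
    seen: List[str] = []
    for m in URL_HOST.finditer(text):
        h = m.group(1).lower()
        if not h.endswith(".onion") and h not in seen:
            seen.append(h)
    return seen


# Constructed sample response (not captured from nytimes.com)
SAMPLE_HEADERS = [
    ("Location", "https://www.nytimes.com/section/world"),
    ("Set-Cookie", "nyt-a=abc; Domain=.nytimes.com; Secure"),
    ("Content-Type", "text/html"),
]
SAMPLE_BODY = (
    '<a href="https://www.nytimes.com/">home</a>\n'
    '<script src="https://static01.nyt.com/js/app.js"></script>\n'
    '<a href="https://accounts.google.com/o/oauth2/auth'
    '?redirect_uri=https%3A%2F%2Fnytimes.com">login</a>\n'
)

if __name__ == "__main__":
    hdrs, body = rewrite_outbound_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(rewrite_inbound_host("www.nytimes3xbfgragh.onion"))
    print(hdrs, body, sep="\n")
    print("still leaking:", find_clearnet_references(body))
```

Run as-is, the leak check reports the CDN host and the OAuth endpoint, which is the point of the tip: each needs either its own onion in the map or a deliberate decision that it may be fetched over an exit. A real shim also rewrites the request body, Referer and Origin, and must cope with compressed bodies and with hostnames split across chunk boundaries; it should also strip or adjust Content-Security-Policy, since a CSP naming only clearnet hosts will block the rewritten resources.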
  • 32. nits • you will almost certainly need to buy a special HTTPS cert (in 2018 only EV certificates could be issued for .onion names; the CA/Browser Forum has since permitted DV certificates for .onion, so check what CAs currently offer) • cost: probably from mid $$$ to low $$$$ • plus: associated paperwork & faff • if you take payments / subscriptions? • you may want to restrict access to payments over tor? • payment providers often block tor, this can sometimes lead to poor user experiences…
  • 33. TECH?
  • 34. Onion Networking as a Layer-3 Network
  • 35. How IP→Ethernet Works • Server: publishes mapping of IP to MAC address • Gratuitous ARP → populate ARP tables • Client: resolves mapping of IP to MAC address • Checks local ARP table (or makes ARP query) • Client: issues Ethernet frames to MAC address • Frames transport packets yielding TCP connections
  • 36. How Onion→IP Works • Server: publishes mapping of Onion to IP address • Descriptor Publication → populate HSDir DHT Ring • Client: resolves mapping of Onion to IP address • Checks HSDir DHT Ring (source of truth) • Client: issues TCP connection to Tor relay • Connections transport Tor cells yielding Tor circuits
  • 38. 1) TCP/IP is the L2 "data-link layer" of Onionspace
  • 39.

      #  OSI Name      Internet              Onion
      7  Application   https, ssh, etc…      https, ssh, etc…
      6  Presentation  socket*               socks5 proxy
      5  Session       tcp/udp socket*       tcp socket via socks5
      4  Transport     tcp/udp protocol      tcp circuit
      3  Network       packet to IP addr     cell to Onion addr
      2  Data Link     frames/MAC/LLC        cells over tcp
      1  Physical      bit                   bit
  • 41. Onion-flattyness • NAT/Firewalls are not an issue • Connections pretend to be direct, local-network TCP. • Services & Ports are published, not ad-hoc/promiscuous • Onionspace port-scanning is restricted to services and ports which are published by the owners: • HiddenServicePort 44422 localhost:22 • "consent-based networking", cf: NSAPs in X.25 ?
  • 42. (2018 - 1994) + 13 = 37
  • 45. Circuit-switchyness • Long-term circuits between client/server are established • Traffic tunnels over circuits • A bit like X.25 Networking • sometimes circuits break • but then, so does TCP (i.e.: RST) • Circuits may carry multiple TCP/IP streams, be reused • Presentation: as a SOCKS5 relay
  • 47. "Rendezvous", a safer "Client-Server" (diagram: Server, HSDir DHT Ring, Introduction Point, Rendezvous Point and Client inside the Tor "Cloud", with a firewall on either side)
  1 server sets up introduction point
  2 server publishes descriptor
  3 client looks-up descriptor / intro-point
  4a client sets up rendez-point
  4b client tells server "meet me at rendez-point"
  5 data exchanged via circuit via rendez
  nb: all connections established "outbound" through the firewall(s); server can live in "enclave"
  • 48. "Rendezvous" at L7? • All this is hidden behind SOCKS5 for app presentation • Your app thinks that it is talking to a TCP/IP stream • Truth = more complex
  • 49. 5) Introduction points have redundancy, transience and migrate globally, leading to…
  • 50. high-availabilityness (H/A) • DDoS Resistance • Harder to hit a moving target, key resources "at 1+ remove" • Built-in "GSLB" (global server load balancing) • You have little control of where Introduction, or Rendezvous Points are created, but they are distributed globally • Servers can be replicated globally, too; flatness = simpler • "DNSRR" equivalent (DNS Round Robin) • "OnionBalance" enables recombination of descriptors, shares load over servers like DSR (direct server return); or full H/A replicas
  • 52. self-authenticatingness • Onion addresses are literally cryptographically-trustable layer-3 network addresses • If you type the address correctly, you are guaranteed to be communicating with someone who has the private key • Built-in IPsec ESP and AH • No PSK hassle • No CA hassle • No revocation, no X.509, no OpenSSL, no faff…
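What "self-authenticating" means in bytes, as an added example (not code from the deck or from tor): a v3 address is the service's ed25519 public key plus a two-byte SHA3-256 checksum and a version byte, base32-encoded, per tor's rend-spec-v3. The functions below build an address from a key and recover the key from an address, rejecting anything mistyped. The sample key is a constructed 32-byte value, not a real service key.

```python
import base64
import hashlib

# Added example, not code from the deck or from tor. Per rend-spec-v3:
#   onion_address = base32(PUBKEY | CHECKSUM | VERSION) + ".onion"
#   CHECKSUM      = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
#   VERSION       = 0x03   (which is why every v3 address ends in "d")
# The checksum catches a mistyped address; it cannot tell you whether the
# key is the one you *meant*, so "if you type the address correctly" still
# rests on having obtained the address through a channel you trust.

PREFIX = b".onion checksum"
VERSION = b"\x03"


def _checksum(pubkey: bytes) -> bytes:
    return hashlib.sha3_256(PREFIX + pubkey + VERSION).digest()[:2]


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """ed25519 public key (32 bytes) -> 56-char lowercase v3 address."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION   # 35 bytes -> 56 base32 chars, no padding
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def pubkey_from_onion_v3(address: str) -> bytes:
    """Inverse: returns the key, or raises ValueError for anything malformed.
    Subdomains (www.<addr>.onion) are accepted and ignored, as on slide 22."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[:-6]
    label = label.rsplit(".", 1)[-1]
    if len(label) != 56:
        raise ValueError("not a v3 onion address (need 56 base32 chars)")
    try:
        raw = base64.b32decode(label.upper())
    except Exception as exc:
        raise ValueError("not base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unexpected version byte")
    if checksum != _checksum(pubkey):
        raise ValueError("checksum mismatch: mistyped or corrupted address")
    return pubkey


def is_valid_onion_v3(address: str) -> bool:
    try:
        pubkey_from_onion_v3(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_key = bytes(range(32))          # constructed, not a real service key
    addr = onion_v3_from_pubkey(sample_key)
    print(addr, is_valid_onion_v3(addr), is_valid_onion_v3(addr[:55] + "a.onion"))
```

Because the key is the address, there is nothing for a CA to vouch for: the rendezvous handshake proves possession of the matching private key. The 16-character v2 addresses on the earlier slides were a truncated SHA-1 of an RSA-1024 key with no checksum, one of the reasons v2 was retired.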
  • 54. BGP-Hijack Resistance • Tor is an over-the-top meta-network • It doesn't much care what's happening at the IP layer
  • 55. If you remember one thing: • Tor "treats censorship as damage, and routes around it" • literally its raison d'être… • …with all these hostile actors it's actually pretty good at (eventually) routing around damage of any kind. • Wasn't the Internet supposed to do this anyway? • Maybe we just got too used to reliable networks?
  • 58. "good enough for the right kinds of workload"
  • 59. Four Major Types Of Established Tor Connection (diagram; hops on the browser side chosen by client, hops on the onion side chosen by server)
  1. Browsing Normal Web Over Tor: TorBrowser → Guard → Middle → Exit → Website ("protected only by HTTPS, if that...")
  2. Browsing Onion Site Over Tor: TorBrowser → Guard → Middle → Rendezvous ← Middle2 ← Middle1 ← Guard ← Onion
  3. Browsing Onion Site From Normal Client Using Tor2web (bad idea): Browser →(http)→ Tor2web → single hop → Rendezvous ← Middle2 ← Middle1 ← Guard ← Onion
  4. Browsing Single-Hop Onion Site (Facebook, NYT, …): TorBrowser → Guard → Middle → Rendezvous ← single hop ← Onion
  nb: TorBrowser is simply a normal browser with embedded Tor software
  nb: Onion site is simply a normal website with bonded Tor software
  • 60. Tor as Web CDN: Normal vs Onion (diagram; client-chosen hops on the left, server-chosen on the right)
  Normal Web Over Tor: TorBrowser → Guard → Middle → Exit →(X: exit node to webserver, congestion)→ Website
  CDN Single-Hop Onion Site: TorBrowser → Guard → Middle → Rendezvous →(Y: onion to rendezvous)→ Onion (shim / revproxy) →(Z: link to webserver, fast)→ Website
  Generally: (Y+Z) < X (less is better)
  • 62. Learning New Stuff • Tor is not TCP/IP (but feels similar) • Tor is not an in-kernel network • userspace daemons • config files, not ifconfig • Tor is evolving • Just like TCP/IP was in 1992
  • 75. Wikipedia Experiment • Why? • Short-term test to prove the concept • Cheap, low resource-usage, borrowed hardware • Was DoS'd by <some asshole with bots> • Sustained few-hundreds of hits per second • Hardly noticeable impact on single quad-core server
  • 78. onion Tor vs: plain Tor
  • 79. for deck PDF, twitter search: from:alecmuffett "nluug slides" ...will be posted later today