1 00:00:00,000 --> 00:00:11,310 *32C3 preroll music* 2 00:00:11,310 --> 00:00:15,890 Herald: I welcome you to “TOR Onion Services – more useful than you think!” 3 00:00:15,890 --> 00:00:19,340 This talk is presented by George 4 00:00:19,340 --> 00:00:24,640 – who is a core developer of TOR and also a developer of the Hidden Services – 5 00:00:24,640 --> 00:00:30,498 by David Goulet – who is a developer for the TOR Hidden Services – 6 00:00:30,498 --> 00:00:35,439 and by Roger, who is a founder of the TOR Project, an MIT graduate, and 7 00:00:35,439 --> 00:00:38,460 Foreign Policy magazine calls him one of the 8 00:00:38,460 --> 00:00:42,739 Top 100 Global Thinkers. I think that speaks for itself. 9 00:00:42,739 --> 00:00:49,639 *applause* 10 00:00:49,639 --> 00:00:54,179 Today we will hear examples of Hidden Services for really cool use cases, 11 00:00:54,179 --> 00:00:57,879 but also we will hear about security fixes that make the Hidden Services 12 00:00:57,879 --> 00:01:00,779 even safer and stronger for all of us. 13 00:01:00,779 --> 00:01:05,960 The stage is free for “TOR Onion Services – more useful than all of us think” 14 00:01:05,960 --> 00:01:11,440 *applause* Roger: Great! 15 00:01:11,440 --> 00:01:14,669 Hi, I’m going to pause while we get our slides up, I hope… 16 00:01:14,669 --> 00:01:18,249 Hopefully that will be a quick and easy event – perfect! 17 00:01:18,249 --> 00:01:21,839 Okay, so. Hi, I’m Roger, this is George, this is David. 18 00:01:21,839 --> 00:01:26,550 We’re going to tell you about TOR Hidden Services or TOR Onion Services.
19 00:01:26,550 --> 00:01:30,600 They’re basically synonyms, originally they were called TOR Hidden Services 20 00:01:30,600 --> 00:01:35,869 because the original idea was that you hide the location of the service; 21 00:01:35,869 --> 00:01:39,600 and then a lot of people started using them for other features, 22 00:01:39,600 --> 00:01:43,510 other security properties, so we’ve been shifting to the name Onion Services. 23 00:01:43,510 --> 00:01:46,409 So we’ll switch back and forth in what we call them. 24 00:01:46,409 --> 00:01:51,220 So, a spoiler before we start. This is not a talk about the dark web, 25 00:01:51,220 --> 00:01:54,500 there is no dark web. It’s just a couple of 26 00:01:54,500 --> 00:01:59,159 websites out there that are protected by other security properties. 27 00:01:59,159 --> 00:02:03,049 So we’ll talk a lot more about that. You can think of it as: 28 00:02:03,049 --> 00:02:08,799 HTTPS is a way of getting encryption and security when you’re going to a website 29 00:02:08,799 --> 00:02:12,929 and .onion is another way of getting encryption and security when you’re 30 00:02:12,929 --> 00:02:17,749 going to a website. So, journalists like writing articles about the 31 00:02:17,749 --> 00:02:22,920 huge iceberg where 95% of the web is the dark web. 32 00:02:22,920 --> 00:02:26,290 That’s nonsense! So we’re gonna try and tell you a little bit more about 33 00:02:26,290 --> 00:02:30,660 what Hidden Services and Onion Services actually are and 34 00:02:30,660 --> 00:02:35,030 who uses them and what things they can do with them. 35 00:02:35,030 --> 00:02:37,919 How many people here know quite a bit about how TOR works 36 00:02:37,919 --> 00:02:40,939 and what TOR is and so on? I’m hoping everybody raises their hand! 37 00:02:40,939 --> 00:02:43,770 Awesome, okay. We can skip all of that, perfect! 38 00:02:43,770 --> 00:02:46,910 So TOR is a US non-profit, 39 00:02:46,910 --> 00:02:51,750 it’s open-source, it’s a network of about 8000 relays.
40 00:02:51,750 --> 00:02:55,639 One of the fun things about TOR is the community of researchers, and developers, 41 00:02:55,639 --> 00:02:59,619 and users, and activists, and advocates, all around the world. 42 00:02:59,619 --> 00:03:03,939 Every time I go to a new city, there’s a research group at the university 43 00:03:03,939 --> 00:03:07,319 who wants me to teach them what the open research questions are 44 00:03:07,319 --> 00:03:11,239 and how they can help improve TOR. 45 00:03:11,239 --> 00:03:13,820 So, the basic idea is, you have your software, 46 00:03:13,820 --> 00:03:16,310 it pulls down a list of the 8000 relays, 47 00:03:16,310 --> 00:03:18,380 and it builds a path through 3 of them 48 00:03:18,380 --> 00:03:20,840 so that no single relay gets to learn 49 00:03:20,840 --> 00:03:24,349 where you’re coming from and where you’re going. 50 00:03:24,349 --> 00:03:28,439 And you can see up at the top here, there is a .onion address. 51 00:03:28,439 --> 00:03:32,489 So basically, with Hidden Services, or Onion Services, 52 00:03:32,489 --> 00:03:36,590 in your browser, in your TOR browser, you go to an alternate type of 53 00:03:36,590 --> 00:03:40,489 domain name, one that ends in .onion, and then you end up at that website. 54 00:03:40,489 --> 00:03:44,380 So here’s an example of a riseup.net website, 55 00:03:44,380 --> 00:03:47,760 which we are reaching using the onion address for it 56 00:03:47,760 --> 00:03:53,139 rather than black.riseup.net. 57 00:03:53,139 --> 00:03:57,279 Okay, so, I talked about the building block before, how you use TOR normally 58 00:03:57,279 --> 00:04:01,370 to build a 3-hop circuit through the network. Once you have that building block, 59 00:04:01,370 --> 00:04:03,849 then you can glue two of them together.
60 00:04:03,849 --> 00:04:08,140 So you’ve got Alice over here, connecting into the TOR network, 61 00:04:08,140 --> 00:04:11,329 and you’ve got Bob, the website, connecting into the TOR network, 62 00:04:11,329 --> 00:04:12,950 and they rendezvous in the middle. 63 00:04:12,950 --> 00:04:16,510 So Alice is getting her anonymity, her 3 hops inside TOR, 64 00:04:16,510 --> 00:04:19,700 Bob is getting his anonymity, his 3 hops inside of TOR, 65 00:04:19,700 --> 00:04:21,090 and they meet in the middle. 66 00:04:21,090 --> 00:04:25,520 So Alice doesn’t know where Bob is, Bob doesn’t know where Alice is, 67 00:04:25,520 --> 00:04:27,970 and the point in the middle doesn’t know either of them, 68 00:04:27,970 --> 00:04:32,030 yet they can reach each other, and get some cool security properties. 69 00:04:32,030 --> 00:04:34,530 So, some of these cool security properties: 70 00:04:34,530 --> 00:04:37,610 One of the really cool ones is that that .onion name that you saw 71 00:04:37,610 --> 00:04:41,830 – the base32 72 00:04:41,830 --> 00:04:44,330 big pile of 16 characters – 73 00:04:44,330 --> 00:04:48,310 is the hash of the public key of the Onion Service, 74 00:04:48,310 --> 00:04:51,770 and that hash is the Onion address. So they’re self-authenticating, meaning 75 00:04:51,770 --> 00:04:54,330 if I have the right onion address, 76 00:04:54,330 --> 00:04:57,410 I can be sure that I’m connecting to the website, 77 00:04:57,410 --> 00:05:00,290 to the service, that’s associated with that key. 78 00:05:00,290 --> 00:05:03,030 So I don’t need some sort of Certificate Authority model 79 00:05:03,030 --> 00:05:06,340 where I trust Turkish Telecom to not lie to me. 80 00:05:06,340 --> 00:05:09,630 It’s all built-in, self-authenticating, 81 00:05:09,630 --> 00:05:11,900 I don’t need any external resources 82 00:05:11,900 --> 00:05:15,790 to convince myself that I’m going to the right place.
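That self-authentication can be made concrete. As a rough sketch (simplified from the hidden service specification, not the actual TOR source): a version-2 onion address is the base32 encoding of the first 80 bits of the SHA-1 hash of the service’s DER-encoded public key, which is exactly where those 16 characters come from.

```python
import base64
import hashlib

def v2_onion_address(der_public_key: bytes) -> str:
    """Derive a version-2 .onion address from a DER-encoded public key.

    Sketch per the rendezvous spec: the address is the base32 encoding
    of the first 80 bits (10 bytes) of the SHA-1 hash of the key.
    """
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"

# Any 10 bytes base32-encode to exactly 16 characters, which is why
# every v2 onion address is 16 characters plus the ".onion" suffix.
# (Demo bytes only, not a real key.)
addr = v2_onion_address(b"not a real key, just demo bytes")
print(addr)
```

Because the address is derived from the key, anyone holding the right address can verify the service’s key themselves, with no certificate authority in the loop.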
83 00:05:15,790 --> 00:05:19,210 Along with that, they’re end-to-end encrypted. 84 00:05:19,210 --> 00:05:22,970 So I know that nobody between my TOR client 85 00:05:22,970 --> 00:05:26,080 and the TOR client on the Service side is able to read, 86 00:05:26,080 --> 00:05:28,950 or intercept, or man-in-the-middle the traffic. 87 00:05:28,950 --> 00:05:31,700 So there are some other interesting features also, 88 00:05:31,700 --> 00:05:34,510 one of them is the NAT punching feature. 89 00:05:34,510 --> 00:05:37,130 If you offer an Onion Service, 90 00:05:37,130 --> 00:05:40,270 there’s no reason to allow incoming connections to it. 91 00:05:40,270 --> 00:05:44,450 So I can run an Onion Service deep inside the corporate firewall, 92 00:05:44,450 --> 00:05:48,500 or behind Comcast’s firewall, or wherever I want to, 93 00:05:48,500 --> 00:05:50,480 and people are able to reach it. 94 00:05:50,480 --> 00:05:54,520 So there are a lot of people from the systems administration side 95 00:05:54,520 --> 00:06:00,760 who say: “I’m going to offer an Onion address for my home SSH server, 96 00:06:00,760 --> 00:06:04,090 and now the only way that I can connect back into my home box 97 00:06:04,090 --> 00:06:07,950 is via the TOR network. I get end-to-end encryption, 98 00:06:07,950 --> 00:06:11,570 I get self-authentication, and there’s no other way in. 99 00:06:11,570 --> 00:06:14,520 I just firewall all incoming connections 100 00:06:14,520 --> 00:06:18,470 and so the only surface area that I expose to the world 101 00:06:18,470 --> 00:06:22,280 is, if you’re using my onion address, you reach my SSH port. 102 00:06:22,280 --> 00:06:24,910 I don’t allow any other packets in of any sort.” 103 00:06:24,910 --> 00:06:28,900 So that’s a cool example of how security people 104 00:06:28,900 --> 00:06:31,630 use Onion Services.
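That SSH setup comes down to two lines of torrc configuration. A minimal sketch, with illustrative paths and a made-up onion name:

```
# /etc/tor/torrc on the home box (illustrative path):
# publish local port 22 as an onion service; TOR writes the
# generated onion address to <HiddenServiceDir>/hostname.
HiddenServiceDir /var/lib/tor/ssh_onion/
HiddenServicePort 22 127.0.0.1:22

# With all inbound ports firewalled, the client reaches the box
# only through TOR, e.g.:
#   torsocks ssh user@exampleonionaddr.onion
```

Since the service only makes outbound connections into the TOR network, no inbound firewall hole or port forward is needed at all, which is the NAT-punching feature described above.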
105 00:06:31,630 --> 00:06:35,720 George: So, hello, we have some statistics to show you, 106 00:06:35,720 --> 00:06:39,490 to give you an idea of the current maturity of the system. 107 00:06:39,490 --> 00:06:43,790 We got these statistics by asking relays to send us information 108 00:06:43,790 --> 00:06:47,270 about the Hidden Service activity they see. 109 00:06:47,270 --> 00:06:50,190 Only a small fraction of relays is reporting these statistics, 110 00:06:50,190 --> 00:06:53,890 so we extrapolate from this small fraction. 111 00:06:53,890 --> 00:06:57,530 So that’s why these statistics can have lots of ups and downs, 112 00:06:57,530 --> 00:07:00,970 and noise, and everything, but anyway, they can give you a basic idea. 113 00:07:00,970 --> 00:07:04,960 So, this first statistic is the number of Hidden Services on the network, 114 00:07:04,960 --> 00:07:10,180 and you can see that it’s about 30,000 Hidden Services, give or take, 115 00:07:10,180 --> 00:07:15,010 and it’s a pretty small number if you compare it to the whole Internet, 116 00:07:15,010 --> 00:07:19,460 I don’t even know, it’s basically in the early adoption stages. 117 00:07:19,460 --> 00:07:22,430 And we also have another statistic, this one, 118 00:07:22,430 --> 00:07:28,370 which is the traffic that the Hidden Services are generating, basically. 119 00:07:28,370 --> 00:07:32,790 On the top, you can see the total traffic that the whole network is pushing. 120 00:07:32,790 --> 00:07:36,410 It’s about, I don’t know, 60,000 megabits, 121 00:07:36,410 --> 00:07:39,850 and the bottom graph is the Hidden-Service-specific traffic, 122 00:07:39,850 --> 00:07:42,460 and you can see that it’s like 1000 megabits. 123 00:07:42,460 --> 00:07:45,750 Like, a very small fraction, basically. So, 124 00:07:45,750 --> 00:07:50,230 Hidden Services are still a very small part of TOR.
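The extrapolation George describes works roughly like this (a simplified sketch with made-up numbers; the real pipeline, described in the tech report, also adds noise before publishing so individual clients can’t be identified):

```python
def extrapolate_total(reported_count: float, reporting_fraction: float) -> float:
    """Scale a count seen by a fraction of relays up to a network-wide
    estimate, as in TOR's hidden-service statistics (simplified: the
    real pipeline also obfuscates the reported values with noise)."""
    if not 0 < reporting_fraction <= 1:
        raise ValueError("reporting fraction must be in (0, 1]")
    return reported_count / reporting_fraction

# Illustrative only: if relays responsible for 25% of the network's
# capacity report seeing ~7,500 onion addresses, the extrapolated
# network-wide total is ~30,000.
print(extrapolate_total(7_500, 0.25))  # -> 30000.0
```

Because the reporting fraction is small and the per-relay noise is large relative to it, the scaled-up estimates swing around a lot, which is why the graphs have the ups and downs mentioned above.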
And, 125 00:07:50,230 --> 00:07:54,180 if you don’t understand this number thing very well, 126 00:07:54,180 --> 00:07:58,170 we did some calculations and stuff, and we have this new figure for you, 127 00:07:58,170 --> 00:08:02,920 which is that basically 5% of client traffic is Hidden Services. 128 00:08:02,920 --> 00:08:06,710 From the whole TOR, 5% is Hidden Services, basically. 129 00:08:06,710 --> 00:08:10,350 Make of that what you will. 130 00:08:10,350 --> 00:08:14,330 So, and, we did this whole thing like a year ago, 131 00:08:14,330 --> 00:08:19,370 and we spent lots of time like figuring out how to collect statistics, 132 00:08:19,370 --> 00:08:22,180 how to get from the values themselves to those graphs, 133 00:08:22,180 --> 00:08:26,730 how to obfuscate the statistics in such a way that we don’t reveal 134 00:08:26,730 --> 00:08:29,590 any information about any clients, 135 00:08:29,590 --> 00:08:34,169 and we wrote a tech report about it, that you can find in this link 136 00:08:34,169 --> 00:08:38,329 if you’re interested in looking more at how the whole thing works, 137 00:08:38,329 --> 00:08:43,100 and we even wrote a proposal, so if you google for TOR Project, proposal 238, 138 00:08:43,100 --> 00:08:49,500 you can find more information, and, yeah, that’s it. 139 00:08:51,140 --> 00:08:54,930 Roger: Okay, so, how did this whole thing start? 140 00:08:54,930 --> 00:08:57,770 We’re going to go through a couple of years at the beginning. 141 00:08:57,770 --> 00:09:01,320 In 2004, I wrote the original Hidden Service code, 142 00:09:01,320 --> 00:09:03,510 and I basically wrote it as a toy. 143 00:09:03,510 --> 00:09:06,850 It was an example: “We have this thing called TOR, 144 00:09:06,850 --> 00:09:09,700 and use it as a building block, look what we can do!
145 00:09:09,700 --> 00:09:12,290 We can connect 2 TOR circuits together, 146 00:09:12,290 --> 00:09:16,130 and then you can run a service like this.” 147 00:09:16,130 --> 00:09:18,859 Basically nobody used it for a few years. 148 00:09:18,859 --> 00:09:21,420 One of my friends set up a hidden wiki where, 149 00:09:21,420 --> 00:09:24,499 if you run an Onion Service, then you can go to the wiki, 150 00:09:24,499 --> 00:09:26,970 and sign up your address so that people can find it. 151 00:09:26,970 --> 00:09:30,929 And there were some example services. But for the first couple of years, 152 00:09:30,929 --> 00:09:34,880 it basically wasn’t used, wasn’t interesting. 153 00:09:34,880 --> 00:09:39,630 The first really interesting use case was the Zyprexa documents. 154 00:09:39,630 --> 00:09:42,250 So this was in 2005, 2006. 155 00:09:42,250 --> 00:09:45,970 There’s a huge pharmaceutical company called Eli Lilly 156 00:09:45,970 --> 00:09:50,399 and they have an antipsychotic drug called Zyprexa 157 00:09:50,399 --> 00:09:54,360 and it turns out that it was giving people diabetes 158 00:09:54,360 --> 00:09:57,860 and harming them, and killing them, and they knew about it. 159 00:09:57,860 --> 00:10:01,640 And somebody leaked 11,000 documents onto the Internet 160 00:10:01,640 --> 00:10:04,759 showing that this drug company knew about the fact 161 00:10:04,759 --> 00:10:07,200 that they were harming their customers.
162 00:10:07,200 --> 00:10:11,279 And of course the drug company sent a cease and desist to the website, 163 00:10:11,279 --> 00:10:13,860 and it went away, and it came up somewhere else, 164 00:10:13,860 --> 00:10:16,359 and they sent a cease and desist, and it was bouncing around, 165 00:10:16,359 --> 00:10:20,680 and suddenly somebody set up a TOR Hidden Service with all of the documents, 166 00:10:20,680 --> 00:10:25,129 and Eli Lilly had no idea how to send a cease and desist to that address, 167 00:10:25,129 --> 00:10:27,830 and a lot of people were able to read 168 00:10:27,830 --> 00:10:31,159 the corruption and problems with this drug company. 169 00:10:31,159 --> 00:10:34,970 So that was… on the one hand, yay! 170 00:10:34,970 --> 00:10:39,109 *applause* 171 00:10:39,109 --> 00:10:43,140 On the one hand, that’s really cool. Here we are, we have a censorship-resistant 172 00:10:43,140 --> 00:10:46,859 privacy thing, somebody used it to get information out 173 00:10:46,859 --> 00:10:51,279 about a huge company that was hurting people, great! 174 00:10:51,279 --> 00:10:55,499 On the other hand, it set us up so that ever after, 175 00:10:55,499 --> 00:10:57,800 people looked at Hidden Services and said: 176 00:10:57,800 --> 00:11:01,429 “Well, how do I find a document that some large organization’s 177 00:11:01,429 --> 00:11:06,140 going to be angry about? I’m going to set up a website for leaking things, 178 00:11:06,140 --> 00:11:10,190 I’m gonna set up a website for something else that the Man wants to shut down.” 179 00:11:10,190 --> 00:11:13,740 So the first example of Hidden Services pointed us 180 00:11:13,740 --> 00:11:17,560 in a direction where, after that, a lot of people 181 00:11:17,560 --> 00:11:22,410 thought that that’s what Hidden Services were about.
182 00:11:22,410 --> 00:11:24,549 So, that leads to the next year, 183 00:11:24,549 --> 00:11:28,359 Wikileaks set up a Hidden Service for their submission engine, 184 00:11:28,359 --> 00:11:32,239 and it’s not that they wanted to hide the location of the server. 185 00:11:32,239 --> 00:11:35,680 The server was in Sweden, everybody knew the server was in Sweden. 186 00:11:35,680 --> 00:11:40,090 But they wanted to give extra security to users who were trying to get there. 187 00:11:40,090 --> 00:11:44,770 One of the really interesting properties that they used from Hidden Services 188 00:11:44,770 --> 00:11:48,079 is the fact that if you go to the .onion site 189 00:11:48,079 --> 00:11:51,569 from your normal browser, it totally doesn’t work. 190 00:11:51,569 --> 00:11:54,019 And this was a security feature for them. 191 00:11:54,019 --> 00:11:57,839 Because they wanted to make sure that if you’re a leaker, 192 00:11:57,839 --> 00:12:00,769 and you’re doing it wrong, you’re configuring things wrong, 193 00:12:00,769 --> 00:12:02,350 then it totally fails from the beginning. 194 00:12:02,350 --> 00:12:06,429 They wanted to completely remove the chance that you accidentally think 195 00:12:06,429 --> 00:12:09,750 that you’re using TOR correctly and being safe 196 00:12:09,750 --> 00:12:12,539 when actually you screwed up and you’re not using TOR. 197 00:12:12,539 --> 00:12:15,329 So they wanted to use Onion Services 198 00:12:15,329 --> 00:12:18,049 as another layer of security for the user, 199 00:12:18,049 --> 00:12:21,279 to protect the user from screwing up. 
200 00:12:21,279 --> 00:12:24,999 Now fast forward a couple of more years, there’s another organization in Italy 201 00:12:24,999 --> 00:12:28,940 called GlobaLeaks, where they’ve set up basically a mechanism where, 202 00:12:28,940 --> 00:12:31,589 if you have something you want to share with the world, 203 00:12:31,589 --> 00:12:35,830 then you can be connected to a journalist through this GlobaLeaks platform. 204 00:12:35,830 --> 00:12:40,199 And they actually have been going around to governments, 205 00:12:40,199 --> 00:12:43,109 convincing them to set up GlobaLeaks platforms. 206 00:12:43,109 --> 00:12:45,290 So they’ve gone to the Italian government, 207 00:12:45,290 --> 00:12:48,179 they’ve gone to the Philippine government, 208 00:12:48,179 --> 00:12:51,669 and basically they say: “Look, this is a way for you 209 00:12:51,669 --> 00:12:54,689 to report on corruption, to hear about corruption 210 00:12:54,689 --> 00:12:57,990 inside your country.” Now, if you go to a government, and you say: 211 00:12:57,990 --> 00:13:01,409 “I hear there is corruption, here’s a way to report on it.” 212 00:13:01,409 --> 00:13:04,250 not everybody in the government will be happy with that. 213 00:13:04,250 --> 00:13:08,330 But one of the features is, you can very easily say: 214 00:13:08,330 --> 00:13:12,110 “Can you help me set up an anti-corruption whistleblowing site 215 00:13:12,110 --> 00:13:16,740 for the country next door? I would be happy to… you know they’ve got corruption, 216 00:13:16,740 --> 00:13:19,839 so how about they provide the corruption site?” 217 00:13:19,839 --> 00:13:23,679 *applause* 218 00:13:23,679 --> 00:13:27,000 So it’s really cool that GlobaLeaks is playing the political game, 219 00:13:27,000 --> 00:13:33,229 trying to demonstrate that making these things public is worthwhile. 
220 00:13:33,229 --> 00:13:37,139 And, of course, here’s a picture of a cute cat, we have to have one of those, 221 00:13:37,139 --> 00:13:41,829 and WildLeaks is a really good example of a positive, 222 00:13:41,829 --> 00:13:46,439 I mean, this is a way where if you see somebody killing a rhinoceros 223 00:13:46,439 --> 00:13:49,400 or elephant or something in Africa, and you know about it, 224 00:13:49,400 --> 00:13:51,820 upload it to WildLeaks, and then they can learn more 225 00:13:51,820 --> 00:13:55,780 about poaching and extinction events and so on. 226 00:13:55,780 --> 00:13:59,749 So, it’s hard to argue with anti-poaching, 227 00:13:59,749 --> 00:14:02,789 anti-corruption sites like that. 228 00:14:02,789 --> 00:14:06,970 And that moves us to SecureDrop, there’s a group in the US 229 00:14:06,970 --> 00:14:10,819 that is working on another example of how to connect 230 00:14:10,819 --> 00:14:14,739 people with interesting information to journalists who want to write about it. 231 00:14:14,739 --> 00:14:17,720 And they’ve actually connected with the New Yorker and a lot of 232 00:14:17,720 --> 00:14:21,309 high-profile newspapers, 233 00:14:21,309 --> 00:14:26,279 to be able to provide a way for people to securely provide information 234 00:14:26,279 --> 00:14:31,889 to those journalists. And they say that it has been used in high-profile events, 235 00:14:31,889 --> 00:14:34,420 and they won’t tell us which events, which is great! 236 00:14:34,420 --> 00:14:38,069 That’s exactly how it’s supposed to work. 237 00:14:38,069 --> 00:14:42,969 *applause* 238 00:14:42,969 --> 00:14:45,980 David: Hello. So, continuing our timeline here, 239 00:14:45,980 --> 00:14:49,709 this very cool thing happened in 2014, where Aphex Twin, 240 00:14:49,709 --> 00:14:53,030 this electronic experimental guy, 241 00:14:53,030 --> 00:14:56,710 released his album Syro through an onion address on Twitter, 242 00:14:56,710 --> 00:14:59,919 and he got 4,000 retweets.
So we encourage you guys 243 00:14:59,919 --> 00:15:04,160 to consider this method of releasing all your stuff, 244 00:15:04,160 --> 00:15:09,279 and the complementary way to release it would be the open web. 245 00:15:09,279 --> 00:15:11,910 So, onion addresses. 246 00:15:11,910 --> 00:15:16,099 Following that, we got Blockchain, recently, 247 00:15:16,099 --> 00:15:19,560 in 2014, let’s say two years ago. 248 00:15:19,560 --> 00:15:22,259 They discovered that, 249 00:15:22,259 --> 00:15:25,739 when you’re using TOR, 250 00:15:25,739 --> 00:15:27,689 some malicious exit nodes 251 00:15:27,689 --> 00:15:30,719 were rewriting the Bitcoin addresses. 252 00:15:30,719 --> 00:15:32,879 So for security reasons, they changed it: 253 00:15:32,879 --> 00:15:37,259 if you come to blockchain.info from TOR, 254 00:15:37,259 --> 00:15:39,079 they tell you to use the onion address 255 00:15:39,079 --> 00:15:42,249 so you get all the fancy properties of end-to-end encryption, 256 00:15:42,249 --> 00:15:44,559 and so on, and so forth. 257 00:15:44,559 --> 00:15:50,259 Still today, we know that malicious exit nodes exist, 258 00:15:50,259 --> 00:15:53,569 and they do rewrite Bitcoin addresses. 259 00:15:53,569 --> 00:15:55,949 Don’t be alarmed, it’s not like HAL3000’s; 260 00:15:55,949 --> 00:16:00,469 the thing is that we at the TOR Project are actively monitoring 261 00:16:00,469 --> 00:16:05,009 the network at the exit nodes 262 00:16:05,009 --> 00:16:07,009 for this kind of craziness. 263 00:16:07,009 --> 00:16:10,589 And we need more help from everyone, from the community, 264 00:16:10,589 --> 00:16:13,009 to find those, so we can block them, 265 00:16:13,009 --> 00:16:15,750 remove them, so fuck those. Fuck those guys. 266 00:16:15,750 --> 00:16:20,879 And Blockchain took action with Onion Services. So, great.
267 00:16:20,879 --> 00:16:23,869 Roger: And Facebook set up a Hidden Service recently as well, 268 00:16:23,869 --> 00:16:26,219 an onion address for their website. 269 00:16:26,219 --> 00:16:28,970 So, the first thing many of you might be thinking is: 270 00:16:28,970 --> 00:16:33,119 “Wait a minute, I don’t understand, Facebook is a website on the Internet, 271 00:16:33,119 --> 00:16:36,389 why do they need a Hidden Service, why do they need an onion address?” 272 00:16:36,389 --> 00:16:41,629 So, the first answer is, they worry about users in interesting countries. 273 00:16:41,629 --> 00:16:45,989 Say you’ve got a Facebook user in Turkey or Tunisia or something like that, 274 00:16:45,989 --> 00:16:47,579 and they try to go to Facebook, 275 00:16:47,579 --> 00:16:51,099 and the local DNS server lies to them and sends them somewhere else, 276 00:16:51,099 --> 00:16:55,389 or Turkish Telecom, which is a certificate authority that everybody trusts, 277 00:16:55,389 --> 00:16:57,530 ends up pretending to be Facebook. 278 00:16:57,530 --> 00:17:00,379 They man-in-the-middle you; now there’s certificate pinning 279 00:17:00,379 --> 00:17:03,690 and other challenges like that, and maybe those are good starts. 280 00:17:03,690 --> 00:17:07,720 But wouldn’t it be cool just to skip the whole certificate authority infrastructure 281 00:17:07,720 --> 00:17:12,049 and say “Here’s an address”, where if you go to this in your TOR Browser, 282 00:17:12,049 --> 00:17:14,669 you don’t have to worry about BGP hijacking, 283 00:17:14,669 --> 00:17:16,949 you don’t have to worry about certificate authorities, 284 00:17:16,949 --> 00:17:20,400 you don’t have to worry about DNS, it’s all inside the TOR network, 285 00:17:20,400 --> 00:17:23,379 and it takes care of the security properties I talked about before. 286 00:17:23,379 --> 00:17:26,420 So, that’s a really cool way that they can switch. 287 00:17:26,420 --> 00:17:29,070 I was talking to one of the Facebook people earlier.
288 00:17:29,070 --> 00:17:33,810 He doesn’t want me to tell you the number of users who are using Facebook over TOR, 289 00:17:33,810 --> 00:17:37,760 but it’s many hundreds of thousands. It’s a shockingly high number of users. 290 00:17:37,760 --> 00:17:41,710 So, wouldn’t it be cool if we can switch many of those users 291 00:17:41,710 --> 00:17:44,830 from connecting to Facebook.com over TOR, 292 00:17:44,830 --> 00:17:47,060 to connecting to Facebook’s onion address, 293 00:17:47,060 --> 00:17:50,550 and then reduce the load on the exit relays, 294 00:17:50,550 --> 00:17:53,750 so that it’s faster and easier and scales better 295 00:17:53,750 --> 00:17:59,220 for the people connecting to websites that aren’t onion addresses? 296 00:17:59,220 --> 00:18:02,380 So, I was thinking about this at the very beginning 297 00:18:02,380 --> 00:18:04,890 and I was thinking: “Wait a minute, I don’t get it, 298 00:18:04,890 --> 00:18:08,290 Facebook has an onion address, but they have a real address, 299 00:18:08,290 --> 00:18:11,980 why do we need the other one?” And then I was thinking back. 300 00:18:11,980 --> 00:18:15,290 So, you remember 10 years ago, when people were running websites 301 00:18:15,290 --> 00:18:18,320 and the website administrators said: 302 00:18:18,320 --> 00:18:22,710 “I don’t need to offer HTTPS for my website, because my users…” 303 00:18:22,710 --> 00:18:26,190 and then they had some bullshit excuse about how their users didn’t need security 304 00:18:26,190 --> 00:18:29,250 or didn’t need encryption, or something like that. 305 00:18:29,250 --> 00:18:31,530 And now, 10 years later, we all think 306 00:18:31,530 --> 00:18:34,620 that the people saying: “I don’t need HTTPS for my website”… 307 00:18:34,620 --> 00:18:38,080 we think they’re greedy and short-sighted, and selfish, 308 00:18:38,080 --> 00:18:40,450 and they’re not thinking about their users.
309 00:18:40,450 --> 00:18:43,940 I think the Onion Service thing is exactly the same thing. 310 00:18:43,940 --> 00:18:46,290 Right now, there are plenty of people saying: 311 00:18:46,290 --> 00:18:51,010 “I already have HTTPS, I don’t need an onion address for my website 312 00:18:51,010 --> 00:18:54,810 because my users…” and then they have some lame explanation. 313 00:18:54,810 --> 00:18:59,090 So hopefully in a couple of years, it will be self-evident to everybody 314 00:18:59,090 --> 00:19:02,380 that users should be the ones to choose 315 00:19:02,380 --> 00:19:04,600 what sort of security properties they want. 316 00:19:04,600 --> 00:19:08,880 It shouldn’t be about what the website thinks the user should have. 317 00:19:08,880 --> 00:19:11,410 I should have the choice when I’m going to Facebook. 318 00:19:11,410 --> 00:19:15,550 Do I go to the HTTP version, do I go to the HTTPS version, 319 00:19:15,550 --> 00:19:17,570 do I go to the onion version? 320 00:19:17,570 --> 00:19:20,720 It should be up to me to decide what my situation is 321 00:19:20,720 --> 00:19:23,010 and get the security properties that I want. 322 00:19:23,010 --> 00:19:26,980 The other challenge here: I talked to some researchers a while ago 323 00:19:26,980 --> 00:19:30,950 who said: “I found a copy of Facebook on the dark web” 324 00:19:30,950 --> 00:19:33,950 and I was thinking: “Wait a minute, 325 00:19:33,950 --> 00:19:36,820 you didn’t find a copy of Facebook on the dark web, 326 00:19:36,820 --> 00:19:41,040 there’s a mechanism for securely getting to the website called Facebook, 327 00:19:41,040 --> 00:19:43,100 and it’s called Onion Services.
328 00:19:43,100 --> 00:19:46,830 There’s no separate dark web, it’s about transport encryption, 329 00:19:46,830 --> 00:19:52,150 it’s about a way of reaching the destination more safely.” 330 00:19:52,150 --> 00:19:54,040 One of the other really cool things, 331 00:19:54,040 --> 00:19:56,970 Facebook didn’t just set up an onion address, 332 00:19:56,970 --> 00:20:00,940 they got an HTTPS certificate for their onion address. 333 00:20:00,940 --> 00:20:03,390 They got an EV cert, the kind that shows you 334 00:20:03,390 --> 00:20:06,450 the green little bar that says: “This is Facebook” 335 00:20:06,450 --> 00:20:08,830 for their onion address. They went to DigiCert, 336 00:20:08,830 --> 00:20:12,960 and DigiCert gave them an SSL certificate 337 00:20:12,960 --> 00:20:17,610 for their onion address, so now you can get both of them at once. Which is 338 00:20:17,610 --> 00:20:22,750 an amazing new step that we hadn’t even been thinking about at the time. 339 00:20:22,750 --> 00:20:25,420 So, what does this give them? Why is this valuable? 340 00:20:25,420 --> 00:20:28,210 One of them is, on the browser side, 341 00:20:28,210 --> 00:20:31,970 when you’re going to an HTTPS URL, 342 00:20:31,970 --> 00:20:34,910 the browser knows to treat those cookies better, 343 00:20:34,910 --> 00:20:36,520 and to not leak certain things, 344 00:20:36,520 --> 00:20:39,630 and there’s all sorts of security and privacy improvements 345 00:20:39,630 --> 00:20:42,390 that browsers do when you’re going there. 346 00:20:42,390 --> 00:20:44,520 And we don’t want to have to teach the browser 347 00:20:44,520 --> 00:20:48,550 that “if it’s HTTPS or .onion, then be safe” – with HTTPS on the onion address, the browser already does the right thing. 348 00:20:48,550 --> 00:20:50,500 The other nice thing, on the server side, 349 00:20:50,500 --> 00:20:52,950 Facebook didn’t have to change anything. 350 00:20:52,950 --> 00:20:55,420 This is another way of reaching the Facebook server. 351 00:20:55,420 --> 00:20:59,470 That’s all there is to it.
352 00:20:59,470 --> 00:21:02,870 And then, another cool thing: 353 00:21:02,870 --> 00:21:08,300 It turns out that the only way to get a wildcard EV certificate 354 00:21:08,300 --> 00:21:10,340 is for an onion domain. 355 00:21:10,340 --> 00:21:14,090 It’s actually written into, like, the certificate authority world, 356 00:21:14,090 --> 00:21:18,050 that there is a grand exception for onion addresses. 357 00:21:18,050 --> 00:21:22,560 You can’t get a wildcard EV cert unless it’s for an onion address. 358 00:21:22,560 --> 00:21:26,200 So this is a super-duper endorsement of Onion Services 359 00:21:26,200 --> 00:21:29,960 from the certificate authority people. 360 00:21:29,960 --> 00:21:35,100 *applause* 361 00:21:35,100 --> 00:21:37,960 But let’s take a step even further. 362 00:21:37,960 --> 00:21:41,500 Wouldn’t it be cool if the Let’s Encrypt project 363 00:21:41,500 --> 00:21:44,880 bundled a TOR client in 364 00:21:44,880 --> 00:21:48,110 with each web server that’s using the Let’s Encrypt system? 365 00:21:48,110 --> 00:21:51,950 So every time you sign up for Let’s Encrypt, you also click the button 366 00:21:51,950 --> 00:21:55,180 saying: “And I want an onion address for my website”, 367 00:21:55,180 --> 00:21:57,330 and they automatically, in the same certificate… 368 00:21:57,330 --> 00:22:02,210 you get one for riseup.net, and as an alternate name, 369 00:22:02,210 --> 00:22:05,180 it’s blahblahblah.onion. It’s in the same certificate. 370 00:22:05,180 --> 00:22:07,710 So users can go to your website directly 371 00:22:07,710 --> 00:22:09,910 or they can go there over the onion address 372 00:22:09,910 --> 00:22:12,560 and either way you provide the SSL certificate 373 00:22:12,560 --> 00:22:14,070 that keeps everybody safe.
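The “one certificate, two names” idea can already be sketched with stock OpenSSL (the domain names below are placeholders, and this is not how Let’s Encrypt actually issues certificates today): a single certificate request can carry a regular domain and an onion name side by side as subjectAltName entries.

```shell
# Generate a key and a certificate request whose subjectAltName lists
# both a normal domain and an onion name (placeholders, not real
# services). Requires OpenSSL 1.1.1+ for the -addext option.
openssl genpkey -algorithm RSA -out example.key
openssl req -new -key example.key -out example.csr \
    -subj "/CN=example.net" \
    -addext "subjectAltName=DNS:example.net,DNS:exampleonionaddr.onion"

# Inspect the request: both names appear in the one CSR.
openssl req -in example.csr -noout -text | grep -A1 "Subject Alternative Name"
```

A CA would still need a policy for validating the onion name before signing such a request, which is exactly the vouching problem described next.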
374 00:22:14,070 --> 00:22:18,030 Wouldn’t it be cool if every time somebody signs up for Let’s Encrypt, 375 00:22:18,030 --> 00:22:21,580 they get an onion address for free for their website, 376 00:22:21,580 --> 00:22:25,840 so that everybody can choose how they want to reach that website? 377 00:22:25,840 --> 00:22:33,310 *applause, cheering* 378 00:22:33,310 --> 00:22:36,890 Now, there are a few problems with that. One of the big ones is, 379 00:22:36,890 --> 00:22:41,130 we want some way of binding the riseup.net address 380 00:22:41,130 --> 00:22:44,960 to the onion address, so that when I go to riseup.net 381 00:22:44,960 --> 00:22:47,470 I know that I’m going to the correct onion address. 382 00:22:47,470 --> 00:22:50,300 So we need some way to vouch for them 383 00:22:50,300 --> 00:22:52,760 and connect them through signatures or something. 384 00:22:52,760 --> 00:22:55,520 It can be done, but somebody needs to work out the details. 385 00:22:55,520 --> 00:22:57,400 The other policy barrier is, 386 00:22:57,400 --> 00:23:00,660 right now, the certificate authority people 387 00:23:00,660 --> 00:23:04,070 say you cannot get a DV cert, the normal kind of cert, 388 00:23:04,070 --> 00:23:07,600 for an onion address. You can only get an EV cert. 389 00:23:07,600 --> 00:23:10,580 And Alec over here is leading the charge 390 00:23:10,580 --> 00:23:12,570 to convince them that that makes no sense, 391 00:23:12,570 --> 00:23:15,780 so hopefully in the next couple of years, with all of your help, 392 00:23:15,780 --> 00:23:17,780 they will realize that onion addresses are 393 00:23:17,780 --> 00:23:22,410 just like all the other addresses in the world. 394 00:23:22,410 --> 00:23:26,080 Which leads to another really cool feature from this year.
395 00:23:26,080 --> 00:23:31,670 We got IETF to publicly specify, in a real RFC, 396 00:23:31,670 --> 00:23:34,740 that the .onion domain is a special case, 397 00:23:34,740 --> 00:23:38,120 and they’re not going to give it out in any other way. So… 398 00:23:38,120 --> 00:23:40,190 *applause* yeah! 399 00:23:40,190 --> 00:23:45,720 *applause* 400 00:23:45,720 --> 00:23:48,850 So the first effect here is that we have actual approval 401 00:23:48,850 --> 00:23:53,810 of Onion Services from the IETF and other standards committees. 402 00:23:53,810 --> 00:23:57,120 But the second effect, which is a second-order effect, is, 403 00:23:57,120 --> 00:24:00,960 now we can go to the browsers, and the DNS resolvers, 404 00:24:00,960 --> 00:24:04,600 and say, whenever you see an onion resolve, 405 00:24:04,600 --> 00:24:07,290 cut it right there, because you know that it’s not going into TOR, 406 00:24:07,290 --> 00:24:09,800 and you know that it shouldn’t go out onto the network. 407 00:24:09,800 --> 00:24:12,720 So now, when you’re in your normal Internet Explorer, 408 00:24:12,720 --> 00:24:15,250 and you accidentally click on an onion address, 409 00:24:15,250 --> 00:24:18,400 Internet Explorer knows that that’s a local address, 410 00:24:18,400 --> 00:24:20,260 that shouldn’t go out onto the network. 411 00:24:20,260 --> 00:24:23,230 So we can keep people safer, in ordinary browsers 412 00:24:23,230 --> 00:24:28,650 that otherwise wouldn’t even care that we exist. 413 00:24:28,650 --> 00:24:32,680 George: OK, so, so far we’ve been talking about websites and Hidden Services, 414 00:24:32,680 --> 00:24:35,540 but this is not all that Hidden Services can do. 415 00:24:35,540 --> 00:24:38,720 Basically, you can do any sort of TCP 416 00:24:38,720 --> 00:24:41,290 thing you want to do over Hidden Services. 
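The resolver behavior Roger describes here – recognize the special-use .onion suffix and never let it out onto the network – can be sketched in a few lines. The function names and the error behavior below are illustrative, not taken from any real browser or resolver:

```python
# Sketch of the RFC-specified handling of .onion described above: before
# doing an ordinary DNS lookup, check for the special-use ".onion" suffix
# and refuse to send it out onto the network. Names here are illustrative.

def is_onion_name(hostname: str) -> bool:
    """True if hostname falls under the special-use .onion TLD."""
    labels = hostname.lower().rstrip(".").split(".")
    return labels[-1] == "onion"

def resolve(hostname: str) -> str:
    if is_onion_name(hostname):
        # Never forward .onion queries to the DNS; either hand the name
        # to a TOR client or fail locally with a name-not-found error.
        raise LookupError(f"{hostname}: .onion is special-use, not resolvable via DNS")
    return "203.0.113.1"  # placeholder for a real DNS lookup

print(is_onion_name("facebookcorewwwi.onion"))  # True
print(is_onion_name("riseup.net"))              # False
```

A browser doing this check up front is exactly the "cut it right there" behavior: the accidental click on an onion link fails locally instead of leaking the name to the root servers.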
417 00:24:41,290 --> 00:24:45,740 We’re going to show you a few examples of third-party applications 418 00:24:45,740 --> 00:24:47,790 that have been developed for Hidden Services 419 00:24:47,790 --> 00:24:50,470 and do various interesting things. 420 00:24:50,470 --> 00:24:54,560 First of all, OnionShare is a file transfer application 421 00:24:54,560 --> 00:24:58,740 where you basically download this thing, and then you feed it a file, 422 00:24:58,740 --> 00:25:02,940 and then it exposes an HTTP server, 423 00:25:02,940 --> 00:25:06,660 at an onion address, that hosts your file, 424 00:25:06,660 --> 00:25:10,300 and you can give that URL to your friends, 425 00:25:10,300 --> 00:25:14,350 and they can just put it into their TOR Browser and download the file easily. 426 00:25:14,350 --> 00:25:16,630 It’s quite convenient, nicely made, 427 00:25:16,630 --> 00:25:20,370 and I think various organizations, 428 00:25:20,370 --> 00:25:23,820 like the Intercept and stuff, are using it to transfer files internally. 429 00:25:23,820 --> 00:25:28,340 And it works fine so far, as far as we know. 430 00:25:28,340 --> 00:25:33,220 Then, Hidden Services are quite good for doing messaging, 431 00:25:33,220 --> 00:25:36,890 because basically both sides are anonymous, 432 00:25:36,890 --> 00:25:40,800 and this gives a nice twist to talking with another person. 433 00:25:40,800 --> 00:25:44,060 One way to do so is Ricochet, 434 00:25:44,060 --> 00:25:46,730 which is an application that allows you 435 00:25:46,730 --> 00:25:49,410 to talk one-to-one to other people. 436 00:25:49,410 --> 00:25:54,310 It’s decentralized, because it works over Hidden Services.
437 00:25:54,310 --> 00:25:57,740 That’s actually quite useful, because, for example, 438 00:25:57,740 --> 00:26:02,410 a few months ago, the Jabber CCC server got shut down for a few days 439 00:26:02,410 --> 00:26:04,860 and you couldn’t talk to anyone, basically, 440 00:26:04,860 --> 00:26:07,310 but if you used Ricochet, you were fine, 441 00:26:07,310 --> 00:26:10,130 because they can shut down the CCC server 442 00:26:10,130 --> 00:26:14,490 but they probably can’t shut down the whole TOR network so easily. 443 00:26:14,490 --> 00:26:19,010 It also has a nice slick UI, which is quite refreshing 444 00:26:19,010 --> 00:26:22,700 if you’re used to the usual UIs of the open-source world. 445 00:26:22,700 --> 00:26:25,940 And, anyway, you can… 446 00:26:25,940 --> 00:26:29,490 you can download it from that web server there. 447 00:26:29,490 --> 00:26:31,140 And then there is Pond, 448 00:26:31,140 --> 00:26:35,270 which is a more experimental avant-garde messaging application, 449 00:26:35,270 --> 00:26:40,540 which is basically a mix between messaging and mix nets. 450 00:26:40,540 --> 00:26:44,880 It basically uses a server which delays your messages and stuff, 451 00:26:44,880 --> 00:26:48,440 which makes it much harder for a network adversary 452 00:26:48,440 --> 00:26:51,290 to know when you’re sending or receiving messages, 453 00:26:51,290 --> 00:26:55,090 because you also send chaff, and fake traffic and stuff. 454 00:26:55,090 --> 00:26:56,710 It’s super-experimental, 455 00:26:56,710 --> 00:26:59,240 the author doesn’t even want us to really endorse it, 456 00:26:59,240 --> 00:27:04,740 but information is free and you can visit that website 457 00:27:04,740 --> 00:27:08,930 to learn more about it. 458 00:27:08,930 --> 00:27:11,790 David: So, there’s also, for many years now, 459 00:27:11,790 --> 00:27:15,580 plenty of services and tools that exist. 
George just showed us some tools, 460 00:27:15,580 --> 00:27:19,340 but there are also services like Jabber, SMTP, and IMAP, 461 00:27:19,340 --> 00:27:22,640 from the Riseup guys – and not only Riseup, but also Systemli, 462 00:27:22,640 --> 00:27:25,360 Autistici, and the Calyx Institute for Jabber. 463 00:27:25,360 --> 00:27:28,060 And there are more and more Jabber servers right now 464 00:27:28,060 --> 00:27:30,970 that are federating over TOR through the Onions, 465 00:27:30,970 --> 00:27:33,420 for server-to-server and also client-to-server. 466 00:27:33,420 --> 00:27:37,140 And this has been around for a long time, and it serves many, many, many users. 467 00:27:37,140 --> 00:27:41,020 I think Riseup has more than 30,000 users on their Jabber servers. 468 00:27:41,020 --> 00:27:42,940 Another neat thing is, 469 00:27:42,940 --> 00:27:47,770 very recently, Debian set up an onion address for their package repository, 470 00:27:47,770 --> 00:27:51,690 and now you can use that onion address to just update your Debian system. 471 00:27:51,690 --> 00:27:56,390 You use this amazing package, which is apt-transport-tor, and, hop!, 472 00:27:56,390 --> 00:28:01,370 you can update everything through an onion address, it will detect it automatically. 473 00:28:01,370 --> 00:28:04,710 But then, there’s also much more that happened recently. 474 00:28:04,710 --> 00:28:08,150 The GPG key servers also exist as an onion address. 475 00:28:08,150 --> 00:28:11,810 So you can update your GPG key, 476 00:28:11,810 --> 00:28:14,230 and download a signature, and so on, and so forth, 477 00:28:14,230 --> 00:28:17,970 which in a way hides your whole social graph 478 00:28:17,970 --> 00:28:21,000 from the global observers – because we know they exist – 479 00:28:21,000 --> 00:28:25,530 since, well, you’re in an end-to-end encrypted channel. 480 00:28:25,530 --> 00:28:27,820 Of course the key server itself can still see it, that’s true, 481 00:28:27,820 --> 00:28:31,930 but at least on the wire, it’s hidden. Very nice.
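The apt-over-onion setup David mentions boils down to a couple of sources.list lines. A sketch, assuming the apt-transport-tor package is installed; the onion hostname below is a placeholder, not Debian's real mirror address:

```
# /etc/apt/sources.list -- fetching Debian packages over an onion address
# via apt-transport-tor (hostname is a placeholder):
deb tor+http://exampleonionmirror.onion/debian          stable main
deb tor+http://exampleonionmirror.onion/debian-security stable/updates main
```

With the tor+http:// scheme, apt routes the fetches through the local TOR client instead of connecting to the mirror directly.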
482 00:28:31,930 --> 00:28:36,210 Now, DuckDuckGo of course, they have Jabber and they also have a Hidden Service. 483 00:28:36,210 --> 00:28:40,410 And I talked to the DuckDuckGo people a few months ago maybe, 484 00:28:40,410 --> 00:28:43,830 I don’t remember. But the point is, they have many, many, many users 485 00:28:43,830 --> 00:28:47,270 coming through their onion addresses. The Pirate Bay also. 486 00:28:47,270 --> 00:28:51,900 So, the point of all this is that, with Facebook and Blockchain, 487 00:28:51,900 --> 00:28:55,290 and all those we’ve seen – and we actually know that 488 00:28:55,290 --> 00:28:59,030 several of the Alexa top 500 websites 489 00:28:59,030 --> 00:29:02,970 are currently deploying onion addresses. 490 00:29:02,970 --> 00:29:08,330 And the point here is, between the TOR network, the onion space, 491 00:29:08,330 --> 00:29:14,210 and the open Internet… If all sites are on both sides, well, 492 00:29:14,210 --> 00:29:17,690 it becomes one space. It’s just different ways of accessing the information. 493 00:29:17,690 --> 00:29:21,270 So please, please, please go to your companies, go to your organizations, 494 00:29:21,270 --> 00:29:23,630 deploy onion addresses, and make them public. 495 00:29:23,630 --> 00:29:28,420 Help us get many more.
503 00:29:49,530 --> 00:29:52,390 And there’s no middle, there’s no central point 504 00:29:52,390 --> 00:29:54,560 to go and learn all the accounts, 505 00:29:54,560 --> 00:29:56,660 and who’s friends with who, and so on. 506 00:29:56,660 --> 00:30:00,540 There’s nothing to break into in the middle where you can spy on everybody. 507 00:30:00,540 --> 00:30:04,180 Everything is decentralized, everybody is their own onion address. 508 00:30:04,180 --> 00:30:09,250 So I think that’s a key point as an alternate chat paradigm 509 00:30:09,250 --> 00:30:13,040 where hopefully we can switch away from the centralization model. 510 00:30:13,040 --> 00:30:19,010 *applause* 511 00:30:19,010 --> 00:30:21,330 Okay. So, on to phase 2, a brief diversion. 512 00:30:21,330 --> 00:30:25,120 We’ve been talking to a bunch of researchers over the past few years 513 00:30:25,120 --> 00:30:28,130 about, they want to do research on TOR to study 514 00:30:28,130 --> 00:30:31,880 how many users there are, or how many people go to Facebook, 515 00:30:31,880 --> 00:30:35,370 or all sorts of other research questions, and 516 00:30:35,370 --> 00:30:39,610 sometimes they do it in dangerous ways, or inappropriate ways. 517 00:30:39,610 --> 00:30:43,780 So we’ve been working on guidelines to help people who want to do it safely 518 00:30:43,780 --> 00:30:48,010 actually be able to not harm people or minimize the harm. 519 00:30:48,010 --> 00:30:49,890 So here are some of the guidelines. 520 00:30:49,890 --> 00:30:53,870 First one is, try to attack your own traffic, try to attack yourself, 521 00:30:53,870 --> 00:30:57,610 so, if you have a question and you need to do it on the real TOR network, 522 00:30:57,610 --> 00:31:01,090 you should be the one to generate your traffic and then try to attack that. 
523 00:31:01,090 --> 00:31:04,590 You shouldn’t just pick an arbitrary user and attack them 524 00:31:04,590 --> 00:31:07,460 because who knows if that’s a person in Syria who needs help 525 00:31:07,460 --> 00:31:12,100 or a person in Germany who’s trying to get out from oppression, and so on. 526 00:31:12,100 --> 00:31:16,800 Another approach: only collect data that you’re willing to publish to the world. 527 00:31:16,800 --> 00:31:18,910 So, too many researchers say: 528 00:31:18,910 --> 00:31:21,690 “Well I’m going to learn all of this interesting stuff, 529 00:31:21,690 --> 00:31:23,720 and I’m going to write it down on my hard drive, 530 00:31:23,720 --> 00:31:26,740 and I’ll keep it very safe. Nobody will break in.” 531 00:31:26,740 --> 00:31:28,850 That approach fails every time. 532 00:31:28,850 --> 00:31:32,490 Somebody breaks in, you lose the data, you forget about it, 533 00:31:32,490 --> 00:31:34,930 so the ethical way to do this is, 534 00:31:34,930 --> 00:31:37,890 only collect stuff that you’re willing to make public. 535 00:31:37,890 --> 00:31:41,350 Only collect stuff that’s safe to make public. 536 00:31:41,350 --> 00:31:45,470 And then the other piece, that’s part of what we’re talking about there, 537 00:31:45,470 --> 00:31:47,360 don’t collect data that you don’t need, 538 00:31:47,360 --> 00:31:49,980 so figure out what your research question is, 539 00:31:49,980 --> 00:31:53,770 figure out the minimum that you can collect to answer that question. 540 00:31:53,770 --> 00:31:57,460 For example, if I want to know how many people connect to Facebook, 541 00:31:57,460 --> 00:32:01,470 I should not collect every destination that everybody goes to, 542 00:32:01,470 --> 00:32:04,520 and then afterwards count up how many of them were Facebook. 543 00:32:04,520 --> 00:32:07,780 I should have a counter that says: Facebook, increment. 
544 00:32:07,780 --> 00:32:09,880 And then at the end it outputs a number, 545 00:32:09,880 --> 00:32:13,130 and that’s the only thing that I need to know in that case. 546 00:32:13,130 --> 00:32:15,120 So limit the granularity of data. 547 00:32:15,120 --> 00:32:19,270 If you’re counting how many users are connecting from different countries, 548 00:32:19,270 --> 00:32:22,650 and there are very few users coming from Mauritania, 549 00:32:22,650 --> 00:32:24,590 consider rounding that down to zero, 550 00:32:24,590 --> 00:32:26,880 so that you don’t accidentally harm 551 00:32:26,880 --> 00:32:29,970 the five people in Mauritania who are using it today. 552 00:32:29,970 --> 00:32:32,190 So, the approach to do this is: 553 00:32:32,190 --> 00:32:34,470 figure out what you’re trying to learn, 554 00:32:34,470 --> 00:32:37,470 describe the benefits to the world of learning that, 555 00:32:37,470 --> 00:32:40,810 describe the risks of the approach that you’re taking 556 00:32:40,810 --> 00:32:43,920 to people around the world using TOR, 557 00:32:43,920 --> 00:32:47,350 and then argue that the benefits outweigh the risks. 558 00:32:47,350 --> 00:32:50,320 And one of the key ways of looking at this is, 559 00:32:50,320 --> 00:32:54,630 if you’re collecting something interesting, some interesting dataset, 560 00:32:54,630 --> 00:32:57,390 think about whether there could be somebody else, 561 00:32:57,390 --> 00:33:00,930 somewhere out there in the world, who has some other dataset, 562 00:33:00,930 --> 00:33:04,000 and when you combine their dataset with yours, 563 00:33:04,000 --> 00:33:07,260 somebody learns something new, somebody gets harmed. 564 00:33:07,260 --> 00:33:09,550 If you can imagine any other dataset 565 00:33:09,550 --> 00:33:12,320 that, when it’s combined with yours, harms people, 566 00:33:12,320 --> 00:33:15,360 then you need to think harder about that. 567 00:33:15,360 --> 00:33:18,820 And then the last point: use a test network, when possible.
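The two measurement ideas Roger just combined – keep only an incrementing counter instead of logging destinations, and coarsen small per-country counts down to zero – can be sketched like this. The function names and the threshold are illustrative, not TOR's actual metrics code:

```python
# Sketch of data-minimizing measurement as described above: keep only an
# aggregate counter per research question, and round small per-country
# counts down to zero before publishing. The threshold is illustrative.

from collections import Counter

counts = Counter()

def record_connection(destination: str) -> None:
    # Minimization: test for the one destination we care about and
    # increment a counter; the destination itself is never stored.
    if destination == "facebook":
        counts["facebook"] += 1

def publishable(per_country: dict, threshold: int = 8) -> dict:
    # Granularity limiting: counts below the threshold are reported as 0,
    # so a handful of users in one country can't be singled out.
    return {c: (n if n >= threshold else 0) for c, n in per_country.items()}

for dest in ["facebook", "riseup", "facebook"]:
    record_connection(dest)

print(counts["facebook"])                  # 2
print(publishable({"DE": 1200, "MR": 5}))  # {'DE': 1200, 'MR': 0}
```

Publishing a count of 5 for Mauritania identifies a tiny, attackable user population; publishing 0 does not, and the aggregate counter means there is no raw log to lose or subpoena.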
568 00:33:18,820 --> 00:33:21,710 There’s a tool called chutney, there’s a tool called Shadow, 569 00:33:21,710 --> 00:33:25,090 where you can run your own internal TOR network on one computer, 570 00:33:25,090 --> 00:33:29,010 and if you can do your research that way, it’s even better. 571 00:33:29,010 --> 00:33:31,510 So, those are great guidelines, sounds good. 572 00:33:31,510 --> 00:33:33,480 We need to encourage more people to do them, 573 00:33:33,480 --> 00:33:35,760 and, to be fair, this is not going to 574 00:33:35,760 --> 00:33:38,180 stop bad people from doing bad things. 575 00:33:38,180 --> 00:33:40,940 But if you want to do research responsibly, 576 00:33:40,940 --> 00:33:43,650 and ethically, without harming TOR users, 577 00:33:43,650 --> 00:33:46,280 then we need to help everybody learn 578 00:33:46,280 --> 00:33:48,630 what the guidelines are to do it more safely. 579 00:33:48,630 --> 00:33:50,980 So here’s an example of a tricky edge case 580 00:33:50,980 --> 00:33:54,200 where we really want to think harder about these things. 581 00:33:54,200 --> 00:33:57,220 One of them is, there are people out there 582 00:33:57,220 --> 00:34:01,360 who want to build a list of every onion address that they can find. 583 00:34:01,360 --> 00:34:03,900 So, you can learn about that by going to google 584 00:34:03,900 --> 00:34:07,700 and doing a google search on .onion and they give you some addresses. 585 00:34:07,700 --> 00:34:11,819 That’s okay, that seems reasonable. It’s a public dataset, okay, fine. 586 00:34:11,819 --> 00:34:14,859 There’s a more complicated one, where you are Verisign, 587 00:34:14,859 --> 00:34:17,620 and you run some of the DNS root servers, 588 00:34:17,620 --> 00:34:22,639 and you spy on the DNS queries of the whole Internet. 589 00:34:22,639 --> 00:34:27,048 And anybody who accidentally sends a .onion DNS query 590 00:34:27,048 --> 00:34:29,529 to your root server, you write it down. 
591 00:34:29,529 --> 00:34:31,979 So now you learn all the side-channel 592 00:34:31,979 --> 00:34:34,789 accidentally leaked addresses. 593 00:34:34,789 --> 00:34:38,410 Is that, does that follow our guidelines? Is that okay, is that ethical? 594 00:34:38,410 --> 00:34:41,429 It’s kind of complicated, but I don’t know a way to stop it, 595 00:34:41,429 --> 00:34:46,029 and they already have the dataset. So, okay, fine. 596 00:34:46,029 --> 00:34:48,279 Now a more complicated one. 597 00:34:48,279 --> 00:34:52,119 What if you’re Comcast, and you spy on all of your users, 598 00:34:52,119 --> 00:34:56,459 to find out what their DNS queries are, to learn about accidental leakage there. 599 00:34:56,459 --> 00:34:59,499 Again, I’m going to say it’s complicated, but it’s probably fine, 600 00:34:59,499 --> 00:35:02,259 they’re already seeing it, there’s nothing we, TOR, can do 601 00:35:02,259 --> 00:35:06,210 to change our protocol, to make people accidentally leak these things. 602 00:35:06,210 --> 00:35:07,939 But then option four: 603 00:35:07,939 --> 00:35:10,809 what if you want to learn a bunch of onion addresses, 604 00:35:10,809 --> 00:35:13,480 so you run new relays in the TOR network, 605 00:35:13,480 --> 00:35:15,599 and you sign them up and they get into a position 606 00:35:15,599 --> 00:35:18,159 where they can learn about onion addresses 607 00:35:18,159 --> 00:35:21,339 that are being published, and then you make a list internally. 608 00:35:21,339 --> 00:35:24,700 So that’s actually not cool, because 609 00:35:24,700 --> 00:35:26,630 it’s part of the TOR protocol 610 00:35:26,630 --> 00:35:29,549 that people providing onion addresses 611 00:35:29,549 --> 00:35:32,199 don’t expect those to become public, 612 00:35:32,199 --> 00:35:34,490 and we’ll talk later about ways that we have 613 00:35:34,490 --> 00:35:36,160 for being able to fix this. 
614 00:35:36,160 --> 00:35:39,640 So, if it’s a protocol problem that we know how to fix, 615 00:35:39,640 --> 00:35:43,160 and it’s inside TOR, and you’re misbehaving as a relay, 616 00:35:43,160 --> 00:35:46,239 then that’s not cool. So this is an example where, 617 00:35:46,239 --> 00:35:50,079 it’s sort of hard to reason through where we should draw the line, 618 00:35:50,079 --> 00:35:52,409 and I’d love to chat more with you all after that 619 00:35:52,409 --> 00:35:55,870 about where the line should be. 620 00:35:55,870 --> 00:35:58,809 And that leads to an example 621 00:35:58,809 --> 00:36:01,490 of some research that was done last year, 622 00:36:01,490 --> 00:36:04,820 by, we think, some folks at CMU, 623 00:36:04,820 --> 00:36:06,740 who attacked the TOR network, 624 00:36:06,740 --> 00:36:09,599 and, as far as I can tell, collected a dataset, 625 00:36:09,599 --> 00:36:11,570 and they collected more than they needed 626 00:36:11,570 --> 00:36:13,980 to answer their research questions. 627 00:36:13,980 --> 00:36:16,130 They didn’t do minimization, 628 00:36:16,130 --> 00:36:19,599 they didn’t attack only their own traffic, they didn’t use a test network, 629 00:36:19,599 --> 00:36:23,700 they basically violated every one of the guidelines from two slides ago. 630 00:36:23,700 --> 00:36:25,999 So that’s sort of a sad story, 631 00:36:25,999 --> 00:36:28,120 and that leads to the next question: 632 00:36:28,120 --> 00:36:31,040 Should we have some sort of TOR ethics review board? 
633 00:36:31,040 --> 00:36:34,150 Wouldn’t it be cool if, as a researcher, 634 00:36:34,150 --> 00:36:36,589 you write up what you’re trying to learn 635 00:36:36,589 --> 00:36:39,469 and why it’s safe, and how you’re going to do it, 636 00:36:39,469 --> 00:36:43,260 and you show that to other professors who help you decide whether you’re right, 637 00:36:43,260 --> 00:36:47,539 and then we go to the academic review journals and conferences, 638 00:36:47,539 --> 00:36:50,909 and we get them to expect, in your research paper, 639 00:36:50,909 --> 00:36:55,369 a little section on why this is responsible research. 640 00:36:55,369 --> 00:36:58,720 And, at that point, it’s expected that you have thought through that, 641 00:36:58,720 --> 00:37:03,120 and anybody who writes a paper without that section, 642 00:37:03,120 --> 00:37:06,250 everybody knows that they haven’t thought it through as much as they should. 643 00:37:06,250 --> 00:37:09,960 Wouldn’t that be a cool future world where research is done more responsibly 644 00:37:09,960 --> 00:37:13,569 around TOR, and around security more generally? 645 00:37:13,569 --> 00:37:18,810 *applause* 646 00:37:18,810 --> 00:37:21,509 Okay. So, there are a couple of problems 647 00:37:21,509 --> 00:37:25,609 in TOR Onion Service security right now. I’m gonna zip through them briefly 648 00:37:25,609 --> 00:37:28,979 so we can actually get to talk about them in more detail. The first one is, 649 00:37:28,979 --> 00:37:32,449 the onion identity keys are RSA 1024 bits. 650 00:37:32,449 --> 00:37:36,289 So, that is too short. We need to switch to ECC. 651 00:37:36,289 --> 00:37:38,870 Another one is, you, the adversary, 652 00:37:38,870 --> 00:37:41,890 can run relays, and choose your identity key 653 00:37:41,890 --> 00:37:44,329 so that you end up in the right place in the network 654 00:37:44,329 --> 00:37:47,899 in order to target – censor, surveil, whatever – 655 00:37:47,899 --> 00:37:51,270 certain onion addresses. 
And we’ll talk more about that also. 656 00:37:51,270 --> 00:37:53,650 Another one, I talked about that a few slides ago, 657 00:37:53,650 --> 00:37:57,610 you can run relays in order to learn about new onion addresses, 658 00:37:57,610 --> 00:37:59,650 and we’ve got some fixes for that. 659 00:37:59,650 --> 00:38:02,279 So those are 3 that are onion-address specific, 660 00:38:02,279 --> 00:38:05,550 onion-service specific, that we can solve. 661 00:38:05,550 --> 00:38:08,169 And then there are 3 issues that are much more broad. 662 00:38:08,169 --> 00:38:10,180 One of them is, 663 00:38:10,180 --> 00:38:12,510 bad guys can run hundreds of relays, 664 00:38:12,510 --> 00:38:15,930 and we need to learn how to notice that and protect against it. 665 00:38:15,930 --> 00:38:17,950 Another one is, 666 00:38:17,950 --> 00:38:20,049 you can run relays to learn more about 667 00:38:20,049 --> 00:38:22,320 the path selection that clients are going to do, 668 00:38:22,320 --> 00:38:25,679 and then there’s website fingerprinting. All of those are separate talks. 669 00:38:25,679 --> 00:38:28,240 I wanted to mention them here, I’m happy to talk about them later, 670 00:38:28,240 --> 00:38:31,600 but we don’t have time to get into them in detail. 671 00:38:31,600 --> 00:38:35,150 Okay, phase three, how do TOR Hidden Services, 672 00:38:35,150 --> 00:38:38,369 TOR Onion Services work right now? Just to give you some background, 673 00:38:38,369 --> 00:38:40,810 so that when we talk about the design improvements, 674 00:38:40,810 --> 00:38:42,939 you have a handle on what’s going on. 675 00:38:42,939 --> 00:38:46,939 So, we’ve got Alice over here, she wants to visit some Hidden Service Bob. 676 00:38:46,939 --> 00:38:50,319 The first step is, Bob generates a key, 677 00:38:50,319 --> 00:38:53,119 and he establishes 3 introduction points, 678 00:38:53,119 --> 00:38:55,159 3 circuits into the TOR network. 
679 00:38:55,159 --> 00:38:58,880 And then he publishes, to the big database in the sky, 680 00:38:58,880 --> 00:39:00,420 “Hi, this is my key, 681 00:39:00,420 --> 00:39:02,740 and these are my 3 introduction points.” 682 00:39:02,740 --> 00:39:06,489 And at that point, Alice somehow learns his onion address, 683 00:39:06,489 --> 00:39:09,860 and she goes to the database and pulls down the descriptor 684 00:39:09,860 --> 00:39:12,940 that has his key and the 3 introduction points 685 00:39:12,940 --> 00:39:15,809 and in parallel to that, she connects to the – 686 00:39:15,809 --> 00:39:19,120 she picks her own rendezvous point, and she builds a TOR circuit there. 687 00:39:19,120 --> 00:39:23,759 So at this point, Bob has 3 introduction points open in the TOR network, 688 00:39:23,759 --> 00:39:27,510 and Alice has one rendezvous point open in the TOR network. 689 00:39:27,510 --> 00:39:31,249 And at that point, Alice connects to one of the introduction points 690 00:39:31,249 --> 00:39:34,669 and says: “Hey, I want to connect to you, and I’m waiting over here. 691 00:39:34,669 --> 00:39:36,670 This is the address for my rendezvous point. 692 00:39:36,670 --> 00:39:39,659 If you want to talk back to me, I’m waiting right here.” 693 00:39:39,659 --> 00:39:42,969 And then at that point, Bob, if he wants to, 694 00:39:42,969 --> 00:39:45,029 makes a connection to the rendezvous point. 
695 00:39:45,029 --> 00:39:47,409 So now Alice has a connection to the rendezvous point, 696 00:39:47,409 --> 00:39:49,559 and Bob has a connection to the rendezvous point, 697 00:39:49,559 --> 00:39:52,400 and at that point they do the crypto handshake 698 00:39:52,400 --> 00:39:54,909 so that they get end-to-end encryption, 699 00:39:54,909 --> 00:39:58,139 and then, as the last step, they’re able to send traffic 700 00:39:58,139 --> 00:40:01,209 over that circuit, where Alice has 3 hops, 701 00:40:01,209 --> 00:40:02,810 and Bob has three hops, 702 00:40:02,810 --> 00:40:05,509 and they’re able to provide security from that point. 703 00:40:05,509 --> 00:40:07,169 So that’s a very brief summary 704 00:40:07,169 --> 00:40:09,379 of how the handshake works, 705 00:40:09,379 --> 00:40:11,889 in Hidden Service land. 706 00:40:11,889 --> 00:40:15,500 So, in the previous slide, I was talking about this database in the sky. 707 00:40:15,500 --> 00:40:19,270 Once upon a time, that was just 3 computers. 708 00:40:19,270 --> 00:40:21,119 I ran 2 of them. 709 00:40:21,119 --> 00:40:24,110 Another directory authority operator ran the third. 710 00:40:24,110 --> 00:40:28,419 And then, we switched to distributing that over the entire TOR network, 711 00:40:28,419 --> 00:40:31,150 so there are 8000 relays… 712 00:40:31,150 --> 00:40:36,919 So imagine the hash of each relay’s identity key on this hash ring. 713 00:40:36,919 --> 00:40:39,810 There are 6 relays at any given point 714 00:40:39,810 --> 00:40:42,619 that are responsible for knowing 715 00:40:42,619 --> 00:40:44,649 where a given Onion Service is. 
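The handshake Roger just walked through – Bob publishes his key and introduction points to the distributed database, Alice fetches the descriptor, picks a rendezvous point, and introduces herself – can be sketched as a toy message sequence. There is no real networking or crypto here; every name and structure is illustrative:

```python
# Toy walk-through of the rendezvous steps described above. All names
# and structures are illustrative; no networking or crypto happens here.

directory = {}  # the "big database in the sky"

def bob_publish(onion_addr, key, intro_points):
    # Bob opens circuits to 3 introduction points and publishes a
    # descriptor listing his key and those points.
    directory[onion_addr] = {"key": key, "intro_points": intro_points}

def alice_connect(onion_addr, rendezvous_point):
    # Alice fetches the descriptor, then asks one of the introduction
    # points to tell Bob where she is waiting.
    desc = directory[onion_addr]
    intro = desc["intro_points"][0]
    message_to_bob = {"via": intro, "rendezvous": rendezvous_point}
    return desc["key"], message_to_bob

bob_publish("example.onion", key="bob-pubkey", intro_points=["R1", "R2", "R3"])
key, intro_msg = alice_connect("example.onion", rendezvous_point="R9")

# Bob, if he wants to, now connects to R9 as well; both sides hold a
# 3-hop circuit to the rendezvous point and run the end-to-end handshake.
print(key)        # bob-pubkey
print(intro_msg)  # {'via': 'R1', 'rendezvous': 'R9'}
```

The key property to notice: the directory only ever sees the descriptor, and the rendezvous point only ever sees two circuits meeting; neither learns where Bob actually is.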
716 00:40:44,649 --> 00:40:47,679 So, when I’m running my own Onion Service, 717 00:40:47,679 --> 00:40:50,400 I compute which 6 relays they are, 718 00:40:50,400 --> 00:40:52,390 and I publish my descriptor to them, 719 00:40:52,390 --> 00:40:54,509 and when I’m the client and I want to go there, 720 00:40:54,509 --> 00:40:56,819 I compute which 6 relays they are, 721 00:40:56,819 --> 00:41:00,119 and I go to any one of them, and I can fetch the descriptor. 722 00:41:00,119 --> 00:41:03,260 So, the way that we actually generate 723 00:41:03,260 --> 00:41:07,660 the predictable set of which relays they are, 724 00:41:07,660 --> 00:41:10,909 is this hash function up on the top. So you look at the onion address, 725 00:41:10,909 --> 00:41:13,969 you look at what day it is, the time period, 726 00:41:13,969 --> 00:41:16,090 and other things that are pretty static. 727 00:41:16,090 --> 00:41:18,520 So that’s how both sides can compute 728 00:41:18,520 --> 00:41:20,880 which relays they should go to 729 00:41:20,880 --> 00:41:25,629 when they’re publishing or fetching a descriptor. 730 00:41:27,209 --> 00:41:32,229 George: Okay, so, back to the security issues again. 731 00:41:32,229 --> 00:41:34,289 A few years ago, like 2 or 3 years ago, 732 00:41:34,289 --> 00:41:36,309 we started looking into Hidden Services 733 00:41:36,309 --> 00:41:38,769 and enumerating the various problems. 734 00:41:38,769 --> 00:41:40,870 Various people wrote papers about 735 00:41:40,870 --> 00:41:43,579 some open issues of security and stuff. 736 00:41:43,579 --> 00:41:47,969 So in 2013 we wrote the first proposal, 737 00:41:47,969 --> 00:41:51,179 called next generation Hidden Services, 738 00:41:51,179 --> 00:41:55,100 which basically details various ways for improving security, 739 00:41:55,100 --> 00:41:57,910 better crypto, blah blah blah, blah blah blah.
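The "which 6 relays" computation Roger described (the hash function on the slide) can be sketched as a hash ring: hash every relay identity onto a ring, hash the onion address together with the time period, and take the 6 relays that follow that point. The real formula has more inputs (replica index, descriptor cookie), so this is a deliberate simplification with illustrative names:

```python
# Sketch of the hash-ring placement described above: both the service and
# the client derive the same point on the ring from (onion address, time
# period) and take the next 6 relays clockwise. The real TOR formula has
# additional inputs; this is a simplification.

import hashlib

def h(data: str) -> int:
    return int.from_bytes(hashlib.sha256(data.encode()).digest()[:8], "big")

def responsible_relays(onion_addr, time_period, relay_ids, k=6):
    point = h(f"{onion_addr}|{time_period}")
    ring = sorted(relay_ids, key=h)
    # First relay whose ring position follows the descriptor's point,
    # wrapping around to the start of the ring if necessary.
    start = next((i for i, r in enumerate(ring) if h(r) >= point), 0)
    return [ring[(start + i) % len(ring)] for i in range(k)]

relays = [f"relay{i}" for i in range(40)]
today = responsible_relays("example.onion", "2015-12-30", relays)
print(len(today))  # 6
# A different time period generally moves the service to different relays:
print(responsible_relays("example.onion", "2015-12-31", relays))
```

Because the time period is an input, the responsible set rotates every day, and because everything else is static, anyone can evaluate the function for dates far in the future: that is exactly the predictability problem George turns to next.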
740 00:41:57,910 --> 00:42:02,210 This happened like 2 years ago, and we still haven’t 741 00:42:02,210 --> 00:42:05,919 started heavily developing it, because of the lack of, 742 00:42:05,919 --> 00:42:09,480 basically, developers, since Hidden Services were 743 00:42:09,480 --> 00:42:13,769 a largely volunteer-driven project until like a year ago or so. 744 00:42:13,769 --> 00:42:17,090 So everything was done in our spare time, basically. 745 00:42:17,090 --> 00:42:21,129 But we’ve been writing proposals, 746 00:42:21,129 --> 00:42:23,980 we’ve been active anyway. 747 00:42:23,980 --> 00:42:27,620 We’re going to start looking over the various security issues 748 00:42:27,620 --> 00:42:30,920 and the ways to fix them, let’s say. 749 00:42:30,920 --> 00:42:34,699 The first one, we call it HSDir predictability, 750 00:42:34,699 --> 00:42:38,549 and it touches the subject that Roger mentioned, 751 00:42:38,549 --> 00:42:40,399 the database in the sky. 752 00:42:40,399 --> 00:42:43,400 It is basically that a Hidden Service 753 00:42:43,400 --> 00:42:47,270 at any given time has 6 Hidden Service directories, 754 00:42:47,270 --> 00:42:51,160 6 relays of the network, being responsible for it. 755 00:42:51,160 --> 00:42:54,970 So every day, each Hidden Service has 6 relays 756 00:42:54,970 --> 00:42:57,819 responsible for it, and it chooses them 757 00:42:57,819 --> 00:43:00,789 using this weird hash formula there. 758 00:43:00,789 --> 00:43:04,210 Which, as you can see, is deterministic, 759 00:43:04,210 --> 00:43:07,239 so all of the inputs are static, apart from the time-period, 760 00:43:07,239 --> 00:43:09,380 which rotates every day.
761 00:43:09,380 --> 00:43:11,819 But the problem is that, because it’s deterministic, 762 00:43:11,819 --> 00:43:15,720 you can basically plug in the onion address you want 763 00:43:15,720 --> 00:43:17,460 and a time period in the future 764 00:43:17,460 --> 00:43:19,990 and you can basically predict the result of that function, 765 00:43:19,990 --> 00:43:22,209 like, 2 months from now. 766 00:43:22,209 --> 00:43:24,739 So, you can basically know 767 00:43:24,739 --> 00:43:29,020 which relays will be responsible for a Hidden Service in 2 months 768 00:43:29,020 --> 00:43:32,680 and, if you’re a bad guy, maybe you’ll go and inject yourself into that place 769 00:43:32,680 --> 00:43:36,090 and you will become the HSDir of a Hidden Service 770 00:43:36,090 --> 00:43:39,370 and then you can, like, monitor its activity 771 00:43:39,370 --> 00:43:41,739 or you can do DoS attacks. 772 00:43:41,739 --> 00:43:44,430 So this is not something we like, and 773 00:43:44,430 --> 00:43:47,669 we will attempt to fix it. 774 00:43:47,669 --> 00:43:51,360 Our idea for fixing it is that 775 00:43:51,360 --> 00:43:54,899 we will have to turn it from deterministic into a probabilistic thing, 776 00:43:54,899 --> 00:43:58,759 and we do this by adding a random value to it. 777 00:43:58,759 --> 00:44:02,149 And this random value is basically a fresh random value 778 00:44:02,149 --> 00:44:05,750 that the network is going to be generating every day. 779 00:44:05,750 --> 00:44:10,559 So, how we do this is we use the 9 directory authorities of the network; 780 00:44:10,559 --> 00:44:13,700 they’re these 9 computers, they’re hardcoded in the source code 781 00:44:13,700 --> 00:44:16,620 and they’re considered semi-trusted. 
782 00:44:16,620 --> 00:44:18,809 And basically we wrote the protocol 783 00:44:18,809 --> 00:44:22,750 where all these 9 directory authorities do a little dance 784 00:44:22,750 --> 00:44:27,829 and, at the end of the day, they have a fresh random value every day. 785 00:44:27,829 --> 00:44:31,880 It’s not something new, it uses a commit-and-reveal protocol, 786 00:44:31,880 --> 00:44:35,430 which is some way to do some sort of 787 00:44:35,430 --> 00:44:37,710 distributed random number generation. 788 00:44:37,710 --> 00:44:40,740 And then every day they make this random value, 789 00:44:40,740 --> 00:44:42,210 they put it in the consensus, 790 00:44:42,210 --> 00:44:46,149 and then Hidden Services and Hidden Service users 791 00:44:46,149 --> 00:44:48,300 take the random value from the consensus, 792 00:44:48,300 --> 00:44:50,689 plug it into that formula, and they use it. 793 00:44:50,689 --> 00:44:53,950 And since this is a supposedly secure protocol, 794 00:44:53,950 --> 00:44:57,949 I shouldn’t be able to predict what the random value is going to be in 2 months. 795 00:44:57,949 --> 00:45:00,039 Hence, I cannot go and inject myself 796 00:45:00,039 --> 00:45:03,929 into that position in the database, basically. 797 00:45:03,929 --> 00:45:08,870 And this is the way we fix this problem. 798 00:45:10,810 --> 00:45:15,660 David: Right, continuing now on the next generation Hidden Services. 799 00:45:15,660 --> 00:45:18,320 The key thing is better crypto. 800 00:45:18,320 --> 00:45:21,010 Right now we have RSA-1024 and SHA-1, 801 00:45:21,010 --> 00:45:24,409 which are considered completely bad to use, 802 00:45:24,409 --> 00:45:26,079 and we’re going to use, of course, 803 00:45:26,079 --> 00:45:29,799 the work of this fancy man there, Daniel. 804 00:45:29,799 --> 00:45:34,100 So it’s basically Ed25519 for encrypting and signing 805 00:45:34,100 --> 00:45:36,559 and, of course, using SHA-256. 
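The commit-and-reveal dance between the 9 directory authorities can be illustrated with a toy model like the one below. This is a sketch only: the real protocol adds voting rounds, timing rules, and misbehavior handling, and the class and function names here are made up.

```python
import hashlib
import os

class Authority:
    """One directory authority in a toy commit-and-reveal round."""
    def __init__(self):
        self.secret = os.urandom(32)  # reveal value, kept private at first

    def commit(self) -> bytes:
        # Published first: a hash that pins down the secret without exposing it.
        return hashlib.sha256(self.secret).digest()

    def reveal(self) -> bytes:
        # Published only after everyone's commit is out.
        return self.secret

def shared_random(authorities) -> bytes:
    commits = [a.commit() for a in authorities]   # commit phase
    reveals = [a.reveal() for a in authorities]   # reveal phase
    # Everyone checks each reveal against its earlier commit ...
    for c, r in zip(commits, reveals):
        assert hashlib.sha256(r).digest() == c
    # ... then hashes all reveals together into the day's random value.
    return hashlib.sha256(b"".join(sorted(reveals))).digest()
```

Because every authority must publish its commit before seeing anyone’s reveal, no single authority can steer the final value, and nobody outside can predict it 2 months ahead.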
806 00:45:36,559 --> 00:45:42,269 Right now, in TOR, we are experimenting with an upstream implementation of SHA-3. 807 00:45:42,269 --> 00:45:46,810 Although, apparently, we’re not sure if SHA-256 or SHA-3 will be used, but 808 00:45:46,810 --> 00:45:51,289 right now SHA-256 is a contender because it goes way faster than SHA-3. 809 00:45:51,289 --> 00:45:56,419 SHA-3 has more things. Still pending. But, for now, elliptic curves. 810 00:45:56,419 --> 00:45:59,859 So, what to take from that is: next generation Hidden Services, 811 00:45:59,859 --> 00:46:04,049 which we are actively working on right now, 812 00:46:04,049 --> 00:46:07,769 will drop all dead crypto. 813 00:46:07,769 --> 00:46:09,859 One of the big changes that’s coming up 814 00:46:09,859 --> 00:46:12,689 is the onion addresses. 815 00:46:12,689 --> 00:46:15,859 On top you have the current onion address, 816 00:46:15,859 --> 00:46:18,279 and it’s going to move to 52 characters, 817 00:46:18,279 --> 00:46:20,849 so, basically, your public key. 818 00:46:20,849 --> 00:46:24,399 This is maybe considered painful for you guys, 819 00:46:24,399 --> 00:46:26,440 and for us it’s extremely painful 820 00:46:26,440 --> 00:46:30,009 to enter this address or just to type in an address like that, 821 00:46:30,009 --> 00:46:32,200 so, you know, there’s an open proposal right now, 822 00:46:32,200 --> 00:46:35,130 or I think there’s an email thread on our mailing list, 823 00:46:35,130 --> 00:46:39,140 on coming up with some more fancy way 824 00:46:39,140 --> 00:46:43,630 to remember an onion address of that size. 825 00:46:43,630 --> 00:46:48,809 Like, remembering words that just mash together and create that address. 826 00:46:48,809 --> 00:46:51,350 So, yeah. 827 00:46:51,350 --> 00:46:54,719 Now, as Hidden Services evolve, 828 00:46:54,719 --> 00:46:58,649 one of the things we really want to do is make them faster. 
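The jump from 16 to 52 characters follows directly from base32-encoding a 32-byte public key, which can be shown in a couple of lines. This is only a sketch of the idea as described in the talk; the function name is made up, and the final next-generation format may fold extra version or checksum bits into the address.

```python
import base64
import os

def onion_address_sketch(public_key: bytes) -> str:
    """Illustration only: base32-encode a 32-byte public key the way the
    talk describes.  256 bits / 5 bits per base32 character = 51.2, so the
    address body is 52 characters (the base64 module pads the encoding out
    to 56 characters with '=', which is stripped here)."""
    assert len(public_key) == 32
    body = base64.b32encode(public_key).decode().lower().rstrip("=")
    return body + ".onion"
```

Compare that to the current 16-character addresses, which are a truncated hash of an RSA-1024 key; encoding the full key means the address itself is self-authenticating, at the cost of being much harder to type.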
829 00:46:58,649 --> 00:47:01,759 The big difference between Hidden Services in the network 830 00:47:01,759 --> 00:47:04,010 and a normal TOR circuit in the network is that 831 00:47:04,010 --> 00:47:06,190 normal TOR circuits usually have 3 hops, 832 00:47:06,190 --> 00:47:08,280 while in Hidden Services you have 3 hops from the client 833 00:47:08,280 --> 00:47:12,060 and 3 hops from the service. Thus you have 6 hops. 834 00:47:12,060 --> 00:47:16,479 So of course it takes much more time to go through all the relays 835 00:47:16,479 --> 00:47:19,899 than a normal circuit. Now we have this proposal going on which is 836 00:47:19,899 --> 00:47:24,150 Rendezvous Single Onion Services. And the point is, you’re gonna do the dance, 837 00:47:24,150 --> 00:47:28,410 the introduction, the rendezvous, and then once you go to the rendezvous, 838 00:47:28,410 --> 00:47:32,529 instead of the service going 3 hops, you’re gonna go 1 hop to the service. 839 00:47:32,529 --> 00:47:37,550 So in here we have this artist wanting to update their Debian machine, 840 00:47:37,550 --> 00:47:41,211 let’s say, and the Debian server doesn’t care really much 841 00:47:41,211 --> 00:47:44,080 about anonymity, because we know where the Debian servers are, 842 00:47:44,080 --> 00:47:48,489 and that’s fine. Thus, clients still have anonymity with the 3 hops, 843 00:47:48,489 --> 00:47:53,479 but the service doesn’t care, so only 1 hop. And it goes way faster. 844 00:47:53,479 --> 00:47:58,160 So that’s something we hopefully will end up deploying soon. 845 00:47:58,160 --> 00:48:01,899 Now, the second one is the Single Onion Service. It’s roughly the same, 846 00:48:01,899 --> 00:48:07,430 so we have this chef here wanting to go to his Fairtrade website, you know, whatever, 847 00:48:07,430 --> 00:48:11,929 and the difference here is that we are going to skip completely 848 00:48:11,929 --> 00:48:14,790 the introduction and rendezvous dance. 
849 00:48:14,790 --> 00:48:17,979 And you’re going to do a 3 hop circuit to a rendezvous point, 850 00:48:17,979 --> 00:48:23,799 where the Hidden Service has, let’s say, let’s call it a node, 851 00:48:23,799 --> 00:48:27,129 an introduction point, which is the yellow line, 852 00:48:27,129 --> 00:48:29,849 and then the client will go to that introduction point, 853 00:48:29,849 --> 00:48:32,999 and instead of having this current dance, 854 00:48:32,999 --> 00:48:35,399 the client extends to the service. 855 00:48:35,399 --> 00:48:38,240 And now we have a 3 hop thing, 856 00:48:38,240 --> 00:48:43,279 no prior work being done for introduction or rendezvous, 857 00:48:43,279 --> 00:48:44,729 and it goes way faster. 858 00:48:44,729 --> 00:48:48,619 Again, those 2 here and here 859 00:48:48,619 --> 00:48:54,209 are optimizations for services that do not care about anonymity. 860 00:48:54,209 --> 00:48:58,190 And there are plenty of use cases for that. Facebook, for instance, 861 00:48:58,190 --> 00:49:01,820 or Debian repositories, and so on. 862 00:49:01,820 --> 00:49:04,840 Roger: Am I still on? Great. Facebook and Debian are really excited about 863 00:49:04,840 --> 00:49:09,229 having one of these options so that they can have all of their users 864 00:49:09,229 --> 00:49:12,859 reach their service with all the cool security properties we talked about 865 00:49:12,859 --> 00:49:16,049 but also a lot faster and more scalable 866 00:49:16,049 --> 00:49:19,239 than the current design. 867 00:49:19,239 --> 00:49:23,589 David: Precisely. So, one of the very cool things we did this summer 868 00:49:23,589 --> 00:49:27,929 was the TOR Summer of Privacy. We got some people in, 869 00:49:27,929 --> 00:49:31,630 whom we can consider interns or students, whatever, 870 00:49:31,630 --> 00:49:37,920 and one of these projects – that came out of this cool person that is Donncha – 871 00:49:37,920 --> 00:49:42,070 created OnionBalance. So it’s a way of load-balancing Hidden Services. 
872 00:49:42,070 --> 00:49:45,649 So as you create a Hidden Service with the top key, 873 00:49:45,649 --> 00:49:48,360 then you copy that key to multiple machines, 874 00:49:48,360 --> 00:49:51,659 so all those servers will start creating a descriptor. 875 00:49:51,659 --> 00:49:55,859 Basically the descriptor, if you remember, is how to reach me. 876 00:49:55,859 --> 00:50:00,080 And we’re going to cherry-pick introduction points from each 877 00:50:00,080 --> 00:50:03,949 and create a master descriptor that you can see in that picture; 878 00:50:03,949 --> 00:50:06,709 and that master descriptor is what clients will use. 879 00:50:06,709 --> 00:50:08,499 Thus you load-balance the network 880 00:50:08,499 --> 00:50:11,629 depending on introduction points and the instance. 881 00:50:11,629 --> 00:50:13,639 And this is great! And we actually know 882 00:50:13,639 --> 00:50:17,559 that Facebook will actively start beta-testing this thing, 883 00:50:17,559 --> 00:50:20,950 so we can have load-balancing and CDNs 884 00:50:20,950 --> 00:50:26,620 and make things much easier for onion addresses. 885 00:50:26,620 --> 00:50:30,440 So, just before I give these slides to Roger: 886 00:50:30,440 --> 00:50:33,109 the next generation Onion Services is something 887 00:50:33,109 --> 00:50:35,429 that has been around for 2 years now, 888 00:50:35,429 --> 00:50:39,559 and now we’re going to start working on it actively in 2016, 889 00:50:39,559 --> 00:50:42,720 with almost 4 full-time developers on that. 890 00:50:42,720 --> 00:50:45,889 It’s still not enough, we need more… we need resources because we need to get away 891 00:50:45,889 --> 00:50:49,099 from funding that restricts us from working on Onion Services, 892 00:50:49,099 --> 00:50:52,180 which we have a bit of now. So resources are very, very important, 893 00:50:52,180 --> 00:50:54,729 so we can get this thing done, which is extremely important. 
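The cherry-picking that OnionBalance does, as described above, can be sketched like this. It is a toy model with made-up field names; the real tool operates on actual Hidden Service descriptors and signs the combined result with the master key.

```python
import itertools

def master_descriptor(instance_descriptors, max_intro_points=10):
    """Toy sketch of combining backend descriptors: round-robin across the
    instances' introduction points so every backend stays reachable through
    the single master descriptor that clients fetch."""
    columns = itertools.zip_longest(
        *(d["intro_points"] for d in instance_descriptors))
    interleaved = [ip for col in columns for ip in col if ip is not None]
    return {"intro_points": interleaved[:max_intro_points]}
```

The interleaving matters: clients pick an introduction point from the master descriptor more or less at random, so spreading the slots evenly across instances is what spreads the load.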
894 00:50:54,729 --> 00:50:59,750 And in the next year, we hope to get this thing here done. 895 00:50:59,750 --> 00:51:06,749 *applause* 896 00:51:07,319 --> 00:51:10,580 Roger: Great, so there are a couple of important takeaways from 897 00:51:10,580 --> 00:51:12,619 what we’ve been describing to you today. 898 00:51:12,619 --> 00:51:15,929 One big one is, there are a lot of 899 00:51:15,929 --> 00:51:17,890 different types of Onion Services out there. 900 00:51:17,890 --> 00:51:19,689 There are a lot more than people think. 901 00:51:19,689 --> 00:51:22,639 Everybody looks at Hidden Services and says: “Oh, 902 00:51:22,639 --> 00:51:25,970 they’re for websites that the government hates” or something like that. 903 00:51:25,970 --> 00:51:30,080 But there are examples like Ricochet, like Facebook, 904 00:51:30,080 --> 00:51:32,290 like GlobaLeaks, like SecureDrop. 905 00:51:32,290 --> 00:51:34,659 All of these different examples are 906 00:51:34,659 --> 00:51:38,290 cool things you can do with better security properties 907 00:51:38,290 --> 00:51:42,710 for your communication. So it’s not about hiding where the website is, 908 00:51:42,710 --> 00:51:44,970 it’s about getting more secure ways 909 00:51:44,970 --> 00:51:48,529 of reaching websites and other services around the world. 910 00:51:48,529 --> 00:51:52,799 So another key point: this is still a tiny fraction of the overall TOR network. 911 00:51:52,799 --> 00:51:55,339 We have millions of people using TOR every day, 912 00:51:55,339 --> 00:51:59,169 and something like 5% of the traffic through the TOR network 913 00:51:59,169 --> 00:52:02,050 is Hidden-Service, or Onion-Service related. 914 00:52:02,050 --> 00:52:04,769 So it was 3% last year, it’s 5% now, 915 00:52:04,769 --> 00:52:08,289 it’s going up, sounds good, but it’s still a tiny fraction. 
916 00:52:08,289 --> 00:52:12,270 And maybe that’s good, because when you’re using an Onion Service right now, 917 00:52:12,270 --> 00:52:14,270 you put double load on the TOR network, 918 00:52:14,270 --> 00:52:17,269 because both sides build their own circuit. 919 00:52:17,269 --> 00:52:20,959 Whereas if we switch to some of these designs that David was talking about, 920 00:52:20,959 --> 00:52:24,100 then it will be much more scalable and much more efficient, 921 00:52:24,100 --> 00:52:28,780 and it would be really cool to have Amazon, and Facebook, 922 00:52:28,780 --> 00:52:32,009 and Twitter, and Wikipedia, and so on, 923 00:52:32,009 --> 00:52:36,780 all allowing people to get more security, while using TOR, 924 00:52:36,780 --> 00:52:41,989 while preventing places like Facebook from learning where they are today. 925 00:52:41,989 --> 00:52:45,869 Another key point: we’ve got all these cool designs that we touched on briefly, 926 00:52:45,869 --> 00:52:48,939 we’d be happy to tell you more about them after the talk, 927 00:52:48,939 --> 00:52:52,629 and then the last point: if you run a cool service out there, 928 00:52:52,629 --> 00:52:55,000 please set up an onion version of it, 929 00:52:55,000 --> 00:52:57,749 please set up an onion address for your cool service, 930 00:52:57,749 --> 00:53:01,490 so that the typical average onion service in the world 931 00:53:01,490 --> 00:53:04,989 becomes a totally normal website or other service 932 00:53:04,989 --> 00:53:09,449 that totally ordinary people go to. And that’s how we will mainstream this thing 933 00:53:09,449 --> 00:53:11,699 and take over the world. 934 00:53:11,699 --> 00:53:18,699 *applause* 935 00:53:18,699 --> 00:53:22,359 *applause* 936 00:53:22,359 --> 00:53:24,350 And then, as a final point, 937 00:53:24,350 --> 00:53:27,450 we are in the middle of our first ever donation campaign. 
938 00:53:27,450 --> 00:53:30,219 We are actually trying to grow 939 00:53:30,219 --> 00:53:32,670 a base of people who want to support TOR 940 00:53:32,670 --> 00:53:35,170 in the same way that EFF has done. 941 00:53:35,170 --> 00:53:38,679 So it would be wonderful… I don’t want to throw away all of our Government funders, 942 00:53:38,679 --> 00:53:41,349 at least not right now, but I would like to get to the point 943 00:53:41,349 --> 00:53:44,789 where we have other options, more sustainability, 944 00:53:44,789 --> 00:53:47,529 and we don’t have to look at each new funding proposal 945 00:53:47,529 --> 00:53:50,600 and wonder if we have to un-fund people if we don’t get it. 946 00:53:50,600 --> 00:53:53,200 So I’d love to have much more diversity 947 00:53:53,200 --> 00:53:56,370 in the type of people who are helping TOR to exist 948 00:53:56,370 --> 00:53:59,040 and thrive and help save the world. 949 00:53:59,040 --> 00:54:01,030 So, please consider helping. 950 00:54:01,030 --> 00:54:07,779 *applause* 951 00:54:07,779 --> 00:54:11,669 Herald: Thanks a lot for this awesome talk, we have 6 minutes left for questions 952 00:54:11,669 --> 00:54:13,639 and please line up at the microphones 953 00:54:13,639 --> 00:54:17,069 1, 2, 3, 4, 5, and 6 down here. 954 00:54:17,069 --> 00:54:19,140 And while you are doing that, 955 00:54:19,140 --> 00:54:21,569 we would like to hear a question from the Internet. 956 00:54:21,569 --> 00:54:24,449 Signal Angel: Thank you. I have a bunch of questions regarding 957 00:54:24,449 --> 00:54:27,640 compromised onion addresses. Herald: Start with one. 958 00:54:27,640 --> 00:54:30,680 Signal: Do we have a kind of evil twin problem 959 00:54:30,680 --> 00:54:35,760 and what can I do if my onion address is compromised? 960 00:54:35,760 --> 00:54:37,999 When there are widespread services 961 00:54:37,999 --> 00:54:41,829 on the TOR net, like Amazon, 962 00:54:41,829 --> 00:54:45,639 how do I know which one is the official service? 
963 00:54:45,639 --> 00:54:47,249 Roger: So the first question: 964 00:54:47,249 --> 00:54:51,419 if your onion key gets stolen or something like that, 965 00:54:51,419 --> 00:54:54,089 that’s the same as the SSL problem. 966 00:54:54,089 --> 00:54:57,270 How do you keep the certificate for your web server safe? 967 00:54:57,270 --> 00:55:00,750 The answer is: you should keep it safe just like you keep everything else safe. 968 00:55:00,750 --> 00:55:05,170 And if somebody gets the key for your onion address, sucks to be you. 969 00:55:05,170 --> 00:55:07,579 Don’t let them do that. For the second question, 970 00:55:07,579 --> 00:55:10,890 how do you know that a given onion address is Amazon’s? 971 00:55:10,890 --> 00:55:13,469 That ties into the certificate authority, 972 00:55:13,469 --> 00:55:17,940 the https, the EV cert discussion that we talked about, 973 00:55:17,940 --> 00:55:23,440 where we need to somehow bind into Amazon’s SSL certificate 974 00:55:23,440 --> 00:55:27,529 the fact that it’s Amazon, and that this is their alternate onion address. 975 00:55:27,529 --> 00:55:30,070 We need to put those in the same certificate, 976 00:55:30,070 --> 00:55:32,250 so that everybody knows, if you’re getting one, 977 00:55:32,250 --> 00:55:35,219 then you know it’s really Amazon. 978 00:55:35,219 --> 00:55:38,729 H: Thank you. I would like to hear the question from microphone 1, 979 00:55:38,729 --> 00:55:41,430 and remember to keep it short and concise. 980 00:55:41,430 --> 00:55:43,589 Q: Again, the addressing issue: 981 00:55:43,589 --> 00:55:47,240 switching from 16 to 52 characters is nice, 982 00:55:47,240 --> 00:55:52,389 but if we have to change the algorithm again, 983 00:55:52,389 --> 00:55:54,960 wouldn’t it be nice to have, like, a prefix 984 00:55:54,960 --> 00:55:59,549 to determine the algorithm for the address? 
985 00:55:59,549 --> 00:56:02,299 Roger: Yes, we actually have a couple of extra bits 986 00:56:02,299 --> 00:56:05,070 in those 52 characters and we could use them 987 00:56:05,070 --> 00:56:07,280 for versioning or all sorts of things. 988 00:56:07,280 --> 00:56:10,529 And there are some examples of that in the proposals, 989 00:56:10,529 --> 00:56:13,210 I don’t think we’ve fixed on any answer yet. 990 00:56:13,210 --> 00:56:16,789 So, we’d love to have your help. 991 00:56:16,789 --> 00:56:19,919 H: Thank you. Please, microphone number 3. 992 00:56:19,919 --> 00:56:22,479 Q: Hey, you gave us a couple of examples 993 00:56:22,479 --> 00:56:24,980 from Facebook, and I was just wondering 994 00:56:24,980 --> 00:56:28,349 if there’s any sort of affiliation between 995 00:56:28,349 --> 00:56:31,759 Facebook and TOR, or if Facebook just happens to be really keen 996 00:56:31,759 --> 00:56:36,840 on offering their services in less democratic jurisdictions? 997 00:56:36,840 --> 00:56:39,279 Roger: There’s a nice guy named Alec up here, 998 00:56:39,279 --> 00:56:43,400 who on his own thought of making Facebook more secure using TOR, 999 00:56:43,400 --> 00:56:46,489 and he went and did it, and then we realized that he was right, 1000 00:56:46,489 --> 00:56:49,119 so we’ve been trying to help him ever since. 1001 00:56:49,119 --> 00:56:53,030 *applause* 1002 00:56:53,030 --> 00:56:57,599 H: Thanks a lot. Microphone number 4. 1003 00:56:57,599 --> 00:57:00,779 Q: You said that you want more and more people 1004 00:57:00,779 --> 00:57:03,999 to run Hidden Services. 1005 00:57:03,999 --> 00:57:06,349 My question for this is, 1006 00:57:06,349 --> 00:57:09,630 are there any guidelines on how to do that? 1007 00:57:09,630 --> 00:57:12,680 Examples of how to do it with specific services? 1008 00:57:12,680 --> 00:57:16,850 Because from what I’ve seen, I tried doing this for some of the services I run, 1009 00:57:16,850 --> 00:57:20,839 that it’s not… it’s painful, most of the time. 
1010 00:57:20,839 --> 00:57:23,809 And with the increase of the addresses right now, 1011 00:57:23,809 --> 00:57:28,200 the size of the addresses is going to become more and more painful. And 1012 00:57:28,200 --> 00:57:32,230 one of the things that I’d love to see, 1013 00:57:32,230 --> 00:57:35,639 for example, is a DNS record type that’s .onion 1014 00:57:35,639 --> 00:57:40,030 that you can add to your normal DNS records 1015 00:57:40,030 --> 00:57:43,029 so people can just look into that and 1016 00:57:43,029 --> 00:57:46,779 choose between A, AAAA, and onion to connect to it. 1017 00:57:46,779 --> 00:57:49,259 Roger: Yeah. For that last one, for the DNS side, 1018 00:57:49,259 --> 00:57:52,339 if we have DNSSEC, thumbs up. 1019 00:57:52,339 --> 00:57:54,829 If we don’t have DNSSEC, I don’t want to have 1020 00:57:54,829 --> 00:57:58,990 that terrible security link as one of the first steps. 1021 00:57:58,990 --> 00:58:01,429 I don’t want to trust the local DNS resolver 1022 00:58:01,429 --> 00:58:03,080 to tell me I can go somewhere else 1023 00:58:03,080 --> 00:58:05,879 and then after that, if I get the right address, I’m safe. 1024 00:58:05,879 --> 00:58:07,690 That sounds terrible. 1025 00:58:07,690 --> 00:58:12,139 George: So, on how to set up Hidden Services correctly, 1026 00:58:12,139 --> 00:58:16,010 I think Riseup recently published some sort of guidelines 1027 00:58:16,010 --> 00:58:19,959 with various ways you can tweak it and make it more secure. 1028 00:58:19,959 --> 00:58:23,479 I think there are also some on the TOR Wiki. 
1029 00:58:23,479 --> 00:58:26,799 But in general you’re right that there are various ways you can mess up this thing 1030 00:58:26,799 --> 00:58:29,689 and it’s not super easy for anyone here 1031 00:58:29,689 --> 00:58:33,000 to set up a Hidden Service right now, 1032 00:58:33,000 --> 00:58:35,309 and hopefully in the future we will be able 1033 00:58:35,309 --> 00:58:38,750 to have an easier way for people to set up Hidden Services, 1034 00:58:38,750 --> 00:58:41,919 maybe provide a bundle that you double-click 1035 00:58:41,919 --> 00:58:45,499 and it spawns up a blog, or a Docker image, 1036 00:58:45,499 --> 00:58:49,660 I don’t know. It’s still one of the things we really need to look into. 1037 00:58:49,660 --> 00:58:52,900 Roger: It would be really cool to have a server version of Tails 1038 00:58:52,900 --> 00:58:56,449 that has all of this built in, with a, like, Python web server 1039 00:58:56,449 --> 00:59:00,469 that’s hard to break into and automatically configured safely. 1040 00:59:00,469 --> 00:59:03,780 That would be something that would make a lot of people able to do this 1041 00:59:03,780 --> 00:59:07,619 more conveniently and not screw up when they’re doing it. 1042 00:59:07,619 --> 00:59:13,150 H: Okay! *applause* 1043 00:59:13,150 --> 00:59:16,859 So we have a bit less than 1 minute left, so I would say “Last question” 1044 00:59:16,859 --> 00:59:19,989 and let’s say microphone number 3 for that. 1045 00:59:19,989 --> 00:59:22,579 Q: Hello, I have two small questions. H: No, one. 1046 00:59:22,579 --> 00:59:24,799 Q: One, okay. *laughter* 1047 00:59:24,799 --> 00:59:27,550 So, I noticed you have some semi-trusted 1048 00:59:27,550 --> 00:59:30,589 assumptions for the random number generation 1049 00:59:30,589 --> 00:59:33,400 for your relays. Did you consider, 1050 00:59:33,400 --> 00:59:36,650 or do you think there’s some merit in using the Bitcoin blockchain 1051 00:59:36,650 --> 00:59:38,999 to generate randomness? 
1052 00:59:38,999 --> 00:59:42,140 George: We considered it. We considered using the Bitcoin blockchain, 1053 00:59:42,140 --> 00:59:47,169 the NIST beacon, all these things, but there are various engineering issues; 1054 00:59:47,169 --> 00:59:51,490 like, to use the blockchain thing you need to have 2 verified Merkle trees. 1055 00:59:51,490 --> 00:59:54,110 This needs to be coded in the TOR codebase. 1056 00:59:54,110 --> 00:59:57,639 You also depend on Bitcoin, which is quite a powerful system, to be honest, 1057 00:59:57,639 --> 01:00:02,160 but you probably don’t want to depend on outside systems, so… 1058 01:00:02,160 --> 01:00:04,459 We really considered it, though. 1059 01:00:04,459 --> 01:00:06,280 Q: Thank you. 1060 01:00:06,280 --> 01:00:09,199 H: Thanks a lot for this Q&A, I think you will… 1061 01:00:09,199 --> 01:00:13,540 *applause* 1062 01:00:13,540 --> 01:00:17,270 *applause* 1063 01:00:17,270 --> 01:00:21,280 I think you will stick around and be available for more personal questions and answers 1064 01:00:21,280 --> 01:00:24,530 after the next upcoming talk, which is 1065 01:00:24,530 --> 01:00:27,628 “State of the Onion”, in 15 minutes. 1066 01:00:27,628 --> 01:00:32,981 *postroll music* 1067 01:00:32,981 --> 01:00:37,831 Subtitles created by c3subtitles.de in 2016. Join and help us do more!