Ephemeral Onions

Decentralized transitory Uses of the

               network 

hiro@torproject.org

https://mastodon.social/@nopressure

https://twitter.com/nopressure

Hi! 👋

Hi, I am silvia..

  • Some known me as Hiro.
  • I work at the Tor Project.
  • I am also part of the Information Security Group in the Department of Telematics Engineering at UPC-Barcelona where I got my Ph.D.

Let's talk about anonymity .

 

I am going to tell you a short story ...

What is        and

what it can do for you

Tor is a privacy tool

  • Tor is free software.
  • Tor is a community made up of a diverse group of developers, researchers, relay operators, volunteers.
  • Tor is an open network.
  • Tor is a non-profit.

What does Tor do?

  • Tor provides privacy.
  • Tor provides anonymity.
  • Tor provides communication security.
  • Tor provides a traffic analysis resistant communication network.
  • Tor provides reachability against censorship.

How does        provide Privacy and Anonymity?

Privacy by design

Tor provides privacy by distributing TRUST

Privacy by design

When you use a VPN you are trusting a single node

🖥️

💻

Alice

bob.com

Privacy by design

When you use a VPN you are trusting a single node

💻

Alice

bob.com

👾

👾

👾

🖥️

How Tor works

Alice wants to talk to some Bob. Alice also wants to stay safe.

💻

Alice's Tor client obtains a list of Tor nodes from a directory server and picks a random path to destination server.

Alice

bob.com

DS

🖥️

🖥️

🖥️

🖥️

How Tor works

How does it work in practice?

How Tor works

How does it work in practice?

Anonymity > Encryption

Anonymity > Encryption

  •     Encryption doesn't hide conversations metadata
    • how long you talk, how often ...
  •     Encryption doesn't hide your social graph
    • the people you talk to ...
  •     Encryption doesn't hide network metadata
    • network addresses, traffic patterns ...
  •     Encryption doesn't hide your location
    • location services, geo-coding ...

Using         at the app layer:

Tor Browser

What is Tor Browser

Tor Browser is a modified Firefox ESR.

Tor Browser Packages:

  • Tor, Torbutton,

  • TorLauncher,

  • NoScript,

  • and HTTPS-Everywhere.

Why Tor makes a browser

Tor browser is designed to:

  • Ensure the safe use of Tor.
  • Reduce linkability of user activities on different websites.

Onion Services

Providing bidirectional anonymity

Onion Services

  • Onion services can be started from your computer

  • Onion services are p2p

  • Onion services are decentralised

  • Onion services have a smaller attack surface

  • Onion services provide by-directional anonymity

  • Onion services addresses are 54 chars public keys [ed|curve25519 - Keccak(SHA3)]

Bob is an onion service and Alice a Tor Browser user.

Bob picks 3 introduction points and builds a circuit.

💻

Alice

bob.onion

Bob picks some introduction points and builds a circuit to them...

🖥️

🖥️

🖥️

How Onion Services work

Bob builds a descriptor and uploads it to the directory

Bob picks some introduction points and builds a circuit to them, then advertises its service at the database...

DS

💻

Alice

bob.onion

🖥️

🖥️

🖥️

🖥️

How Onion Services work

Alice fetches the descriptor from the directory and learns how to reach Bob.

Alice hears that bob.onion exists and they request more info from the database. They also setup a rendezvous point.

DS

💻

Alice

bob.onion

🖥️

🖥️

🖥️

🖥️

How Onion Services work

Alice tells Bob to meet her at the rendezvous point.

Alice writes a message to Bob listing the rendezvous point and a one time secret, and asks an introduction point to deliver it to Bob.

💻

Alice

bob.onion

🖥️

🖥️

🖥️

How Onion Services work

Bob connects to Alice's rendezvous point and provides their one-time secret.

💻

Alice

bob.onion

🖥️

🖥️

🖥️

How Onion Services work

Both Alice and Bob connect with a 3 hops circuit to the RP.

Bob and Alice use their circuit normally.

💻

Alice

bob.onion

🖥️

🖥️

🖥️

Using Tor within other applications through onion services.

Tor ecosystem

SSH onion-services

ssh:
  container_name: onion_ssh
  hostname: onion_ssh
  build: ${PWD}/config/ssh
  command: /home/root/init.sh
  volumes:
    - ./config/ssh/tor/torrc:/etc/tor/torrc
    - ./config/ssh/keys/:/home/root/.ssh/keys
    - ./config/ssh/init.sh:/home/root/init.sh
    - ./config/ssh/sshd_config:/home/root/.ssh/ssh/sshd_config
  ports:
    - "2222:22"
FROM debian
MAINTAINER hiro <hiro@torproject.org>
RUN apt-get update
RUN apt-get install -y sudo vim openssh-server tor 
USER root
RUN mkdir -p 700 /home/root/.ssh \
    && mkdir /var/run/sshd \
    && mv /etc/ssh /home/root/.ssh/ssh \
    && ln -s /home/root/.ssh/ssh /etc/ssh
WORKDIR /home/root
VOLUME /home/root
EXPOSE 22

SSH onion-services

## /etc/torcc
##
############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

HiddenServiceDir /home/tor/onion_ssh_service/
HiddenServicePort 22 127.0.0.1:22

TorSOCKS

$ torsocks ssh hiro@yjuwkcxlgo7f7o6s.onion

$ torsocks curl http://yjuwkcxlgo7f7o6s.onion/

Using the Socks5 Proxy

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

import requests

proxies = {
    'http': 'socks5://127.0.0.1:9050', 
    'https': 'socks5://127.0.0.1:9050'
}

r = requests.get('http://yjuwkcxlgo7f7o6s.onion/', proxies=proxies)

  • We can use the SOCKS5 proxy provided by tor
  • In this example, we fetch archive.torproject.org via its onion address

Onions for the

decentralised weB

Onion services can also be used for p2p applications:

  • OnionShare is a file sharing app that works by starting a web server, making it accessible as a Tor Onion Service, and generating an unguessable URL to access and download the files.
    • https://onionshare.org

NEXT STEP

Use Onionshare to share static websites.

Onions for the

decentralised weB

MyOnion is a proof of concept to run onion services into docker containers from your command line, via cli, or more simply via gui.

This project explore the idea of running ephemeral onion services on the Tor network.

https://github.com/hiromipaw/myonion/

NEXT STEP

Start a container from any device and share any kind of service and make this as easy as opening an app!

Onions for the

decentralised weB

api_client = docker.APIClient(base_url='unix://var/run/docker.sock')

client = docker.from_env()

build = [line for line in 
api_client.build(
path=self.common.get_resource_path('containers/website'), tag='website', dockerfile='./Dockerfile'
)

]

container = client.containers.run('website:latest', detach=True)

Onions for the

decentralised weB

FROM debian

RUN \
    apt-get update && \
    apt-get install -y nginx tor && \
    rm -rf /var/lib/apt/lists/* && \
    echo "\ndaemon off;" >> /etc/nginx/nginx.conf && \
    chown -R www-data:www-data /var/lib/nginx

COPY tor/torrc /etc/tor

COPY default /etc/nginx/sites-available/

...

Onions for the

decentralised weB

Because .onion services live on the Tor network, you do not need hosting or a public ip address to offer some service via .onion address.

 

This means .onion services are a gateway to a decentralised, peer-to-peer internet, where you regain control on the content you create and who you are sharing it with.

Onions for the

decentralised weB

The .onion is hosted on your computer for the time you desire, allowing the people visiting your site to remain anonymous, and also you.

 

We believe anonymity to be very important since it can free people, allowing them to decide how to expose themselves or to make themselves visible on their own terms.

When our privacy is stolen, so is our right to control our own narrative...
The End of Trust - McSweeney's 54

Learn more...

Made with Slides.com