 So, the purpose of this presentation today is to talk about some different options for Internet privacy. So, like I said, the Internet is a public communications network. From the perspective of the users, we don't own the network. Other people own it. So, from our perspective, it's public. Other people control it. Therefore, when we want to communicate in a private manner, we need some special techniques. So, we'll look at some of those techniques in this topic. Okay. So, these slides are available on the ICT website. So, if you haven't taken my courses, then you can find under the address, ICT.sittu.acth.moodle, information from my courses. And if you follow some links, you'll find the slides for this presentation, so you can have it on your own computer. You know WSIT Wi-Fi, so you can access that. If you want to access without logging in, then you can use this access point, which is named VPN test, but be careful we're going to play with it later. We may intercept your traffic, but not yet. So, these slides are available. There are a number of acronyms and abbreviations that we'll mention, and sometimes I will not explain them. So, just have this slide handy in front of you if you, if I say something, you don't know what it means. I'll introduce them as we see them, if I remember. Sorry. So, let's get started. First, we need to give some background. What do we understand as the Internet? And there are many different interpretations from technical people and from just normal users. Well, I think of the Internet as a network, a communications network, a computer network. It's a collection of individual computer networks all connected together. So, we have one computer network connecting to this Wi-Fi, so think of this as one small network, and there's another one which is connecting from across this campus, and another one across the different faculties inside Tamasat. And they all connect together, welcome. And then across the globe, we all connect those component networks together to get this large network called the Internet. How do we connect them together? Well, the devices we normally connect different subnetworks together are routers, and the common thing amongst those routing devices and your computers, called hosts, is that they all use the Internet protocol. So, that's maybe from a technical perspective, if someone says, what is the Internet? That's one basic definition. So, collection of many networks. Sometimes we can distinguish between those different networks as the networks that the end users like you and I access the Internet, so the access networks, so this, let's say, the LAN inside SIT is how we access the Internet. At home, you access the Internet via maybe your wireless router and your ADSL connection, so part of an access network or maybe via your mobile phone. And then all of those networks are then connected to larger networks, which we as end users don't usually see or use, unless you're working in a company that maybe deals with them, and maybe we can refer to them as the core networks. So, usually run by Internet service providers and telecom companies, which go across Thailand and between countries and so on. So that's the technical, what is the Internet? But when you ask my parents what is the Internet, they say, oh, accessing Facebook or accessing a website, okay, web browsing. That's what some people interpret the Internet. So the applications are important, and web browsing is the primary application that is used in the Internet, but of course there are many others. Web browsing, email, instant messaging, these are just the common ones, then all the very specific niche applications. So there's the network, and then there's the applications. We want to focus on the basic structure of the network, because that's important to know why are your communications not private. And then with respect to applications, we're going to focus on web browsing, okay. There are many others, but we're just going to focus on web browsing, because that's what we use mostly today. The others will be outside of the scope. So what I want to do in the next slides is give some structure of the Internet, and then how web browsing works. So here's a viewpoint of the Internet from the perspective of, say, you, your computer, here you are on your laptop, and you access a website. So now when we talk about the Internet, let's use the application of web browsing. There's a web server, and I think most of you will know that the way that web browsing works is that there's a computer, which is the server, which hosts some files, some web pages, and there's your computer running a web browser that sends a request to that server for some files, and the web server sends back those files to your browser, and your browser displays them. So two computers involved, your computer and the web server, and we'll shorten them as you and S. And there's the Internet, okay? This magic network that connects somehow you to, say, a Facebook web server in the US. That's a very high view of the Internet come in, why is my pointer not working? This is a, if we look at that cloud in a bit more detail, so this cloud here means it represents a large network, which may be many different networks. So if we zoom in on that cloud, what do we see? As an example, I've tried to capture some things we may see here. That is, what is between your computer and the web server? So we can break it up into different parts. And this will set up our Internet structure for this presentation. So we'll use, as an example, you at, maybe, home. Maybe you have an ADSL connection or a fiber connection at home, or maybe you're using a Wi-Fi somewhere, but you have home Internet access. So you're on your computer. Usually at home, how do you connect and go out to the public Internet examples? What do you do for your Internet access? Home may be at the dorm, or maybe at a house, wherever. Cable. So your computer connects to what device? Your laptop, say. Nothing. What do you use, Wi-Fi or a wired LAN? Okay, so if you're using wireless LAN, your computer, when I say connects to, sends some data to, what, a wireless router, one of these devices, or similar. But you own this wireless router? At home? Yes. Usually, say, at home, your computer, your laptop, and usually you have some that I call it a router, an ADSL router, a wireless router, maybe a cable modem router, that is yours or is your ISPs and they give it to you for some small price. And you connect to that either wirelessly or via some LAN cable, that's the typical approach. You connect to some router. This circle here represents your home router. And then that router then has a further connection out to the ISPs network. So if it's an ADSL router, and we don't have one, do we, no, if it's an ADSL router, this is not, but if you imagine it is, your computer connects into this and then this one has a telephone line going into the socket on the wall, which then goes into the telephone network and out to your ISP. If it's a cable modem router, what does it look like? I don't know. I don't have one. It's the same. Except it's a different cable. Okay, so if you're using cable internet, then again, you have a device like this, and you connect into this, and this has a coaxial cable going from that into the wall, from your home's perspective. If you're using, well, they're the two main options, aren't they? Then you may be using Wi-Fi provided by some operator, some ISP, or maybe you're using your mobile phone, 3G. Well, that's a little bit different, but you can think, okay, you connect to the base station, which then goes into some router, but that's a bit more complex. Here's our home router. That connects to your ISP's network, your internet service provider's network. I draw that as the second circle is the router. We haven't said what a router is yet, but the router of your ISP. You don't usually see that. It's somewhere in their building. Now, what is this? Sorry, I haven't got control of this. This cable here, maybe it's your ADSL telephone network, maybe it's a cable modem, but there's some connection between your home router and your ISP's router. That ISP may have a network across Thailand, and you want to access a web server in the US. How do you get your data from your computer to that web server? You send it to your local home wireless router, which then sends it to your ISP's network to their router. Maybe they have another one to send it to, and the way the internet is structured is that each internet service provider usually then connects to other internet service providers. The structure inside Thailand is that usually the local internet service providers all connect into one of several central exchanges that then go outside the country. Exchanges operated by who? Cat, TOT, True, and a few others like that, ADC and others. The way the internet works here is that from home I connect to my home router. My home router goes to my ISP's network, which is TOT, goes through their network, goes to some central exchange in Bangkok, which then has a cable or a link that goes out to Singapore or Tokyo or wherever, whichever other country. The way that I'm representing that here is that these circles are what I'll call routers, but devices that connect different networks, and your ISP then connects into a second ISP, so I just denote ISPX here, some ISP, which connects to another ISP, and there may be many along the way. Eventually it goes to an ISP in the US, ISPY, and then they connect into Facebook's network if I'm trying to access Facebook's US web server, which then connects into Facebook's network here and their router, and eventually there's a computer in Facebook's network which hosts their website, and my data gets to that computer. FWU is a firewall, FWU is a firewall, which we'll come to in a moment, ignore that for a moment, imagine that's not there, just look at the circles. So you're actually cutting out the service provider side of the US that you have a link from Asia. But yes, so the number of ISPs, so I've generally called them ISPs, but the number of different networks we go between your computer and the web server may be different in many different cases. In the case that you're talking about, you're saying that it's almost, you just go through one or two operators, me to TOT, and then TOT to Tokyo is one, yeah. But in that case, yeah, think of them as these routers, those internet exchanges are those routers. But the point is, and the point raised there is, this is just an example. I say that there's your home, your ISP, ISPX, ISPY, the web server. In general, in the internet, we don't know how many internet service providers are between you and the web server. It may vary. As the end users, we usually don't care about that. In all of this, from my perspective, sending through any of these internet service providers, and that's what we want to focus on privacy, sending through any of these internet service providers, I don't trust anyone. I don't care whether it's the largest company in the world or someone's home small one person startup company running that ISP, from the perspective of my data, which comes out of my computer, is going to a web server that let's say I do trust, my bank website, all those intermediate devices, or except for the ones in my home, I can trust the one in my home, but all the other intermediate devices, these routers, internet service providers, internet exchanges, don't trust any of them. So you worked for an ISP, effectively. Dana used to work for one of these companies. He'd sit at this router. He's the admin. He works for the company. He'd sit there and plug his computer in, and he monitored everyone's traffic. I don't know if he did that, but he could potentially see everyone's data going through that device, with the exception of what we're talking about today, the encrypted stuff. So that's why I say don't trust any of these intermediate devices. Whoever operates those devices has physical access and can see the data going through it. That's what we want to look at today. How do we stop that? There's a lot of technical details. I abstract from many details here because we don't really need them, but if you don't understand all of this, understand that between you and the web server, you send your data via multiple internet service providers via these devices called routers, and I'll denote them as circles. So you send your data to the first router, which sends it onto the next one and so on until it gets to the server, and then the server sends back a reply usually along the same path. Tomorrow when you access the same website, it may take a different path. Now we get into some detail. Any questions before we do so? So a couple of things I can see, some of your questions I can see inside your head. You're thinking, well, what path do I take? Why do I send via these ISPs? Why not another one? And some of the smartest people here are thinking, well, how do these devices know to send my data to this web server? So we need some addressing. We need to give our computers an address. And what type of address do we give our computers? An IP address. Everyone knows IP addresses? I know some, everyone who's taken my class knows IP addresses or at least have studied them. But what about some of the other students that haven't yet taken it? IP addresses, what's your IP of your MacBook? Can you find it? Find your IP address on your computer. I'll find mine. It doesn't come out so well. Find your IP address. I'm using my wireless LAN on my laptop and my interface gives me some information that says my iNet address or internet IP address is this number or set of numbers, 192.168.1.128. Yours most likely is not the same, but should have the same structure, these four decimal numbers separated by dots, this dotted decimal notation. Anyone who has one that is not starting with 192, does anyone have, yeah, what's your start with? 172. How are you connected via the Wi-Fi, TU Wi-Fi? Okay, so I'm connected by this VPN test wireless router. You've connected via some other wireless router, the Tamasat Wi-Fi network. And it turns out that those networks are operated separately so that they give you a different IP address or a different range of IP addresses. Everyone else found their IP address, okay? Terry, what's yours? 192.172 or something else? Everyone understands what these numbers mean. What does it mean, 192.168.1.128? To advance, you're correct, but what they mean is the wrong question. So my computer, yeah, okay, I think you've picked up it represents some network, this 192.168.1. Because there's people who haven't started IP addresses or may not have, the best way that you can think of them is an IP address identifies your computer or a computing device, but it represents two different things. It identifies a network that you're in and within that network it identifies your computer. So there's a portion of this address and we don't really care which part in this presentation, there's a portion of this address that says I'm in this SIT network. And the other portion of the address says I'm computer Steve's laptop in this network. If you're in the same network you'll have the same network portion but a different portion that identifies your computer. But that's, I think we can get away with that detail. It gets too complex if we try and explain that. What else about IP addresses? How long is it? It's 32 bits. These are not binary numbers, these are decimal numbers, but that's just for us humans to be able to read them. They're actually converted to binary. So 192 is converted to an 8-bit number. 1 is converted to an 8-bit number. 7 zeros for all of I. So in binary. So we get 4 8-bit numbers, it's a 32-bit address. Your computer uses a 32-bit address but us humans use this nice, convenient, shorter notation. This is not a talk about how IP addresses work. Let's make some assumptions about IP addresses. Let's assume every computer in the internet has a unique IP address. My computer has an IP address, this computer has an IP address, every computer in this room has an IP address and they're different. And let's make the maybe easier assumption that every computer in the world has a unique IP address. That is a different one. A globally unique identifier. Is it true? This assumption, every computer in the world has a different IP address. Unfortunately it's not true, but from the perspective of our thinking, we will treat it as being true. We'll come back to why it's not true maybe later. But if you don't know IP addresses, assume every computer has a different IP address. That means if I want to contact a particular computer, all I need to know is its IP address. And the network, we'll go back to our slides. Where are we? If my computer has an IP address and the web server has an IP address, then what these magic routers do, these circles here, is that I send some data destined to the server IP address and these routers will deliver it in the right direction towards the server until it reaches the server. So I think everyone has a unique IP address and the network delivers our data towards and to that destination IP address. But that hides some details which are quite important, but we're not going to yet. So an IP address, 32-bit number, but usually represented in these dotted decimal notation, these four decimal numbers. Here are just three examples and you see an example of your computer. Let's assume each computer, whether it's your laptop, mobile phone, web server, everyone has a globally unique address. Now, people know that's not true. There's this thing called NAT, network address translation and private addresses, which make that more complex. Let's ignore that. Let's ignore these details of network address translation. Ignore it for now. Turns out routers also have IP addresses, not so important for us. What's the IP address of the Facebook website? You remember? The IP address of the Facebook website. You need to send your data to the Facebook website. You need its IP address. We use this other thing, this other address, a domain name. So when you want to access Facebook, you don't type in the IP address of the Facebook website. You type in www.facebook.com, a domain name. There's some other system that maps that domain name back to an IP address, the domain name system, DNS. So for us humans again, we use domain names, but our computer actually converts that domain name into an IP address. So for this presentation, we're going to say every computer has a globally unique IP address, and when I want to contact a server, I know it's IP address. We'll see some examples of that as we go. Let's try and get started on our privacy options. More details. And again, the people who have taken my courses know this. Those that haven't, it may be confusing. So my computer has an IP address. What's its value? Let's say it's U. The value of my IP address is the letter U, just as a variable. And the IP address of the web server is S. If I want to send data to the web server, I create what we call a packet, a small piece of collection of data that I want to send. I include some information and I send that packet to the first router, which will then send it to the next one and it will send it along until it reaches the destination. That packet contains, and this is important, the piece of data that I send from my computer to the server contains my IP address and the server's IP address. So I send data from U to S. Inside that data, there's the value U and the value S. And that's important from a privacy perspective. What is that data? It's called an IP packet or an IP datagram. What's it look like? This? Well, it contains data and other things. The two other things that we care about, it contains the source IP address and the destination IP address. So every time you send something in the internet, you're sending what's called an IP packet using the internet protocol. And inside that IP packet are two things, or are many things, but two things of importance, a source IP address and a destination IP address. So when you send to the Facebook web server, that IP packet that goes through the internet contains your IP address and the IP address of the Facebook web server. And that's when we arise at the privacy issues. If the IP addresses are globally unique, then if someone else sees those IP addresses, then they can identify who you're communicating with. So this is a key part, is that the fact that every piece of data you send contains the source and destination address. What's this slide say? That's all we needed to say. The other thing down the bottom is how do we find a path between destination and we use routing, but not of importance for this course. Okay, before we look at web browsing, try and get started. If you've slept through, if you watched all the football last night and slept through the first half hour or so, then, and someone turned up in my office yesterday and was helping me set up, one of the people in this room, he was helping me set up and after about an hour he was falling asleep in my office while I was talking to him. I mean, people fall asleep in my lectures but not in my office and I think he's been awake or not, probably watching football or other things. So, if you slept through the first part, the thing that you need to know really is that all computers have a unique IP address and when we send data in the internet, that data contains the source IP address, the one that creates the data to send and the destination, the final destination. That's all you need to know so far. That's about the network. What about applications? Web browsing. Anyone cannot use a web browser? Okay. Everyone uses a web browser every day for many different applications. How does it work? Well, you use your web browser on your computer to access some website on a web server and there's a protocol that communicates between the web browser and web server called HTTP, the Hypertext Transfer Protocol. And it's quite simple, HTTP. Your web browser, you want to visit a web page, which means you want to download that web page and display it on your screen. So you send a request to the web server. I want to get index.html from your web server. The web server receives the request and sends back a response saying, here it is. Okay. Everyone understands HTTP. And I look over here because, again, there's people who haven't taken my courses. So it may be a bit non-obvious to them. Okay. HTTP. You know HTTP when you, in your address bar in your browser. Okay. Usually it shows HTTP, colon, slash, slash URL, the domain. HTTP is a protocol. It defines how to communicate between your web browser and the web server that you want to contact. And the basic way that it operates is your web browser, when you type in an address and press go, your browser creates a request. Requesting that particular web page that you're trying to visit sends the request to the web server. The server sends back that actual web page in the response. What's, oh, this is another view of how that works with a bit more detail. So your web browser on your computer, the web server somewhere in another country, and between that is the internet. All of these routers. You type in a URL, a .1. You type in a URL in the address bar. You press enter. What happens is your browser and your computer with the operating system creates this request, creates this packet. And it has the words get and the file that you want to download, like some HTML file. That is sent across the internet to the web server. Whenever the web server receives such a request, it does some processing, tries to find the file on its hard disk. And if it finds it, sends back this 200 okay message saying your request was okay. And then includes the contents of the file in the response. So some HTML. And if the file is not on the web server that you request, what comes back? 404 not found. You've seen that many times. So that is the case where you request a web page. The web server looks for it on the hard disk. It's not there. Therefore sends back a message HTTP 404 not found. And that's why your web browser displays that error message. But the normal case is that the web page actually comes back. We'll see an example of that in a moment. Let's get into the core of this presentation. I have my drink again. Make sure you finish all the and I can see Corinne licking his lips. He's hungry. I can see him. So he's one of my PhD students. I'll pass around to him some snacks and he'll pass them around if he wants to or he will keep them to himself. But for the other things, you have to get up and grab them. Okay. Now we'll get started. So we care about security in the Internet. Whoa. Again. Sorry for those that haven't taken my course. But some have taken my security courses and we talk about what do we mean by security and many different things. Internet security includes different things like what we say confidentiality, keeping things secret. I visit a website and I send my password to that web server to log in. I don't want anyone else to see my password. I want to keep the password secret. So we need some mechanism to provide confidentiality. Related to that authentication, logging in. How does it work? Making sure no one changes data. I send an email to someone. And one of what's the example? I send an email to someone, let's meet at 3am at this location. But someone malicious in between intercepts and modifies that. So I mean let's meet at 5am and therefore something goes wrong. So data integrity. But we want to focus on privacy. And what do we mean by privacy? I mean keeping actions secret. Not necessarily keeping your data secret, but it will be strongly related. But keeping what you do secret. And in the Internet, that usually means keeping which computers you access secret. So privacy of our communications, of our actions. What's the difference between confidentiality, secrecy and privacy? Well, sometimes they mean the same things. So people use different terminology. What I'm going to use in this presentation is say we talk about privacy of our actions. I don't want anyone to know that I visited the World Cup website last night or today because I was supposed to be working. I don't want anyone to know that I accessed a particular website. That's privacy of our actions. Secrecy or confidentiality of our data is I don't want anyone else to know the amount of money in my bank account which is seen when I visit my website of my bank. So privacy of your data is different than privacy of your actions, your behavior. How do we keep our data confidential? So we've got two things now. We want to keep our data confidential, keep it secret, but we'd also like to keep our actions confidential, keep them secret. First one, how do we generally in the Internet, how do we keep our data secret? By not going on the Internet, not much fun then. Encryption. Okay, even if you don't know how encryption works, what we do is I want to send a piece of data from my computer to someone else's and I don't want anyone else to see that data except the recipient. I want to keep it secret. Then what I do is I take that data and I transform it. I encrypt it using some encryption algorithm and some secret key and I send that and encryption works such that if someone sees the encrypted data, there is no way that they can find the original data unless they have some secret value which they shouldn't have. Only the destination should have it. So keeping data confidential is relatively easy in the Internet. Just encrypt it. Who uses encryption on the Internet? Who has used it and how? What technique or what software did you use to encrypt? To encrypt. True crypt, okay. On the Internet, true crypt mainly for your own disk, which is related, but generally accessing websites. Who uses encryption? Sorry? HTTPS. Okay, remember sometimes you visit a website. I'm going to break something today. And there's the HTTPS at the start of the domain name, the start of the URL as opposed to just HTTP. That S means secure or secret. It means that the communications between your browser and the website are encrypted. So everything sent from your browser when you're using HTTPS is first encrypted by your browser or your computer and then sent across the Internet and then decrypted at the web server. So keeping things, keeping your data confidential, we've got good techniques to do that. HTTPS is one example. Make sure that these air conditioners are on. They look to be. I don't want any other excuse for people to sleep. So in the Internet, keeping your data secret is usually quite easy, just encrypted. But what about keeping your actions secret, making sure no one knows which website you visited? That's a little bit harder. Well, that's what we'll focus on today. Why keep your data secret? Sorry, I'm sure you can think of reasons. Here are some. Why keep your actions secret or private? Why would you not want someone to know which website you're accessing? Here are some reasons and I'm sure you can think of many. I think there are many good reasons why we would want our data to be confidential and our actions to be private. There may be some bad reasons as well. We may want to do something which is illegal and we don't want others to know that we're doing it. Therefore, the techniques for keeping your actions private may help in that case. So assume we want to keep our actions private. How do we do it? Well, that's what we're going to go through. But first, well, what's my requirements? What do I need from a technique that keeps my actions private and my data confidential? I've tried to list some things that we would want as an end user. And we may not want them all at the same time, but some of them will see. Sometimes I don't want anyone but the web server to be able to read my data. I visit my bank website. My bank website sends me my account balance and all my transactions. I don't want anyone on the internet to know that information. It's okay if the bank knows it because they're my bank. They have to know it. Of course, my computer needs to know it, but everyone between my computer and the web server should not be able to read that information about my account balance and transaction. So that's one thing that we often require. Don't want anyone but the server to read my data. So that's data confidentiality. The other thing is privacy of actions. I don't want others to know I am communicating with a particular web server. I'm at work all day today, but I don't want to keep track of bad timing, but if I wanted to keep updates of the news or the World Cup scores or the betting on the World Cup, then I'd be visiting the websites all during work day. I don't want my boss to know that during my work day, I'm visiting the World Cup gambling sites. So I don't want others to know that I'm communicating with a particular web server. That's another requirement I may have. We may not want both of them at the same time. Sometimes we will, sometimes we won't. We'll come back to the difference between these two and maybe in a moment. Another thing, slightly different. I don't want the web server to be able to identify me. I visit Google to do a search for something. So on my browser, I go to www.google.com and type in a search query. I don't want Google to know that it's Stephen Gordon that's doing that search. So that's a different thing. That's privacy from the web server. And that's a little bit harder. Because you're contacting the web server, you want to make sure that the web server cannot identify you. So the first one is data secrecy. The next two are privacy. I'd say that this one is privacy from others in the internet. This one's privacy from the server. You don't want the server to be able to identify you. The other one, which isn't slightly different, but it turns out that the techniques we use for the first three also provide the fourth one. Sometimes I want to bypass blocks on a firewall. And on our picture we had going back, one of our first pictures, the question was what's FW? That's a firewall. What's it do? And in this example, my ISP runs a firewall. This special device. What it does is it blocks certain data that goes out of my computer onto the internet. An example, the firewall in SIT can be set up to block access to Facebook, which means that so you're inside the SIT network, you're here, the firewall for SIT. Your computer, you visit facebook.com. Your computer sends a request. It gets to the firewall. The firewall looks at that packet, sees this one is going to facebook.com. Do not send it any further. Drop or block that data. As a result, your request will never get to Facebook, and you'll never get the Facebook web page back. So the basics of a firewall is to control what data goes in and out of a particular network. In our case, we'll often see firewalls may be used to block access particular websites. We may want to bypass that. There's certain issues whether you should be bypassing firewalls, but let's look at the techniques anyway. So some things I may want from a security perspective. No one can see my data. No one can see I'm communicating with a particular server. The server cannot identify me. I can bypass firewalls. There are security requirements. The techniques to provide them, if I'm going to use software that does this for me, I'd prefer it to be free, cheap. I want it to be easy to set up. I don't want to have to spend two hours installing software on my computer to set it up. I have to redo that all the time. And I want it to perform well. With respect to web browsing, I want the performance when I access a website to be almost no different from when I'm not using this software. I visit a website and the web page loads in half a second. Then I use some software that provides privacy. And I visit this same website and it takes 10 seconds to load. It did not perform well. So we care about not just security but also convenience. So let's, and this is the main part for today, let's look at how many three different ways to provide privacy in the internet. So we'll look at three different common techniques which are available today. There are others, but we'll look at just three, that try to provide one or multiple of these security requirements. Some don't provide them all. And we'll compare them at the end with respect to the convenience. Which ones are free? Which ones, or how much they cost? How easy are they to use? And how well do they perform? And we will use them. Let me just set something up. Actually bring up my web browser if I can find it. Maybe on your computers, if anyone's connected to this wireless access point, anyone, VPN test? Anyone using it? Hands up. Try and associate with VPN test. It provides internet access. So the SSID is called VPN test. Associate with that and then visit maybe one of your favorite websites. And to keep it simple, try this one. That is, sorry if you cannot see that, the URL is ict.sittuacth slash tilde, this squiggly line, S Gordon, my website on ict. So associate with VPN test and then visit that website. Maybe follow a link if you like, not so important. A few people have done it, fine. So in this case it's your computer accessing some web server. The web server is actually at Bunker D. So in between your computer and the server is the internet and all these routers. You want to keep your communications private there. I operate this portion of the network. I run this router. So if I'm malicious, a bad person, maybe what I want to do is intercept your data and see which websites you're visiting and maybe what data you're sending. Let's see if I can do that. I actually, before what I dig and this may be hard to see, don't worry too much about this. But what I can do is I can log into this router and I tell the router to record everything that goes through it. So what you're doing when you're accessing websites, you send to this router. This router then sends across the cable out of SIT to Bunker D. I set this up so it records everything that goes through it. So let's see what I recorded. I capture everything that goes through it and I use some software to do that, but that's not so important. It's quite easy to do. How I did it doesn't matter at this stage. Let's hope it works. Okay, I have to zoom a little bit. This is Wireshark. Wireshark allows us to see data sent and received by a particular device. So what I did is I told this device record all the packets going through it. I saved them to a file and then I've just opened those packets in this program called Wireshark and it just lists all those packets and I'll just find some quickly that may be relevant to us. Here's one. Without looking at the details, I can recognize this orange one. At some time someone, someone with IP address 192.168.205.162, one of you, sent to the ICT web server. I know it's the ICT web server because I can remember the ICT website address. It's a bit more complex than that. This IP address. So the source IP address, the destination IP address, they sent a request for the URL, this slash 2 to sorder. So what someone did on their web browser is visited this website, pressed enter. That triggered their computer to send this packet and this device recorded that packet and that packet was sent to the website and the website sends back a response and I guess it's this packet. If you look at the addresses, they are reversed. So source destination and now in the response, the source is the server, the destination is your computer and it contains a 200 okay and if I zoom in and look at the contents of that data, I can see the actual web page, okay? So if you look through here, this is just the HTML at that web page that was shown on your browser. So this is a very simple example that any device between you and the web server can potentially record who is communicating, source and destination and what data they're communicating. In this case we see the actual web page. So if you accessed your web website of your bank using this access point and your bank for some reason didn't have encryption, then what you would see, what I would see here, would see the account balance and so on of your bank if it was sent back to you or if you logged into a particular website, you type in your username and password and again encryption was not used. If it wasn't using HTTPS, then I would see in here your username and password. Okay, so with normal HTTP basically everyone in between you and the destination can see everything you send and receive. So we have two issues there, our requirements of security. Let's go back, what do we say? We don't meet the first requirement in this case. So with normal web browsing anyone can see my data. So the first requirement is not met. Anyone can work out who I'm communicating with because if they see the source address they can identify my computer in the internet and if they see the destination address that they can identify the web server. So the second requirement is not met. What about the third one? Is this third requirement met in that case? Does the server know who contacted it? In that case you accessed ICT server. Who runs the ICT server? Me. Okay, so let's see what the ICT server saw when you accessed it. If I remember my password and since I run the ICT server I'm the admin there. I can see, this is a bit confusing, but I can see a log of everyone who accesses that website and this is hard to read because it's so small and so much detail but this is a log for the web server. It records everyone who contacts the web server and somewhere it records the IP address of who contacted that web server and the date and time and what website they, what URL they accessed. So the web server can identify who contacted it based upon the IP address here. Okay, so our third requirement of hiding from the server is definitely not met. The server knows who contacted it so that's common. Now, okay, let's, so how do we provide those security requirements? Get rid of that. This is the software I'm using to record on that router. It doesn't matter, it's called tcpdump. So I'm recording again, I'm saving everything I need to start at everything that this one's seeing. Anyone want to access a website? Anyone want to log in to their bank? Take a chance. Log in to a website. Maybe log in to Facebook. I'm recording. Who's willing to take a chance? That is, after you log into that website I'm going to look and see the packets you sent to that website and see if I can see your username and password. You hope so. What, what do you need? Yes, you said it's in, it's encrypted. Why is it encrypted? HTTPS. So there are some exceptions but basically if the website you're accessing is HTTPS then the data that your web browser sends to the web server is encrypted. It's encrypted by your browser and decrypted by the web server and my router that intercepts that data it will still intercept the packet and I will not look because someone may have logged in without HTTPS it will still intercept the packets but all it will see is random bits and bytes because it's encrypted and my router cannot decrypt it because the encryption is set up that only the source web browser and the destination web server can encrypt and decrypt. So you could log into a website if you're using HTTPS. If your login page doesn't use HTTPS again I would see your username and password okay. So maybe that's one thing if you're not already wary when you log into websites try and make sure that that page that specific login page is using HTTPS not HTTP. Many websites provide that but not all. I will not look at this capture I will not save it for later I will delete it now and I'll delete the other one so where do we get to we'll come back to them if we're using web browsing normal web browsing using HTTP ignoring a firewall if you access a website with respect to those security requirements what does it provide it provides nothing that is others can see the server you're communicating with they can see your IP address they can see the server's IP address others can read the data the server can identify you and including in the others the firewall can see who you're communicating with and identify you so using basic HTTP does not provide any privacy if you use HTTPS it's a little bit better so if you're using HTTPS the data that you send from your computer to the server that data packet contains your IP address the server's IP address but the data itself is encrypted meaning others can still see who you're communicating with if I captured your packets I'd still see that you're accessing Facebook but I would not be able to read the data okay so that's our data secrecy requirement met the server still knows it's me others still know I'm contacting Facebook but others cannot see the data if we use HTTPS there are a few things I skipped over but that's the main point with basic web browsing so what we want to look at is how do we stop that how do we get all of these things green green means the requirements are met red means not good any questions before we move on to the the the new stuff no sure everything's clear yeah okay yep okay yeah okay when you open your browser and you visit a website using HTTPS let's see if we can find an example all right my browser doesn't show HTTPS here but when we do HTTPS and want to visit using the secure version of the communications what happens well your browser the different browsers do it differently but usually it shows some some padlock or some message here and sometimes it presents a warning all right a different graphic or it pops up something the website you're trying to visit do you really trust it so sometimes you get a warning here in this case I didn't um there are two main reasons for that one common one you'll see today is that a website usually usually contains content from many different locations not this one there are no images but the images may be from you visit facebook but that one page the images maybe from twitter or from some other site so the website actually has content from many locations so one warning you'll often see is that the web page itself the communications were encrypted it was secure but to download the images maybe encryption was not used your browser may present a warning saying part of the website is encrypted but some parts are not be careful that's what it means another one and this is a bit much detail but can we what happens when you go to reg.sit and try and log in I know you've probably done it in the past maybe I will not do it because I've already accepted it but maybe go there you don't have to use vpn test anymore if you don't trust me use wsit and now you have to trust the s it computer center okay so go yeah I think the first time you visit registration website and try and log in it presents an error or a warning and maybe that's related to what you're seeing as well we're not covering htps but it uses some techniques that it requires a certificate and it requires usually the website owner to pay for some certificate to set it up and update things and if you try and log into registration website the first time ever you visit that your browser will usually present a warning I've visited it before so it won't present a warning now but the first time it will say do you really trust this website that may be and in that case it is possible for someone in the middle my router in that case to decrypt your traffic so if you see such a warning usually we accept it but be aware it may mean that there's someone in the middle reading your data unfortunately sometimes we have to accept it otherwise we can't access the website so your browser often presents warnings here if something's not quite right maybe that's another topic what if our firewall was on has anyone been blocked by a firewall before SIT has a firewall okay here you are inside here's outside there's a firewall which blocks certain traffic it blocks certain packets now SIT's firewall is quite open it doesn't block much it actually blocks based upon port numbers but not so many websites but I think the different companies different organizations companies internet service providers will set up their own firewall and they will block particular websites I don't know if I can think of it an example but I saw one actually the other day I'm sure you can but I one that I can display to everyone there's one try again Daily Mail is a is a newspaper in the UK it's a newspaper which has some articles on different things such means it's blocked okay it's just a newspaper in the UK so how did that work well the different ways firewalls can be quite complex but from our perspective a simple way that a firewall can block things in this case it's is blocked the internal computer from access accessing the external website and in this case the external is outside of the Thailand or the ISPs network how does it work or how could it work go back I type in on my computer type in the destination address dailymail.co.uk which actually corresponds to the server IP address so here's the the website the destination address in the packet identifies the web server that packet goes to the firewall the firewall checks the destination so a simple way to implement this is that firewall has a set of rules that say block anything where the destination equals s so when my packet gets to the firewall the firewall checks the destination address inside my packet it compares against the list configured in the firewall if they match it doesn't send it out to the web server if it doesn't match then it goes out that's the simplest version of a firewalls to do it based upon destination address question okay so there are many more details of firewalls but that's a common way if the destination address matches some value don't let it out in this case don't let it out and redirect it to some nice other website okay so of course if the firewall is enabled and you want to access that website you cannot not using basic HTTP or without some workarounds so if we use HTTPS our data is secret but our actions still are not will HTTPS bypass the firewall generally not the firewall is generally set up so it will block based upon the destination address if using HTTPS even though the data is encrypted the destination address is not okay so the firewall still knows i'm trying to access daily mail it doesn't know the data i'm sending but it knows the destination address so it can still block in that case all right first privacy technique web proxies and we're going to go through three maybe common or generally talked about technique some better than others web proxy has anyone used one before has anyone seen one we'll try some in a moment very easy basically a website you go to this web proxy this website and in there it allows you to type in a destination address and that proxy will send the request to the destination on your behalf that's what a proxy does it communicates to the server on behalf of you let's go direct to some examples this other presentation i haven't made available to you where all i put it try a try a web proxy that is open your browser and try one of these three websites visit one of them doesn't matter there are many or if you want other ones this one lists a set the vpn book is one that will use as examples but there are others so just visit one of them and you'll see the interface very simple and then try and visit another website via that proxy and see what happens if you visit vpnbook.com which is a web proxy i think there's a link to a proxy there and we'll try what happens up the top it says free web proxy i need to allow my scripts i should have done that before we'll use this website for other things later and it presents and maybe it shows better on your screen it presents a text box to allow you to type in the destination website so you type in your url that you want to visit here press go and then it will send the request to that website on your behalf send back the web page and you'll see the web page okay quite easy to use so will you try i haven't tested this so okay so i got to a website which was previously blocked by a firewall but the web request is via this proxy so the proxy sends a request to the real website the real website sends back the web page to the proxy and then the proxy sends it back to my browser and my browser displays that but if you note in the address bar it's still vpnbook.com so don't be fooled to think you've got direct access and there are many such web proxies what what requirements do they meet with respect to our security security requirements free okay let's go back to the requirements so that web proxy was free that is i just went to the website i typed in the url and it sent the web page back so right with respect to convenience it was cheap the cheapest was we can get some will provide ads all right they're free that is there's no upfront cost but what they'll do is you you visit a website the proxy will insert some ads onto the web page and of course they make money from from displaying and people clicking on those ads so free but sometimes well someone who runs the proxy how do they make money how do they pay for it they're very nice and they just give it away for free many of them would be ad supported that is they insert ads into the web page that you are visiting and get money from that some may have some upfront cost some premium service you pay two dollars a month and you don't get ads for example what about our security requirements which ones doesn't meet the web proxy four requirements really maybe start from the bottom did it buy bypass the firewall yes we saw using a proxy it's one way to bypass a block on a firewall what else i don't want anyone but the server to read my data well no nothing was encrypted there not necessarily and we'll look at the details so still people in the internet could intercept our data and see the contents of it meaning just because you use a proxy it doesn't mean your data is kept confidential i don't want others to know i'm communicating with the server no one yes no technically correct no others still can see i'm communicating with the server but the others may be limited in this case and we'll see a picture to explain that i don't want the server to be able to identify me what about that i would say yes in some cases the server i send a request to the proxy the proxy then sends that request on my behalf to the server what the server receives is a message from the proxy it doesn't receive it from me therefore if you looked at the server log the server would just see the address of the web proxy as being the source so from that perspective from the perspective of ip addresses the server doesn't know it is my computer accessing it it thinks it's the proxy computer accessing it so from the perspective of ip addresses we do achieve this requirement there may be cases when we don't but in the simplest case the server can't identify me because all it can identify as the proxy let's look at those details using a web proxy that's too much detail let's go to this one here's you here's the website you want to access what happens with a proxy so there's this proxy server this blue one p so in this case vpnbook.com is is this proxy server there's a firewall that's blocking me from accessing destination s so what i do is i visit the proxy website and what my picture tries to show these blues rectangles are the packets being sent and i show the source and the destination the source address and destination address so i'm sending a request to the proxy in the first instance so the source is me or you the destination is p but inside this request i actually include the address of the real server i want to contact so inside the data component there's s the address of dailymail.co.uk i send that out it goes to my isp but my isp has a firewall the firewall is configured to block anything going to s it looks at this packet and most firewalls are quite simple they just look at the destination address it looks destination p that's okay let it through and that's what we saw in our case the firewall normally does not look inside the data it just looks destination ip doesn't match s no okay fine if it matches s block it it's much faster to do it that way than to look at the contents therefore we bypass the firewall by using this proxy so this data packet goes out through the firewall it goes to the proxy the destination p what the proxy does is it reads the data it notices that i need to send actually to s so it now recreates a web request source p destination s sends that to the server the server receives the request for a web page sends back the web page to where where's the server sent to yeah the server thinks it got a request from the proxy therefore the reply will go to the proxy so the server would send the web page back to the proxy the proxy then takes it and sends it back to you and that would be bypassing the firewall so normally the firewall will not easily see who you're communicating with in theory it can but in practice it's not very common for the firewall to detect based upon anything other than the IP addresses so we bypass the firewall others cannot see the server you're communicating with and by others here i mean other other than the proxy okay now the proxy is a special case the proxy can see who you're communicating with the proxy knows you send a request to this website it knows your address you it knows the destination address s so the proxy knows who you're communicating with but this one here here and here they don't know you're contacting the website they think it's the proxy so we provide that level of privacy that others in the internet do not know your actions nothing's encrypted everyone can see your data so if you want how do we protect our data if we want others not be able to read your data what can we do htbs yep okay so what could this file your question more generally is i won't talk about governments but what could this firewall do to block out access to this website now here the firewall is very i was a stupid all it does is say if the destination ip matters this don't let it through it could be a little bit smarter what the firewall could do is not just check the destination address but check the content because the content of this packet actually includes the address of s it must be so the proxy knows where to send it so s is included in the content if the firewall looked at the details of that packet in theory it could determine this packet is going to the proxy some address p doesn't even have to know it's a proxy but it's going to some address p but it's got a url of s let's assume that's not going to be allowed and block it so it can if it inspects the details of that packet be smarter and try and block it the reason that doesn't happen often is because it takes a lot of effort of the the cpu of the the firewall to do that processing and imagine a country-wide isp that has to block everyone's traffic every packet that goes out this firewall must check the details checking just the destination address is very very fast you can get hardware that does that fast but checking whether it's a web request an email checking that reading all the contents is very very slow so most firewalls by default would not do that okay so if the government or someone wants to block then they could inspect the content or like you said they could just block access to p so in this block list block destination equals s and destination equals p now we cannot send out to the proxy how do you get around that if you go to this list of proxies you'll see hundreds of proxies there so what does the government do or the the firewall do it blocks all of them but then a new one is created so keeping up to date of that block list is very very hard and it may in fact block other things difficult let's have a break for five or ten minutes and then we'll look at the next technique of using VPNs okay and in the break you can help yourself to some snacks and you may want to just try some of those proxies if you haven't already and i'll show some software that you may want to download and install and we can maybe come around and help if for the next part of vpn software where what's the website if you go in to this it's ictill to escort and slash vpn test and find your operating system and and downloads the software from there and install it i think it differs depending upon the operating system but for windows the software that you you may use or we'll demonstrate and it depends on whether you're using 32 or 64 bit but open vpn try and install that party or putty that's an easy one to install you don't need win scp wire shark you don't need but open vpn party and tor browser we'll try and demonstrate them so maybe try them and we'll then continue with the other approaches