Hello, welcome to EMF Stage C. The next talk is Alec Muffett on why and how to use onion networking.

Okay. Pardon me while I do a quick microphone calibration test. This is the voice of doom, right? Okay, hello, my name is Alec and I am old, so I would like to share a couple of perspectives from back before the internet became the World Wide Web, because I think they might be useful to the builder and maker community. I think they might be useful to folk who are trying to innovate in the application space. And so there's two things that I would like to share with you which I think were key to the success and development of the early internet.

Firstly, in the beginning all of the internet's communications were end-to-end. End-to-end is a bit like peer-to-peer, except that there are only two of you. So it's a bit like a rope, which is, you know, if you've got a net and it's only got two ends, it's actually a rope. So if you had an internet mesh: this is a map of the internet from 1977, so it's a little earlier than the target dates that I'm kind of describing, talking about, but it serves for illustrative purposes. And you had Alice in Stanford, and she was on a PDP-11 on the left-hand side, and you had Bob at NYU on the right-hand side, who's also on a PDP-11. And if they wanted to communicate, the software that they would be using to communicate would be talking directly between the two of them. A route would be forged between Alice and Bob, and the bits and bytes would go back and forth directly between them. There would be no firewalls which were blocking the communication or making it hard for Alice and Bob to do this. There would be no intermediaries on which Alice and Bob would have to rendezvous in order to communicate. Instead they would be talking directly between each other.
There would be no men in the middle. There would be no impediment to their direct communication, and it would actually work. It was quite fantabulous to be able to do this. Let's not, though, dwell on internet security in that era. Frankly, we didn't do it too well back then; it was kind of rough, but it was a safer, sweeter, or more innocent age.

Secondly, one of the more important aspects of making a successful tool in this era: the command line names tended to be a bit embarrassing, something like, for instance, finger. Especially if you use it with the standard Unix systems administrator, this would be very rude to say in Australia, I am told. The finger program was the user information search database program. You could see who was logged in, or you could inquire whether a user on a system was currently logged in, and you could also get a little bit of extra information about them. The finger protocol, incidentally, ran on port number 79, TCP port number 79, and if you add one to port 79 you get port 80.
This is not really a coincidence; there's a reason for this. Because on the finger command, if you created a little bit of information, if you created a file called .plan in your home directory and another file called .project, when someone fingered you (there's that word again) you would have this information pop up on the remote display. The person would get this information that you had created yourself. It becomes content which you share over a network, and it's a personal expression opportunity; it's a way to communicate what you are working on. And this led to a sort of proto-blogging as we would now understand it any time after the mid 1990s, but 10 or 15 years earlier. You could put quite a lot of information into a .plan file. Little example here on a 4.3BSD emulator I ran up just so I could get these screenshots, and, you know, they're actual legit things. But if you go back in history, John Carmack, the guy who wrote Doom, had an enormous .plan file which was essentially his daily blog of what bugs he had found and what bugs he had fixed and what challenges he was facing and new features and so forth, and you accessed his blog via this finger command. You could even do prototypical, what we now have as Flash animations, like this thing. It turns out that if you are connecting to the internet over a 9600 baud serial modem you have a fixed bit rate, and so by sending printable ASCII characters and carriage returns and line feeds you actually can work out the right speeds to get animations like this. I'll leave this running for a second.
This is just plain ASCII and a bunch of carriage returns and line feeds and other stuff like that. And if you want to see how that finishes, there's a link to the video in the pinned tweet on my Twitter page; it's the reply to the current pinned, the top pinned tweet. You can also find out more information about .plan files and some of the stuff about them in the Hacker's Dictionary, if you go digging for this kind of information, this kind of content.

So I want to make the glib assertion on which this entire talk is based: that end-to-end communication aids innovation in distributed computing. It aids and eases information sharing, if you do it right, and it helped make the internet that we know today.

So the talk, though, is why and how to use onion networking. Normally I would be talking to an audience of people who were privacy activists about onion networking, and I would say something like: if you have a community or an audience who face censorship, if access to real news, real content, is hampered, if there is a risk of fake government websites or fake non-government websites lying about the state of the universe, or if there are political repercussions or social repercussions for accessing websites about gender and sexuality and so forth, or if you need additional privacy assurance and trust, you might want to use onion networking. But I want to look at it from the other aspect for today, which is: if you are building a disintermediated or distributed, again an e2e, tool. Something like OnionShare, which is a distributed file sharing tool going from point to point over an onion network which is just temporary; you are connected to it for as long as necessary to transfer the file. Or the Briar app, which is, I would say, a social space and a kind of blogging-stroke-bulletin-board tool based around the same sorts of distributed technologies that Usenet used to be based on, but layered over Tor and several other transport technologies as well. Or if you are an IoT home automation fan and you are worried
about someone spying on your home webcam because occasionally you walk around nude, or something like that. Tor and onion networking is a great tool to assure the privacy and integrity of your own communications point to point, and be certain that it isn't going through or temporarily cached on the file servers of a Facebook or Google or Twitter or whomever, or even just some sort of AWS cloud thing which eventually gets popped by a bunch of hacker weenies.

What is the adoption of onion networking? Am I talking about some tiny little annoying tool which nobody's ever going to use? No. Facebook has an onion site. The New York Times has an onion site. BuzzFeed News and ProPublica both have onion sites now. Cloudflare have recently added DNS resolution over HTTP over onion, and a new feature announced last week, which is opportunistic onions, where any Cloudflare customer can add onion networking to their website using the Alt-Svc HTTP header. So you can use onions for turbocharging your website's experience for people who connect to it over Tor. It's not the dark web anymore, although it is what used to be called the dark web. It is the technology for giving additional transport-layer security to HTTP.

What is the social value of onions, if you're going to deploy it? Well, the reason that Facebook deployed it was that it gave greater assurance, if you're connecting over Tor, that you weren't being man-in-the-middled by one of the Tor exit nodes, one of the exit relays; instead you are connecting definitely, directly into Facebook. It gave you greater privacy, greater availability over Tor, because exit nodes tend to be a bit congested and a bit flaky, and you have fewer digital footprints as well. You are making a pure end-to-end connection over Tor. The tech value of onion networking comes in the second half of the presentation. Just to fill in a few gaps here, because frequently people ask these questions afterwards: are there clients for other platforms?
Yes. Mac, Windows, Linux all use Tor Browser, or you can just run up the Tor software and connect through it. Android likewise, iOS likewise. In terms of, I don't have a slide for the next bit of statement, but in terms of complexity, I will put it about on par with tunneling traffic over SSH. If you've ever used an SSH connection to go from your local machine to a remote machine and, you know, drilled the hole backwards or forwards so that you connect to port 80 over it, it's about that level of effort. You're meddling with a few configuration files and you have to have a little process running, but otherwise the data just happily, merrily goes backwards and forwards under your control. This is a static photo of me playing a video of the Times website on my Android phone, just to prove that it can be done. I would have more than one video in this presentation, but it just seemed unnecessary. This is my Tor development environment, to prove that the resource requirements are not onerous: that little Raspberry Pi bottom left is the cluster controller for six other Raspberry Pis in a web farm. This is the environment on which the New York Times onion software was all developed, and it is freely available, and I'll talk about that maybe a little bit later.

So I've mentioned the word onion and onion networking quite a bit. What is it? .onion is the top-level domain name for the onion namespace, and when I say namespace, what do I mean? A namespace is an address and what it means, or what it looks like. So you've got the IPv4 namespace, which is 192.168.1.1, strings of digits with dots in the middle. You've got IPv6, which is hexadecimal with lots of random colons arbitrarily spaced in it. DNS addresses are all www.foo.com nowadays, and onion addresses look like some random gibberish with .onion on the end of it. How do they work? Well, you type them into a browser and you connect to a computer.
That's pretty much it. There's a slight tweak with IPv6 that you have to add square brackets, because of some syntactic issues which Tim Berners-Lee forgot to think about. However, there's a cute twist, because .onion is unusual: under the bonnet, it's actually a raw network address. It looks like www.foo.com, www.something.onion; however, it's actually a string of binary digits that means something to a network stack. It also means, because of this neat duplicate, and that's not really a duplication, because of this quirk you can use subdomains. This wouldn't make sense for IPv4; like, you could not have www.192.168.1.1. That would not mean anything sensible to any web browser, again because of a goof that Tim Berners-Lee didn't think about. However, www.facebook.com.onion is meaningful to HTTP. It still connects you to that binary onion address, but the www bit gets transported in the Host header, because it looks sufficiently DNS-ish, and everyone's happy. The addresses are treated equitably, and so you get standard www web sort of behaviour even with an onion address.

How do you choose onion addresses? Essentially you mine them. It's a little bit like Bitcoin: you just throw random coin tosses using a special bit of software until you get one which, when written down on a piece of paper, would look intelligible-ish to a human being.

How does it work? Again, to my metaphor of SSH tunneling: you have a config file and you say, on port 22 I want anybody who connects to be redirected to my localhost port 22, or to some other IP address port 22, or port 443, or whatever it might be. And then again at the local end, if you want to connect to that, you do some magic in your SSH config file or whatever it might be.

If you're doing web over onion, how do you serve content? One: you set up a dedicated web server.
You could just sort of hard-code a Tor daemon to talk to localhost port 443 and run an Apache daemon on your local machine, and everything would be fine. Perhaps, if you want to have the same content as your blog or something which is connected to the internet, perhaps you might mirror the content that you've got on your blog. Or alternatively you could have an onion-aware CMS, like many CMSes understand that I am simultaneously foo.com, foo.co.uk, foo.co.jp and foo.fr and return content that is pertinent for each of those top-level domains; with the onion you would just add an extra one into the mix and treat and respond to it in a consistent fashion. Or, whoops, back, or you implement an onion shim, which is a piece of software which dynamically rewrites the traffic between your onion domain and address and your .com address, and so HTTP requests outbound get rewritten in terms of the onion addresses that are inbound, and the ones that are responses coming inbound, or we've been outbound, to have come from the onion addresses. This all makes more sense a bit later.

So, you could, like, concrete examples here: the dedicated onion services are, for instance, SecureDrop, which is a whistle-blowing tool which it's beneficial to have have some degree of anonymity and some degree of extra privacy. Facebook uses the onion-aware CMS hack, where facebook.com and the equivalent onion address are both understood by the stack and both responded to in consistent manners. And the New York Times has a shim which rewrites all of the content for their nytimes.com site to be in terms of onion addresses, so that you can browse the NY Times site using an onion address which is under their control.

Implementation tips: it's nice to be consistent. This slide is probably a little too verbose for this particular presentation. If you're doing HTTP, there are some special certificates you will need. This is getting easier to get hold of, but again, it's entirely solvable.
This is how all of these sites which I've listed beforehand have set up their onion addresses so that their browsers understand how they work.

The technology behind this: well, I suppose this is where we kind of deep-dive into onion networking a touch, and networking in general, and I apologize, I'm going to use some words which come straight out of 1985. Firstly, if you hack around with Ethernet and IP you will know about ARP and MAC addresses and things like that. And so you've got your MAC addresses, your physical hardware address, and the IP packets get sent to it if they are intended for you. Well, onion addresses, it works like this. And the reason I've got these two slides is that I can go back and forth and back and forth and back and forth and just try and underline the point that this is essentially the same idea: that actually TCP/IP is the data link layer of onion space. You can actually do the seven-layer model in terms of TCP being pushed down to being the LLC layer for onions. And onion space is end-to-end. It's a very flat network which doesn't know about or care about firewalls, so you can communicate between Alice and Bob once more with no intermediaries, no rendezvous points.
No anything. You are disintermediated. You also, beneficially, don't need firewalls so much. Firewalls come from an age when ports on computers, processes on computers, listened promiscuously to the network interface and would accept any traffic that was inbound. With onion networking you essentially publish what services you would like people to connect to. This is closer to the X.25 paradigms of many, many years ago. So you could say, I want port 44422 to be my inbound SSH port, and you literally put that out on the internet, in the Tor cloud, and people will be able to connect to it, but they don't get access to anything else that's running on your machine, whatever the port numbers might be, whatever processes might be listening. You only put out, in a consent-based way effectively, what you are permitting people to connect to. This is a lot closer to where we were back in 1985, when it was possible to finger someone across the breadth of the entire internet.

Onion space is circuit switched. This is mostly put up here to explain why it still runs fast, because the internet as we know it mostly is packet switched. Everybody hopefully has come across packet switching: your data is broken down into little sort of postcards which get flung across the internet bit by bit. Inside Tor, what happens instead: a pipe, a series of tubes, is built between Alice and Bob and the bits go back and forth across this dedicated tube, which means there's less overhead and more speed. Sounds great. I have to say the downside is, of course, this is all on top of TCP and it has a lot of cryptography on top of it, so it's a lot slower, but it's also not as slow as it could be. Net result is it works perfectly fine for streaming video. It's adequate.
You'll notice that there's a little loss in performance, but it does work pretty good.

Next is rendezvous, not client-server. We are so used to, dreadfully so used to, the client-server paradigm, the centralization of all network services: the we must use google.com, must use facebook.com, must use something or another, must use whatever the DNS points at as the IP address to connect to, to send mail to this person. Instead, your server and your client both can sit in little enclaves behind NAT firewalls where no one from the outside can talk to them, where they can sit in their own little protected shell, and they publish out to what's called the DHT, to the hidden service directory as it's called. They publish out what port numbers and addresses and so on they wish to be contacted on, and the clients can connect to them there by a process of negotiation and rendezvous on the pink blob there. These slides are all also up on SlideShare, so if you want any of them they can be got later, also from the pinned post on my Twitter feed. The point being here is that your servers can sit in these protected, safe little enclaves, safe from DDoS attacks and hackers and all sorts of other stuff, and the only services you expose are the services you choose to expose, and that can be connected to via rendezvous. Sounds complicated. It sounds like it's not client-server. It sounds different. But Tor goes to extensive, great lengths to hide the fact that it's not client-server. You still wind up connecting to facebookcorewwwi.onion, but it nonetheless goes through a rendezvous process in order to get there. In fact, it's a little bit like where Alice and Bob, where normally they might sort of send messages to each other on Facebook, they sort of said, we're going to meet on Facebook. Hello Alice.
Hello Bob. So the messages use Facebook as a rendezvous point. With onion networking, the connection setup is done via rendezvous, but all further communication is just directly between Alice and Bob. So it's shifted the load of the rendezvous from giving Facebook control and a copy of all of the conversation, instead to just the initial call setup, you might say, and everything else goes directly between the two of them.

Introduction points have all of these qualities: redundancy, transience, and they have global migration. They hop around and they're replicated and all sorts of cool stuff like this, which means that they are highly DDoS resistant. They have a built-in global server load balancing capability and essentially operate on a DNS round-robin principle, which is how Facebook and the New York Times do their load balancing between multiple servers. Also, they have self-authentication, which is, if, whoops, if you can connect, if you can actually type the address in and you manage to connect to the thing that is the address you typed in, you're definitely talking to the thing you intended to. There's no opportunity for DNS hijacking, for fake addresses and so forth. The features which would be provided by IPsec, like authentication headers and encapsulating security payloads, are all done by Tor for free. And finally, internet separation, which is, actually Tor doesn't really care about the internet. It's an over-the-top meta-network, which means that if some country is routing traffic around in order to try and disrupt the internet, Tor will route around it and not really care. You will still definitely be talking to the (I make that seven minutes, but) you will still definitely be talking to the site that you intended to. So if you remember one thing from this talk, please: Tor treats censorship as damage and routes around it. It is quite literally the raison d'être of Tor to treat censorship as damage and route around it. That's why it's designed.
This is what we were supposed to be doing with the internet. This is what John Gilmore said: the internet treats censorship as damage. We got lazy. We actually have focused too much on doing things cheap and doing things fast and putting things in the hands of big corporations who are selling off big fat chunks of fibre, and maybe we missed some things. We missed some of the older essences that made the internet originally a useful tool, a great tool for building and deploying software on. I think it's something we should reclaim, and I think onion networking is a good way to do it.

There are a few downsides. It's a little bit slower. There are occasionally circuit drops and so forth, but maybe occasionally that happens too if your firewall crashes: you lose all the connections that you had through it. Secondly, you will be learning new stuff if you embrace Tor, but that's not really a great problem either. It's not an internal network, so you're not doing sockets and stuff like that; instead you'd be talking SOCKS5. Most people have got applications which can talk to a SOCKS5 proxy or relay or something like that. You're not doing ifconfig; instead you're meddling with configuration files in a slightly fiddly config syntax format. Again, it's not worse than doing tunneling over SSH. And Tor is an evolving target, but it's just getting better, getting better all the time, and it has an awful lot of promise. I think it would be a really good thing for folk to be building tools on.

I did an example. Middle of last year, I decided I was going to build an onion site for Wikipedia.
The entire configuration file is that, using the tool called EOTK, which is something I worked on and for the NY Times and released. And you create a config file that looks a bit like this and run some magic stuff, a couple of commands, just to build stuff and configure things and so forth, and 10 minutes later you actually have got an onion site for Wikipedia. So much so that it got covered in Vice and God knows what other magazines. Why do something like this? It was mostly a short-term example to prove the concept, but it was useful because some folk decided, hey, let's go troll this guy, and DDoSed it and did other shit to it. Turns out Tor is pretty good at stopping people DDoSing things, and it's, you know, it's a fairly high barrier to entry for people who want to make your life problematic anyway, because that's what Tor is all about. But also with a little bit of load balancing and a few rejection rules, so you can get rid of all of the clearly spammy requests, a few hundreds or a few thousands of requests per second didn't actually make the CPU spike on a quad-core Intel in some data centre somewhere. You know, it was barely noticeable. It was just filling the log files at speed. That's a fixable problem.

So why onion stuff?
Because you can build apps and tools and devices which don't need to fret about NAT, which don't need holes drilled in firewalls, where you don't need to pay for some central server or for an AWS server, however microscopic the price might be. You don't have to worry about your nude wanderings around whilst you've gotten out of the shower being stuck on an AWS server in some S3 bucket and then raided by Russians or Koreans or Americans and posted all over the internet at some later date. The data will go where you choose it to go. It provides additional access and security and safety opportunities, assuredness for your communications, and it's fun.

So, oh, and actually, oops. Yes, I can't go back one. One little and-finally thing: you can even go so far as to password-protect your network interfaces. So if you really are walking around naked or anything like that and you want a guaranteed link between client and server, do a little bit of Tor configuration magic and the network address will not even appear unless you know a special password in order to access it, which is something you could never do with any kind of TCP stack or Ethernet stack that I'm aware of.

So, my name is Alec. I hope you've enjoyed this. The slides and the videos are up on my Twitter feed. Please go ahead and write some e2e tools and give them embarrassing names. Thank you.

Apparently I will answer questions in the bar or somewhere else afterwards.

I'd like to thank you, Alec Muffett. We still need volunteers, so if you'd like to sign up, there's a volunteers link at the top of the main EMF Camp website. Thank you.
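The talk's point that an onion address is a raw network address that is also self-authenticating (the name is the service's public key plus a checksum, and any labels to the left of it such as www only travel in the Host header) can be checked mechanically. The following is an added example, not the speaker's code and not part of Tor or EOTK; it handles only the 56-character v3 address format, and the ed25519 key used at the bottom is a constructed sample rather than a real service.

```python
"""Parse and check a Tor v3 .onion hostname (added example, not Tor project code).

A v3 address is 56 base32 characters encoding 35 bytes:
    PUBKEY (32 bytes, ed25519) || CHECKSUM (2 bytes) || VERSION (1 byte, 0x03)
    CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
The address is the public key, which is what makes it self-authenticating: no DNS
is involved, and a mistyped or tampered address fails the checksum before any
connection is attempted.
"""
import base64
import hashlib
import re
from dataclasses import dataclass

ONION_V3_VERSION = b"\x03"
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # one DNS label

@dataclass(frozen=True)
class OnionName:
    hostname: str      # full name as given, lower-cased
    address: str       # the 56-character self-authenticating label
    subdomains: tuple  # labels left of the address, e.g. ("www",); carried in Host only
    pubkey: bytes      # ed25519 public key embedded in the address

def v3_checksum(pubkey: bytes, version: bytes = ONION_V3_VERSION) -> bytes:
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]

def encode_v3_address(pubkey: bytes) -> str:
    """Derive the hostname for a 32-byte ed25519 public key, as Tor does."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def parse_onion(hostname: str) -> OnionName:
    """Split a .onion hostname into its parts; raise ValueError if it is invalid."""
    name = hostname.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError("not a .onion name")
    for label in labels[:-1]:
        if not _LABEL_RE.match(label):
            raise ValueError(f"bad DNS label: {label!r}")
    address = labels[-2]
    if len(address) != 56:  # the older 16-character v2 format is not handled here
        raise ValueError("expected a 56-character v3 onion address")
    try:
        raw = base64.b32decode(address.upper())
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("address is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unsupported onion version byte {version.hex()}")
    if checksum != v3_checksum(pubkey, version):
        raise ValueError("checksum mismatch: address mistyped or tampered with")
    return OnionName(name, address, tuple(labels[:-2]), pubkey)

def is_valid_onion(hostname: str) -> bool:
    try:
        parse_onion(hostname)
        return True
    except ValueError:
        return False

def corrupt_checksum(hostname: str) -> str:
    """Alter one base32 character inside the checksum bytes (to show tamper detection)."""
    label, rest = hostname[:56], hostname[56:]
    other = "a" if label[52] != "a" else "b"  # character 52 covers checksum bits 260-264
    return label[:52] + other + label[53:] + rest

if __name__ == "__main__":
    demo = encode_v3_address(bytes(range(32)))  # constructed sample key, not a real service
    print(parse_onion("www." + demo))           # www is kept as a subdomain label
    print(is_valid_onion(demo), is_valid_onion(corrupt_checksum(demo)))  # True False
```

Structural validity is all this checks: proof that the service actually holds the matching private key happens inside Tor's rendezvous handshake, not here.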