Internet andPersonal Privacy

Utku Sen

Outline

- Web Browsing

- VPN and Privacy

- TOR and Privacy

- Instant Messaging

- Operating Systems and Privacy

Threat Actors

- Local Government

- External Government (NSA, GCHQ etc.)

- Hackers

Principles of Personal Privacy

1)Hide in plain sight

2)Protect deniability

3)Follow expert advices if you are not an expert

Web Browsing

HTTP Communication

User

ISPhurriyet.com.tr

Hurriyet.com.tr güncel haberleri göster

O ünlü o konu hakkında ne dedi? Çok şaşıracaksınız

What ISP Can See

- DNS Request (website’s domain name)

- TCP Communication (website’s IP address)

- Whole content

HTTPS Communication

User

ISPtwitter.com

Mjasd02*i9?samadn2?20217/&123jasmı

Kas02*12&&27371nWD(7230?(231n//2ja

What ISP Can See

- DNS Request (website’s domain name)

- TCP Communication (website’s IP address)

- Encrypted Content (doesn’t make any sense)

What About VPN?

HTTP Communication over VPN

User

ISP hurriyet.com.trVPN Server

)82*9and

=*as928a )82*9and

=*as928a

Yarın 15:00’de buluşuyoruz

Ok kib

What ISP Can See

- DNS Request (website’s domain name)

- TCP Communication (vpn server’s IP address)

- Encrypted Content (doesn’t make any sense)

DNS Leak

User

ISP illegal.comVPN Server

)82*9and

=*as928a )82*9and

=*as928a

Yarın 15:00’de buluşuyoruz

Ok kib

ISP’s DNS Server

External DNS Server

Solution

User

ISP illegal.comVPN Server

)82*9and

=*as928a )82*9and

=*as928a

Yarın 15:00’de buluşuyoruz

Ok kib

ISP’s DNS Server

External DNS Server

Solution

What ISP Can See

- TCP Communication (VPN Server’s IP address)

- Encrypted Content (doesn’t make any sense)

Are We 100% Private?

No

Example Scenario

- You insulted somebody in hurriyet.com.tr’s comment section anonymously.

- That somebody wants to sue you.

Example Scenario

- Hurriyet’s IT guy finds IP address of that anonymous person

- That IP address belongs to Acme VPN Company

- Court sends request to Acme VPN

- Acme VPN says “We don’t keep logs and we don’t care your request, lol bye”

Case Closed?

No

Example Scenario

- Court asks ISP “Who were connected to Acme VPN’s IP address in 12 December 2016 at 15:21?”

- ISP checks and gives list of subscribers

Best Case

- Ahmet Yılmaz / Zonguldak

- Muhittin Topalak / Kazlıçeşme

- Someone @Starbucks / İzmir Alsancak

- Ayşe Türk / İstanbul

- Someone @Bilgi Üniversitesi / İstanbul

Lots of people and location

Worst Case

- Only you :(

Average Case

- You

- 2 more people

Average Case

- They don’t know which one of you is guilty

- Even they know somehow, they don’t have enough proof to blame you on court.

- They need confess.

- They will force you to confess.

Privacy Checklist With VPN

- Use a VPN which protects you from DNS leaks.

- Use a VPN provider which doesn’t keep logs and protects privacy with laws.

- Don’t use unpopular VPN providers.

- Use a VPN which supports double-hop

- Don’t build your own VPN server (don’t be the only person who connects that server at specific time)

- If you really need to build your own VPN server, make it double hop

Paranoid Mode: ON

- Don’t connect internet from home, use public wifi hotspots.

- Stay away from cameras. Wear cap, sunglasses

- Don’t bring your mobile phone with you

Choosing VPN Provider

- Company popularity, number of servers.

- Jurisdiction

- Logging

- Payment methods

- Features (double hop etc.)

- Do not trust reviews on TorrentFreak!

https://thatoneprivacysite.net/vpn-comparison-chart/

What About TOR?

TOR (The Onion Router)

- Developed in the mid-1990s at the U.S. Naval Research Laboratory to protect U.S. intelligence communications

- After the Naval Research Laboratory released the code for Tor under a free license Dingledine, Mathewson and five others founded The Tor Project as a non-profit organization in 2006

How TOR Works?

HTTP = Pen((Pmid(Pex(m))))→ Pmid(Pex(m)) → Pex(m) → m

HTTPS = Pser((Pex(Pmid(Pen(m)))))→ ..

TOR

- Anyone can setup a tor node.

- Node lists are publicly available.

- Any organisation can block Entry nodes in order to block TOR access.

- Any organisation can block Exit nodes in order to protect their assets from TOR users.

Tor Bridges

Tor Bridges

- When using TOR suspicious or illegal

- When ISP banned all Entry nodes

- There is no publicly available Bridge list

- Still can be blocked but much more harder

Tor Bridges

Pluggable Transports

- StegoTorus Splits Tor streams across multiple connections to avoid packet size signatures, and embed the traffic flows in traces that look like html, javascript, or pdf.

- SkypeMorph transforms Tor traffic flows so they look like Skype Video

- Meek, ScrambleSuit etc.

Are We Safe Now?

No

Correlation Attacks

- FBI, NSA etc. has lots of Exit nodes

- A ISP subscriber transferred 150kb data to unknown IP address at October 3 15.41:23

- An government-controlled exit node received exactly 150kb data at October 3 15.41:26

- Government knows that this data is sent by that ISP subscriber :(

Other Methods

- Same with VPN users. (Ex: Harvard Bomb Hoax)

- +Firefox exploits

- +Personal information leakage

- +Useful information from FBI controlled TOR nodes

Mixing TOR with VPNParanoid Mode = ON

Option 1) TOR → VPN → Destination

- Police sees VPN’s public IP

- Police asks information from VPN company

- VPN company says a guy who uses TOR connected that IP address but we don’t know who he is.

- Police will try to find TOR user..

Option 2) VPN → TOR → Destination

- Police sees TOR exit node

- Police will try to find TOR user..

But in the meantime

- VPN company knows the real IP who are connecting the TOR

- If Police and VPN company contacts somehow, you are f*!%+d

Instant Messaging

Golden Rules

- It should be open source so that everyone can investigate the code

- Encryption mechanism should be approved by various security researchers.

- Encryption should be default and easy for everyone.

Three Major Encrypted Messaging Apps

- Whatsapp

- Telegram

- Signal

Whatsapp

Pros:

- Provides End-to-End Encryption

- Everybody uses it

Cons:

- Facebook owns it (Metadata sharing)

- Not open source

- Not forensics safe

- Backups your chat logs

Telegram

Pros:

- Provides End-to-End Encryption

- Lots of people uses it

- Forensics safe

- Open source

Cons:

- Encryption algorithm is weak

- Does not apply encryption by default

- Owned by an asshole called Pavel Durov

Signal

Pros:

- Provides End-to-End Encryption

- Forensics safe

- Open source

- Designed by world-famous crypto experts.

- It’s security is confirmed by lots of scientists + Edward Snowden.

- Applies encryption by default

Cons:

- It’s not so popular

Privacy Checklist For Messaging Apps

- Use Signal

- Use Signal

- Use Telegram or Whatsapp if Signal is not possible.

- Never ever use a home brew messaging app!

Operating Systems

Tails