internet and personal privacy
TRANSCRIPT
![Page 1: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/1.jpg)
Internet andPersonal Privacy
Utku Sen
![Page 2: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/2.jpg)
Outline
- Web Browsing
- VPN and Privacy
- TOR and Privacy
- Instant Messaging
- Operating Systems and Privacy
![Page 3: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/3.jpg)
Threat Actors
- Local Government
- External Government (NSA, GCHQ etc.)
- Hackers
![Page 4: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/4.jpg)
Principles of Personal Privacy
1)Hide in plain sight
2)Protect deniability
3)Follow expert advices if you are not an expert
![Page 5: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/5.jpg)
Web Browsing
![Page 6: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/6.jpg)
HTTP Communication
User
ISPhurriyet.com.tr
Hurriyet.com.tr güncel haberleri göster
O ünlü o konu hakkında ne dedi? Çok şaşıracaksınız
![Page 7: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/7.jpg)
What ISP Can See
- DNS Request (website’s domain name)
- TCP Communication (website’s IP address)
- Whole content
![Page 8: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/8.jpg)
HTTPS Communication
User
ISPtwitter.com
Mjasd02*i9?samadn2?20217/&123jasmı
Kas02*12&&27371nWD(7230?(231n//2ja
![Page 9: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/9.jpg)
What ISP Can See
- DNS Request (website’s domain name)
- TCP Communication (website’s IP address)
- Encrypted Content (doesn’t make any sense)
![Page 10: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/10.jpg)
What About VPN?
![Page 11: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/11.jpg)
HTTP Communication over VPN
User
ISP hurriyet.com.trVPN Server
)82*9and
=*as928a )82*9and
=*as928a
Yarın 15:00’de buluşuyoruz
Ok kib
![Page 12: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/12.jpg)
What ISP Can See
- DNS Request (website’s domain name)
- TCP Communication (vpn server’s IP address)
- Encrypted Content (doesn’t make any sense)
![Page 13: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/13.jpg)
DNS Leak
User
ISP illegal.comVPN Server
)82*9and
=*as928a )82*9and
=*as928a
Yarın 15:00’de buluşuyoruz
Ok kib
ISP’s DNS Server
External DNS Server
![Page 14: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/14.jpg)
Solution
User
ISP illegal.comVPN Server
)82*9and
=*as928a )82*9and
=*as928a
Yarın 15:00’de buluşuyoruz
Ok kib
ISP’s DNS Server
External DNS Server
![Page 15: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/15.jpg)
Solution
![Page 16: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/16.jpg)
What ISP Can See
- TCP Communication (VPN Server’s IP address)
- Encrypted Content (doesn’t make any sense)
![Page 17: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/17.jpg)
Are We 100% Private?
![Page 18: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/18.jpg)
No
![Page 19: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/19.jpg)
Example Scenario
- You insulted somebody in hurriyet.com.tr’s comment section anonymously.
- That somebody wants to sue you.
![Page 20: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/20.jpg)
Example Scenario
- Hurriyet’s IT guy finds IP address of that anonymous person
- That IP address belongs to Acme VPN Company
- Court sends request to Acme VPN
- Acme VPN says “We don’t keep logs and we don’t care your request, lol bye”
![Page 21: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/21.jpg)
Case Closed?
![Page 22: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/22.jpg)
No
![Page 23: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/23.jpg)
Example Scenario
- Court asks ISP “Who were connected to Acme VPN’s IP address in 12 December 2016 at 15:21?”
- ISP checks and gives list of subscribers
![Page 24: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/24.jpg)
Best Case
- Ahmet Yılmaz / Zonguldak
- Muhittin Topalak / Kazlıçeşme
- Someone @Starbucks / İzmir Alsancak
- Ayşe Türk / İstanbul
- Someone @Bilgi Üniversitesi / İstanbul
Lots of people and location
![Page 25: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/25.jpg)
Worst Case
- Only you :(
![Page 26: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/26.jpg)
Average Case
- You
- 2 more people
![Page 27: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/27.jpg)
Average Case
- They don’t know which one of you is guilty
- Even they know somehow, they don’t have enough proof to blame you on court.
- They need confess.
- They will force you to confess.
![Page 28: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/28.jpg)
Privacy Checklist With VPN
- Use a VPN which protects you from DNS leaks.
- Use a VPN provider which doesn’t keep logs and protects privacy with laws.
- Don’t use unpopular VPN providers.
- Use a VPN which supports double-hop
- Don’t build your own VPN server (don’t be the only person who connects that server at specific time)
- If you really need to build your own VPN server, make it double hop
Paranoid Mode: ON
- Don’t connect internet from home, use public wifi hotspots.
- Stay away from cameras. Wear cap, sunglasses
- Don’t bring your mobile phone with you
![Page 29: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/29.jpg)
Choosing VPN Provider
- Company popularity, number of servers.
- Jurisdiction
- Logging
- Payment methods
- Features (double hop etc.)
- Do not trust reviews on TorrentFreak!
![Page 30: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/30.jpg)
https://thatoneprivacysite.net/vpn-comparison-chart/
![Page 31: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/31.jpg)
What About TOR?
![Page 32: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/32.jpg)
TOR (The Onion Router)
- Developed in the mid-1990s at the U.S. Naval Research Laboratory to protect U.S. intelligence communications
- After the Naval Research Laboratory released the code for Tor under a free license Dingledine, Mathewson and five others founded The Tor Project as a non-profit organization in 2006
![Page 33: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/33.jpg)
How TOR Works?
HTTP = Pen((Pmid(Pex(m))))→ Pmid(Pex(m)) → Pex(m) → m
HTTPS = Pser((Pex(Pmid(Pen(m)))))→ ..
![Page 34: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/34.jpg)
TOR
- Anyone can setup a tor node.
- Node lists are publicly available.
- Any organisation can block Entry nodes in order to block TOR access.
- Any organisation can block Exit nodes in order to protect their assets from TOR users.
![Page 35: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/35.jpg)
Tor Bridges
![Page 36: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/36.jpg)
Tor Bridges
- When using TOR suspicious or illegal
- When ISP banned all Entry nodes
- There is no publicly available Bridge list
- Still can be blocked but much more harder
![Page 37: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/37.jpg)
Tor Bridges
![Page 38: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/38.jpg)
Pluggable Transports
- StegoTorus Splits Tor streams across multiple connections to avoid packet size signatures, and embed the traffic flows in traces that look like html, javascript, or pdf.
- SkypeMorph transforms Tor traffic flows so they look like Skype Video
- Meek, ScrambleSuit etc.
![Page 39: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/39.jpg)
Are We Safe Now?
![Page 40: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/40.jpg)
No
![Page 41: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/41.jpg)
Correlation Attacks
- FBI, NSA etc. has lots of Exit nodes
- A ISP subscriber transferred 150kb data to unknown IP address at October 3 15.41:23
- An government-controlled exit node received exactly 150kb data at October 3 15.41:26
- Government knows that this data is sent by that ISP subscriber :(
![Page 42: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/42.jpg)
Other Methods
- Same with VPN users. (Ex: Harvard Bomb Hoax)
- +Firefox exploits
- +Personal information leakage
- +Useful information from FBI controlled TOR nodes
![Page 43: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/43.jpg)
Mixing TOR with VPNParanoid Mode = ON
![Page 44: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/44.jpg)
Option 1) TOR → VPN → Destination
- Police sees VPN’s public IP
- Police asks information from VPN company
- VPN company says a guy who uses TOR connected that IP address but we don’t know who he is.
- Police will try to find TOR user..
![Page 45: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/45.jpg)
Option 2) VPN → TOR → Destination
- Police sees TOR exit node
- Police will try to find TOR user..
But in the meantime
- VPN company knows the real IP who are connecting the TOR
- If Police and VPN company contacts somehow, you are f*!%+d
![Page 46: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/46.jpg)
Instant Messaging
![Page 47: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/47.jpg)
Golden Rules
- It should be open source so that everyone can investigate the code
- Encryption mechanism should be approved by various security researchers.
- Encryption should be default and easy for everyone.
![Page 48: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/48.jpg)
Three Major Encrypted Messaging Apps
- Telegram
- Signal
![Page 49: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/49.jpg)
Pros:
- Provides End-to-End Encryption
- Everybody uses it
Cons:
- Facebook owns it (Metadata sharing)
- Not open source
- Not forensics safe
- Backups your chat logs
![Page 50: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/50.jpg)
Telegram
Pros:
- Provides End-to-End Encryption
- Lots of people uses it
- Forensics safe
- Open source
Cons:
- Encryption algorithm is weak
- Does not apply encryption by default
- Owned by an asshole called Pavel Durov
![Page 51: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/51.jpg)
Signal
Pros:
- Provides End-to-End Encryption
- Forensics safe
- Open source
- Designed by world-famous crypto experts.
- It’s security is confirmed by lots of scientists + Edward Snowden.
- Applies encryption by default
Cons:
- It’s not so popular
![Page 52: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/52.jpg)
Privacy Checklist For Messaging Apps
- Use Signal
- Use Signal
- Use Telegram or Whatsapp if Signal is not possible.
- Never ever use a home brew messaging app!
![Page 53: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/53.jpg)
Operating Systems
![Page 54: Internet and Personal Privacy](https://reader036.vdocuments.net/reader036/viewer/2022070514/587ffc511a28ab3a1e8b6521/html5/thumbnails/54.jpg)
Tails