A+ TLS config for ubuntu + nginx

These are my config notes for getting a brand new Xenial + nginx server online.

Install Tor:

sudo apt install tor apt-transport-tor
sudo gpg --keyserver keys.gnupg.net --recv 886DDD89

sudo gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Replace the contents of the sources list with these lines (the Tor Project repo and the Wikimedia Ubuntu mirror are both fetched over Tor and HTTPS):

sudo vim /etc/apt/sources.list
deb tor+https://deb.torproject.org/torproject.org xenial main
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb tor+https://mirrors.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse

Add the PPAs:

sudo add-apt-repository ppa:nginx/development
sudo add-apt-repository ppa:ondrej/nginx
sudo add-apt-repository ppa:ondrej/php
sudo add-apt-repository ppa:certbot/certbot

Prefix the URLs in each of the new files under /etc/apt/sources.list.d/ with “tor+” so the PPAs are fetched over Tor as well (add-apt-repository writes plain http:// lines).

Update and restart:

sudo apt update && sudo apt upgrade -V && sudo apt autoremove -y && sudo shutdown -r now

Install nginx + certbot:

sudo apt install python-certbot-nginx -V

Set server_name in the default site, replacing the “_” placeholder:

sudo vim /etc/nginx/sites-available/default
server_name domain.net;

Get Let’s Encrypt cert for nginx:

sudo certbot --nginx -d domain.net --redirect --rsa-key-size 4096

Further harden the TLS config that certbot wrote. Three caveats: TLSv1.3 only takes effect when nginx is linked against OpenSSL 1.1.1 or later (Xenial’s stock OpenSSL 1.0.2g negotiates TLSv1.2 at most, and nginx older than 1.13.0 rejects the TLSv1.3 token outright); pinning ssl_ecdh_curve to secp384r1 alone also removes X25519, and with OpenSSL 1.1.0 or later “ssl_ecdh_curve X25519:secp384r1;” keeps both; and the last four suites in the list (*-AES256-SHA384, *-AES128-SHA256) are CBC rather than AEAD and are only there for older clients:

sudo vim /etc/letsencrypt/options-ssl-nginx.conf
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!3DES:!aNULL:!DES:!DSS:!eNULL:!EXP:!IDEA:!LOW:!MD5:!PSK:!RC4:!SEED";

Remove the distro’s own SSL settings from the http block in nginx.conf (“ssl_protocols TLSv1 TLSv1.1 TLSv1.2;” and “ssl_prefer_server_ciphers on;”), so that a server block that forgets the hardened include cannot silently fall back to TLSv1:

sudo vim /etc/nginx/nginx.conf

Edit the nginx config. Three things to check before copying it: Strict-Transport-Security with “preload” asks browsers to bake the domain and every subdomain into their built-in HSTS lists, which is hard to undo, so leave “preload” out until you intend to submit to hstspreload.org; nginx does not inherit add_header lines into any location block that sets its own add_header, so keep them out of the location blocks or repeat them there; and the PHP location needs php7.2-fpm (from the ondrej/php PPA) installed with its socket at the path shown, otherwise PHP requests fail with a 502. The resolver line is only used for OCSP stapling lookups, and it sends them to Google’s resolvers in the clear:

sudo vim /etc/nginx/sites-available/default

Replace “domain.net” with your domain:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name domain.net www.domain.net;
        return 301 https://$host$request_uri;

        server_tokens off;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer";
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name domain.net www.domain.net;
        root /var/www;
        index index.php index.html index.htm;

        ssl_certificate /etc/letsencrypt/live/domain.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.net/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        server_tokens off;
        add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer";

        resolver 8.8.8.8 8.8.4.4 valid=300s;

# For WordPress

        location / {
        try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                include fastcgi_params;
        }
}

Validate the nginx config:

sudo nginx -t

Restart nginx:

sudo service nginx restart

Add inbound and outbound firewall rules. Two things to check: certbot’s nginx plugin answers the HTTP-01 challenge over port 80, and the port-80 server block above is the one doing the HTTPS redirect, so renewals and the redirect both need “sudo ufw allow 80/tcp” in addition to 443; and with outbound traffic limited to 443/tcp, Tor can only reach guards whose ORPort is 443, so set “ReachableAddresses *:443” (or “FascistFirewall 1”) in /etc/tor/torrc rather than letting it time out on the others. The outbound 9050/tcp rule is harmless but unnecessary, since that is Tor’s loopback SOCKS port and ufw allows loopback traffic by default:

sudo ufw limit 22/tcp && sudo ufw allow 443/tcp && sudo ufw allow out 22/tcp && sudo ufw allow out 25/tcp && sudo ufw allow out 53/udp && sudo ufw allow out 443/tcp && sudo ufw allow out 9050/tcp && sudo ufw deny out to any && sudo ufw enable && sudo ufw status verbose
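As an added example (not from the original post), here is a small audit of the kind of TLS fragment edited above, plus a live probe for a deployed host. It checks the points an A+ config has to get right: no legacy protocols, session tickets off, OCSP stapling on, server cipher preference, and an explicit cipher list made only of AEAD suites. The two configs it creates are constructed for the demonstration (the “weak” one resembles a stock Xenial nginx.conf), and the live probe assumes openssl on PATH and is not run here.

```shell
#!/bin/sh
# Added example, not part of the original post: a static audit of an nginx
# TLS fragment such as /etc/letsencrypt/options-ssl-nginx.conf, plus a live
# probe for a deployed host. The two configs created below are constructed
# for the demonstration; the "weak" one resembles a stock Xenial nginx.conf.

# audit_nginx_tls FILE: print one finding per line; return 1 if any finding
audit_nginx_tls() {
    # strip comments and flatten to one line so directives match regardless of layout
    body=$(sed 's/#.*$//' "$1" | tr -s ' \t\n' '   ')
    rc=0

    protos=$(printf '%s' "$body" | sed -n 's/.*ssl_protocols \([^;]*\);.*/\1/p')
    [ -n "$protos" ] || { echo "ssl_protocols not set (nginx default still offers TLSv1)"; rc=1; }
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy protocol enabled: $p"; rc=1 ;;
        esac
    done

    printf '%s' "$body" | grep -q 'ssl_session_tickets off;' \
        || { echo "ssl_session_tickets not off (ticket key lives until restart, weakening forward secrecy)"; rc=1; }
    printf '%s' "$body" | grep -q 'ssl_stapling on;' \
        || { echo "ssl_stapling not on (clients fetch OCSP themselves)"; rc=1; }
    printf '%s' "$body" | grep -q 'ssl_prefer_server_ciphers on;' \
        || { echo "ssl_prefer_server_ciphers not on"; rc=1; }

    ciphers=$(printf '%s' "$body" | sed -n 's/.*ssl_ciphers "\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p')
    [ -n "$ciphers" ] || { echo "ssl_ciphers not set"; rc=1; }
    # walk the OpenSSL cipher string: anything that is not an exclusion and
    # not an AEAD suite (GCM or ChaCha20-Poly1305) is CBC or an opaque group
    for c in $(printf '%s' "$ciphers" | tr ':' ' '); do
        case $c in
            !*|*GCM*|*CHACHA20*) ;;
            *) echo "non-AEAD cipher or opaque group: $c"; rc=1 ;;
        esac
    done
    return $rc
}

# tls_probe HOST: live check of a deployed server (needs network and openssl;
# not run here). A hardened host refuses a TLSv1.1 handshake and staples OCSP.
tls_probe() {
    if openssl s_client -connect "$1:443" -servername "$1" -tls1_1 </dev/null >/dev/null 2>&1; then
        echo "$1 still accepts TLSv1.1"
    fi
    openssl s_client -connect "$1:443" -servername "$1" -status </dev/null 2>/dev/null \
        | grep -q 'OCSP Response Status: successful' || echo "$1 sent no stapled OCSP response"
}

# constructed sample configs
WEAK=$(mktemp); GOOD=$(mktemp)
cat >"$WEAK" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:AES128-SHA";
ssl_session_tickets on;
EOF
cat >"$GOOD" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5";
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
EOF

echo "== weak =="; audit_nginx_tls "$WEAK" || echo "(audit failed)"
echo "== hardened =="; audit_nginx_tls "$GOOD" && echo "(no findings)"
```

Run it against the real file with “audit_nginx_tls /etc/letsencrypt/options-ssl-nginx.conf” after the edits above; the post’s own cipher list will be flagged for its four CBC suites, which is a choice rather than a bug, and “tls_probe domain.net” confirms the result from outside once nginx has been restarted.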

Emerald Onion has launched

The Tor network and the dot-onion infrastructure were built with security and privacy in mind. This is unlike legacy clear-net infrastructure, which over the years has needed routine and dramatic security changes just to keep up with evolving security challenges. Even worse, modern security for legacy clear-net infrastructure does very little for privacy.

Vulnerable populations were the first to recognize the importance of a technology like “the onion router”, and the United States Navy was among the first. The Navy realized very quickly that an anonymity network used only by the Navy would mark every one of its users as Navy. To this day, the United States Navy researches and develops Tor.

Once Tor became a public, free, and open source project, journalists and other vulnerable populations with life-and-death threat models started using Tor. These survivors and human-rights defenders were a red flag. By the time Tor became a public project, other departments from the United States Government, such as the United States National Security Agency, had already started conducting global mass surveillance.

The United States Navy knew and continues to know that Tor is a necessity in a world dominated by global mass surveillance and by governments that strive for power and control.

Emerald Onion envisions a world where access and privacy are the defaults. This is necessary to ensure human rights, including access to information and freedom of speech. If we do not have human rights online, we will not have them offline, either. We launched officially on July 2nd. We are planning for 10+ years of development and sustainability. Please reach out to me if you can think of ways to support our work.

Briar is in public beta

What is Briar?

Briar is a messaging app designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate. Unlike traditional messaging tools such as email, Twitter or Telegram, Briar doesn’t rely on a central server – messages are synchronized directly between the users’ devices. If the internet’s down, Briar can sync via Bluetooth or Wi-Fi, keeping the information flowing in a crisis. If the internet’s up, Briar can sync via the Tor network, protecting users and their relationships from surveillance.

I am incredibly excited about this project. Please test and use the beta. The direct APK is linked from the manual, but here it is: https://briarproject.org/beta/briar.apk

Hi everyone,

I'm pleased to announce the first public beta release of Briar for Android. Briar is a messaging app designed for activists, journalists, and anyone else who needs a safe, easy and robust way to communicate. You can download it from Google Play:

https://play.google.com/store/apps/details?id=org.briarproject.briar.beta

If you prefer not to use Google Play, the manual has instructions for downloading the app from our website:

https://briarproject.org/manual

This release includes private messaging, forums, blogs and RSS import. We'd love to hear your feedback on these features, as well as any others you'd like to see. Please feel free to send your feedback to contact@briarproject.org, or anonymously via the app.

The beta will expire on 21 October. When it expires, your contacts and messages will be lost. The expiry period is designed to limit the impact of any security issues and allow us to make incompatible changes before the 1.0 release.

I hope you enjoy testing Briar!

Cheers,
Michael

_______________________________________________
briar-announce mailing list
briar-announce at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/briar-announce

Tor onion service config fails due to apparmor

Thanks for the help, Will.

After installing Tor on a new host and configuring an onion service, Tor fails due to AppArmor.

Hosts:

Xenial server
Zesty server

Tor versions:

0.3.0.9
0.3.1.4-alpha

Errors:

grep tor /var/log/kern.log

Jul 20 19:25:58 zesty kernel: [   50.173406] audit: type=1400 audit(1500578758.127:16): apparmor="DENIED" operation="capable" profile="system_tor" pid=2148 comm="tor" capability=2  capname="dac_read_search"

grep tor /var/log/syslog

Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.111 [notice] Tor 0.3.1.4-alpha (git-c3fe257c709bb814) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.112 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.113 [notice] This version is not a stable Tor release. Expect more bugs than usual.
Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.114 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.114 [notice] Read configuration file "/etc/tor/torrc".
Jul 20 19:26:00 zesty tor[2190]: Configuration was valid
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.223 [notice] Tor 0.3.1.4-alpha (git-c3fe257c709bb814) running on Linux with Libevent 2.0.21-stable, OpenSSL 1.0.2g, Zlib 1.2.11, Liblzma N/A, and Libzstd N/A.
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.224 [notice] Tor can't help you if you use it wrong! Learn how to be safe at https://www.torproject.org/download/download#warning
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.225 [notice] This version is not a stable Tor release. Expect more bugs than usual.
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.225 [notice] Read configuration file "/usr/share/tor/tor-service-defaults-torrc".
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.226 [notice] Read configuration file "/etc/tor/torrc".
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.233 [warn] Directory /var/lib/tor/hidden_service/ cannot be read: Permission denied
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.234 [warn] Failed to parse/validate config: Failed to configure rendezvous options. See logs for details.
Jul 20 19:26:00 zesty tor[2193]: Jul 20 19:26:00.235 [err] Reading config failed--see warnings above.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Unit entered failed state.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Failed with result 'exit-code'.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Service hold-off time over, scheduling restart.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Start request repeated too quickly.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Unit entered failed state.
Jul 20 19:26:00 zesty systemd[1]: tor@default.service: Failed with result 'exit-code'.

Solution

sudo vim /etc/apparmor.d/abstractions/tor

add this line next to the other capability rules (dac_read_search lets the confined tor process bypass DAC read and search checks on any path its profile already allows, which is broader than a path rule; check first that the hidden service directory is owned by debian-tor with mode 0700, since the same “Permission denied” without a matching DENIED entry in kern.log is a plain ownership problem, not an AppArmor one):

capability dac_read_search,

reload:

sudo /etc/init.d/apparmor reload
sudo service tor restart
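As an added example (not from the original post), the following turns AppArmor DENIED audit lines like the one above into the profile rule that would allow the access, which is what you end up doing by hand when reading kern.log. It goes beyond the post by also handling file-access denials (operation="open", "mknod" and similar, which carry name= and denied_mask=). The log lines it creates are constructed for the demonstration; the first reproduces the post’s denial and the rest are made up in the same format.

```shell
#!/bin/sh
# Added example, not part of the original post: translate AppArmor "DENIED"
# audit lines into the profile rules that would permit the access. It handles
# the capability denial from the post and, beyond it, file denials
# (operation="open"/"mknod"/... with name= and denied_mask=). The log lines
# in SAMPLE_LOG are constructed; the first reproduces the post's denial.

# kv LINE KEY: value of ' KEY="v"' or ' KEY=v' from an audit line
kv() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# apparmor_rule LINE: print "PROFILE: RULE" for a denial, return 1 otherwise
apparmor_rule() {
    case $1 in *'apparmor="DENIED"'*) ;; *) return 1 ;; esac
    profile=$(kv "$1" profile)
    case $(kv "$1" operation) in
        capable)
            printf '%s: capability %s,\n' "$profile" "$(kv "$1" capname)" ;;
        *)
            name=$(kv "$1" name)
            # 'c' (create) in an audit mask is granted by 'w' in a rule
            mask=$(kv "$1" denied_mask | sed 's/c/w/g' | tr -s w)
            [ -n "$name" ] && [ -n "$mask" ] || return 1
            printf '%s: %s %s,\n' "$profile" "$name" "$mask" ;;
    esac
}

# suggest_rules FILE: unique rules implied by every denial in FILE
suggest_rules() {
    while IFS= read -r line; do
        apparmor_rule "$line"
    done <"$1" | sort -u
}

# constructed sample log: line 1 is the post's denial, lines 2-3 are made-up
# file denials in the same format, line 4 is an unrelated tor notice
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jul 20 19:25:58 zesty kernel: [   50.173406] audit: type=1400 audit(1500578758.127:16): apparmor="DENIED" operation="capable" profile="system_tor" pid=2148 comm="tor" capability=2  capname="dac_read_search"
Jul 20 19:25:58 zesty kernel: [   50.173901] audit: type=1400 audit(1500578758.127:17): apparmor="DENIED" operation="open" profile="system_tor" name="/var/lib/tor/hidden_service/hostname" pid=2148 comm="tor" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 20 19:25:58 zesty kernel: [   50.174102] audit: type=1400 audit(1500578758.127:18): apparmor="DENIED" operation="mknod" profile="system_tor" name="/var/lib/tor/hidden_service/lock" pid=2148 comm="tor" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jul 20 19:26:00 zesty tor[2190]: Jul 20 19:26:00.111 [notice] Tor 0.3.1.4-alpha running on Linux
EOF

suggest_rules "$SAMPLE_LOG"
```

Each output line names the profile the rule belongs in (system_tor, whose abstraction is the file edited above); a capability rule is only the right fix when the path rules are already in place, so add path rules first and the capability last.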

Secure Messenger Scorecard (May 2017)

This is a draft.

I’m starting my own Secure Messenger Scorecard based on the prior work of the Electronic Frontier Foundation.

I’ve created an editable Google Doc for further input and development.

Please scrutinize and contribute by Signaling me, emailing me or tweeting at me.

version one

version two

version three

New Democracy Now! Onion site

g6klvb3bfx3zuivo.onion

Updated onion address: 2017-March-12

Previous work here. The rest of this post is for technical individuals.

I recently moved to a new DN! host, mainly because my first one ran out of storage. I apologize to those who have not been able to access the last few episodes due to the old host filling up. This post goes into detail on how I set up the new Onion site, then how I transferred all ~30GB of existing DN! files from the old host to the new host exclusively over the Onion service via rsync.

One major improvement: Democracy Now’s third-party services all support TLS now, meaning that I’m finally pulling the media via authenticated and confidential (excluding metadata) transport. My updated shell script is below, too.

Please note that not all traffic is torified on the new host, the DN! files are still getting pulled via port 443, outbound DNS via port 53, and outbound NTP via port 123.

New Ubuntu 16.04 Xenial host setup

Enable the firewall, which denies all inbound traffic by default:

sudo ufw enable

Edit the sources list, replacing the default HTTP repositories with Wikimedia’s HTTPS mirror for transport authentication and confidentiality, and add the Tor Project’s HTTP repository (on Xenial the https method lives in the separate apt-transport-https package; make sure it is installed before the mirror URLs change, otherwise apt update fails with a missing method driver):

sudo vim /etc/apt/sources.list

deb https://ubuntu.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb http://deb.torproject.org/torproject.org xenial main

Add the Tor Project’s signing key:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Update, upgrade, then install the necessary Tor apps:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install tor apt-transport-tor deb.torproject.org-keyring -y

Edit torrc to create the new Onion site address:

sudo vim /etc/tor/torrc

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 80 127.0.0.1:80

Restart the Tor service:

sudo service tor restart

View the new Onion site address:

sudo cat /var/lib/tor/hidden_service/hostname

gnt3qwmxads3yytg.onion

Edit sources list again so that the repositories will only be accessed via Onion service:

sudo vim /etc/apt/sources.list

deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb tor+http://deb.torproject.org/torproject.org xenial main

Update and upgrade again, and install OpenSSH, all via the Onion service:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install openssh-server

Configure the SSH server to accept connections only via the Onion service (bind it to loopback) and harden it a little. Note that “Protocol 2” is already the default, that KeyRegenerationInterval, ServerKeyBits and RSAAuthentication are SSH protocol 1 options with no effect on SSH-2 (newer OpenSSH warns about or rejects them), and that password authentication stays enabled unless you also set “PasswordAuthentication no”:

sudo vim /etc/ssh/sshd_config

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
AllowUsers user
Port 22
ListenAddress 127.0.0.1:22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 30
ServerKeyBits 4096
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes

Install Apache via Onion service, disable status, and enable headers:

sudo apt-get install apache2 -y && sudo a2dismod status && sudo a2enmod headers

Configure the index view of the Apache landing page:

sudo vim /etc/apache2/mods-available/autoindex.conf

IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 SuppressDescription SuppressIcon SuppressLastModified SuppressRules
IndexOrderDefault Descending Name

Harden Apache’s security configuration:

sudo vim /etc/apache2/conf-available/security.conf

<Directory />
AllowOverride None
Require all denied
</Directory>

Header always set X-XSS-Protection: "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies: "master-only"
Header always set Cache-Control: "private, no-cache, no-store, must-revalidate"
Header always set Pragma: "no-cache"
Header always set Expires: "-1"
Header always set X-Content-Type-Options: "nosniff"
Header always set X-Frame-Options: "sameorigin"
Header always set Content-Security-Policy: "default-src 'self'"
ServerTokens Prod
ServerSignature Off
TraceEnable Off

Configure Apache to only answer via the Onion service. Note that the address in <VirtualHost> only selects which vhost handles a request; the listening socket comes from “Listen 80” in /etc/apache2/ports.conf, which binds every interface, so change that to “Listen 127.0.0.1:80” as well (until then only the firewall enabled earlier keeps the public port closed):

sudo vim /etc/apache2/sites-available/000-default.conf

<VirtualHost 127.0.0.1:80>
ServerName gnt3qwmxads3yytg.onion
ServerAdmin gnt3qwmxads3yytg@yawnbox.com
DocumentRoot /var/www/html/dn/
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Restart Apache:

sudo service apache2 restart

Make the DN! directory:

sudo mkdir /var/www/html/dn/

Create the shell script to download the various DN! files (the cron entry below expects it at /home/user/dn-now.sh):

sudo vim dn-now.sh

#!/bin/bash
# Pull today's Democracy Now! video, audio and torrent into the onion
# site's document root. DN! names its files dnYYYY-MMDD; wget's -m (mirror)
# implies -N, so files already present and unchanged are not re-fetched
# when cron runs this every 15 minutes.
set -u
cd /var/www/html/dn/ || exit 1
daystamp=$(date +%Y-%m%d)
wget -m -p -E -k -K -np -nd -e robots=off -H -r "https://publish.dvlabs.com/democracynow/360/dn$daystamp.mp4"
wget -m -p -E -k -K -np -nd -e robots=off -H -r "https://traffic.libsyn.com/democracynow/dn$daystamp-1.mp3"
wget -m -p -E -k -K -np -nd -e robots=off -H -r "https://ewheel.democracynow.org/dn$daystamp.mp4.torrent"
chown -R www-data:www-data /var/www/html/dn/*

Edit cron to check for new files every 15 minutes:

sudo crontab -e

*/15 * * * * bash /home/user/dn-now.sh
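The whole point of the setup above is that sshd and Apache are reachable only through the onion service, which means every listener must be bound to loopback. As an added example (not from the original post), this script checks that invariant across the three files the post edits: the HiddenServicePort targets in torrc, the ListenAddress lines in sshd_config, and Apache’s Listen and <VirtualHost> addresses. The sample files it creates are constructed to mirror the post’s setup with one mistake planted in each; the Apache one is the state the post actually leaves ports.conf in.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that a host meant to be
# reachable only through its onion service binds every daemon to loopback. It
# reads the files the post edits (torrc, sshd_config, and Apache's Listen and
# <VirtualHost> lines) and prints each bind that is not loopback. Apache's
# socket comes from Listen (ports.conf), not from the <VirtualHost> address,
# which only picks the vhost that answers. The sample files are constructed
# to mirror the post's setup, with one mistake planted in each.

# is_loopback ADDR: true for 127.x, localhost or ::1, with or without a port
is_loopback() {
    case $1 in
        127.*|localhost|localhost:*|::1|'[::1]'|'[::1]:'*) return 0 ;;
        *) return 1 ;;
    esac
}

# onion_targets TORRC: print "VIRTPORT TARGET" per HiddenServicePort line,
# applying torrc's defaults (no target = 127.0.0.1:VIRTPORT, bare port =
# 127.0.0.1:PORT); unix: socket targets have no TCP bind and are skipped
onion_targets() {
    sed -n 's/^[[:space:]]*HiddenServicePort[[:space:]]\{1,\}//p' "$1" |
    while read -r vport target _; do
        case $target in
            '')     target="127.0.0.1:$vport" ;;
            unix:*) continue ;;
            *:*)    ;;
            *)      target="127.0.0.1:$target" ;;
        esac
        printf '%s %s\n' "$vport" "$target"
    done
}

# violations TORRC SSHD_CONFIG APACHE_CONF: one line per non-loopback bind
violations() {
    onion_targets "$1" | while read -r vport target; do
        is_loopback "$target" || echo "torrc: onion port $vport -> $target is not loopback"
    done

    listen=$(sed -n 's/^[[:space:]]*ListenAddress[[:space:]]\{1,\}//p' "$2")
    [ -n "$listen" ] || echo "sshd_config: no ListenAddress, sshd binds all interfaces"
    for a in $listen; do
        is_loopback "$a" || echo "sshd_config: ListenAddress $a is not loopback"
    done

    # "Listen 80" with no address means 0.0.0.0:80 and [::]:80
    sed -n 's/^[[:space:]]*Listen[[:space:]]\{1,\}//p' "$3" | while read -r a _; do
        case $a in
            *:*) is_loopback "$a" || echo "apache: Listen $a is not loopback" ;;
            *)   echo "apache: Listen $a binds all interfaces" ;;
        esac
    done
    sed -n 's/^[[:space:]]*<VirtualHost[[:space:]]\{1,\}\([^>]*\)>.*/\1/p' "$3" |
    tr ' ' '\n' | while read -r a; do
        [ -n "$a" ] || continue
        is_loopback "$a" || echo "apache: VirtualHost $a is not loopback"
    done
}

# check_onion_only TORRC SSHD_CONFIG APACHE_CONF: print violations, return 1 if any
check_onion_only() {
    out=$(violations "$1" "$2" "$3")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# constructed sample files, one planted mistake each
TORRC=$(mktemp); SSHD=$(mktemp); APACHE=$(mktemp)
cat >"$TORRC" <<'EOF'
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 8080 10.0.0.5:8080
EOF
cat >"$SSHD" <<'EOF'
Port 22
ListenAddress 127.0.0.1:22
ListenAddress 0.0.0.0:22
PermitRootLogin no
EOF
cat >"$APACHE" <<'EOF'
Listen 80
<VirtualHost 127.0.0.1:80>
    ServerName gnt3qwmxads3yytg.onion
    DocumentRoot /var/www/html/dn/
</VirtualHost>
EOF

check_onion_only "$TORRC" "$SSHD" "$APACHE" && echo "all listeners are loopback-only"
```

On the real host run it as “check_onion_only /etc/tor/torrc /etc/ssh/sshd_config /etc/apache2/ports.conf” (concatenate ports.conf and the vhost file if you want both checked at once), and confirm with “ss -ltn” that nothing else is listening on 0.0.0.0 or [::].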

Old Host

Configure the SSH client on the old host to be torified. With “-X 5”, netcat hands the hostname to Tor’s SOCKS5 port unresolved, which is what lets the .onion name resolve at all; “CheckHostIP no” stops ssh from trying to record an IP address it never sees:

sudo vim /etc/ssh/ssh_config

Host *
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
CheckHostIP no

Rsync all files from the old host (ssh client) to the new host (ssh server). The remote user needs write access to /var/www/html/dn/, which was created by root above; “-v” only prints progress, so add “-a” if you want timestamps and permissions preserved:

sudo rsync -v /var/www/html/dn/* user@gnt3qwmxads3yytg.onion:/var/www/html/dn/

Cheers!

The Tor Project has lied to its community

I can confirm the identity of River given many of the details in her story, but I do not know her personally. I am a victim of rape and I sympathize with presumed victims’ stories. I was also a guest of Jacob’s on the evening of New Year’s Day, 2016.

“One night, he invited me to his apartment to party with him and several of his friends. I went, not thinking twice that anything further would happen.”

There were no parties going on this particular evening. It was in the late afternoon when our group started organizing to go to a sauna in Berlin. It was then that several more of Jacob’s friends came over to the apartment. There were at least 10 of us. At the sauna, after we all checked in, and since I am an introvert, I split off from the group because I wanted to relax and get dinner. After finishing my dinner, I found Jacob and the rest of the group eating and I sat down on the edge of a couch to join them. After dinner I ran into River, and she asked me, “Do you know where our group is?” I told her the group’s last known location. She said thanks, we both smiled at each other, and I remember thinking that she seemed like a really nice person. She walked away and I continued exploring the sauna by myself. That was the extent of our interactions that entire evening.

After the sauna had closed and after getting back to Jacob’s apartment, there were five of us watching a movie together. The four of them were on Jacob’s couch that was pulled out so they could lay down under blankets. I was not on the couch; instead, I was off to the side sitting on a pad. Jacob and River were laying on the far side of the couch. Two other guys, both gay, one of whom had a flu-like illness, were laying together nearest me. I was effectively a “fifth wheel” since I was not part of either one of the two couples on the couch.

“We were all watching a movie and laying on the couch. I was intoxicated and not thinking clearly, and it took me a long time to realize that Jacob was going down on me, in the living room, in front of everyone.”

During my visit to Berlin, there was only one night at Jacob’s where we had watched a movie together while River was visiting. I did not witness anyone having alcoholic beverages or any manner of drugs on this night. There were no stops between the sauna and returning to Jacob’s apartment. Several hours had passed between dinner and the sauna closing if any of them had consumed anything intoxicating at dinner. Very little time had passed between getting back to the apartment and starting the movie.

I cannot claim that River did not have any drugs or alcohol, I just never saw any. I had brought Jacob a bottle of my favorite vodka that I purchased in Iceland on my way to Germany. However, I explicitly remember Jacob not having any mixers available, so I did not even have any despite wanting to. Again, this does not mean that River did not become intoxicated somehow, it just seems very unlikely.

“I told him that I didn’t want to do that, and he stopped, but I don’t remember what happened directly after, except that he kept touching me.”

Jacob and River were cuddling throughout the entire movie.

“The next thing I realized was that one of his friends in the room was touching me instead of Jacob, and Jacob told me to go down on his friend.”

The two others, both gay men, were not only calmly snuggling, but the one that was not ill had been spending the entire day taking care of the other. I did not witness any contact between either of the two couples on the couch, and I was within arms-reach of the two nearest me.

“I asked them to stop, however, all of this had a really long delayed effect because I was under the influence. I remember that his friend did stop touching me when I asked him to, but then I blacked out, and when I came back into consciousness, Jacob was having sex with me in the living room with his friends watching.”

If River was under the influence of drugs or alcohol, it was not apparent. At no point did she seem distressed or abused. Nobody did. Further, no one was having sex in the living room.

“When I realized what was happening, I told him again that I wanted to stop. He asked why, and I said that I didn’t want to do that in front of everyone. He did stop, but replied, “well, that’s what we’ve already been doing”, and turned extremely cold. Eventually, he brought me into his room, but I felt like I was being punished.”

I remember River saying something to the effect of “Not in front of everyone.” What River said was the only thing I heard from the four of them throughout the entire movie. What she said sounded playful, and not distressed, but it does mean stop. As far as I could tell, nothing happened thereafter; but again, I had not witnessed any sexual actions throughout the entire movie between anyone.

“Later, when I wasn’t intoxicated, Jacob again tried to persuade me to have sex with his group of friends. It was then an easy no, but it felt like I lost my value to him once I wouldn’t give him or his followers what they wanted.”

If Jacob was pressuring River to have sex with him or with anyone else, nobody else had any part in it. When the movie ended, I immediately laid down on the pad and went to sleep. The gay couple, if they were not asleep already, did the same.

“What is most terrifying about this situation is how systematic all of this felt. I very clearly understood that I was not the only woman that this happened to. In fact, it felt like this was quite common. No one in that situation seemed to be surprised about any of these events, chillingly, not even my discomfort.”

I am very sorry, River. I would never tolerate violence against a woman, not even a stranger. If I had perceived any actions of abuse against you, I would have said something. I would not be Jacob’s friend if I had ever witnessed him abusing anyone, especially to the degree that you are purporting.

This allegation against Jacob is serious. However, I do not condone The Tor Project’s biased investigation against him. Rebecca Speer, who was asked to speak to me at Shari Steele’s request, did not include my account because she did not take it. I was advised not to speak to an investigator without a witness present, and by the time I was ready to speak to Rebecca, she had already left Seattle.

This testimony was referenced by The Guardian.

Tor terminology

When people talk about Tor, they may be talking about one or more of the following Tor technologies:

The Tor protocol: The official system of rules governing the operations of Core Tor, the Tor network, and Onion Services. The Tor protocol is publicly accessible and readily criticized and updated.

Core Tor: A software application that uses strong encryption and careful routing designed to hide network identifying information of a computer from other Internet resources. Core Tor is a free software technology that can be built into many Internet products.

The Tor network: The global network of volunteer administrators that make Tor technologies so powerful and successful. Volunteers run “relays” that route Core Tor and Onion Services traffic on the Internet. Each of the 7,000+ volunteer relay administrators can be one of three “hops” that Tor users rely on when using Tor technologies. When Tor technologies are used, traffic moves from relay to relay, each hop preventing network origination information from being shared with the destination. Relay diversity is important because of the need for distributed trust.

Tor Browser: A customized Firefox web browser that has been modified to minimize identity exposure to web sites and advertising networks. One critical feature of Tor Browser is that all traffic from Tor Browser is routed through the Tor network.

Onion Services: The dot-onion (.onion) is a special “top level domain”, similar to dot-com (.com), but is only recognized by Tor technologies. Onion Services are diverse and can be used by many types of Internet tools. For example, in Tor Browser, connecting to a dot-onion web address allows a server to share content anonymously with a user, and allows a user to connect anonymously to a server. Onion Services are also used by instant messaging tools like Ricochet which allows people to anonymously chat with each other.

Pluggable Transports: It is commonplace for governments or corporations to limit, censor, or surveil their Internet users. Pluggable Transports are free software technologies that allow Tor technologies to bypass censorship by changing how the Internet traffic appears to these restrictive organizations.

EMET profile for Tor Browser

Windows 10 (1511)
EMET: 5.5.5871.31890
Tor Browser: 6.0.1

When configured, EMET will force enable these security settings for Tor Browser:

  • DEP
  • SEHOP
  • NullPage
  • HeapSpray
  • EAF
  • EAF+
  • MandatoryASLR
  • BottomASLR
  • LoadLib
  • MemProt
  • Caller
  • StackPivot
  • ASR

Steps

(Perform the following if you want to manually set this up and not simply import my prepared config file.)

  • Import > CertTrust
  • Import > Popular Software
  • Import > Recommended Software
  • Quick Profile Name: Maximum security settings
  • Apps > Add Application (find and select your *\Tor Browser\Browser\firefox.exe)
  • Enable ASR for Mozilla Firefox then add these ASR modules
    flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
  • Enable ASR for Tor Project Firefox then add the same ASR modules:
    flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
  • Enable ASR for Mozilla Firefox plugin container then add the same ASR modules:
    flash*.ocx;njpi*.dll;jp2iexp.dll;vgx.dll;msxml4*.dll;wshom.ocx;scrrun.dll;vbscript.dll
  • Disable “SimExecFlow” for Tor Project Firefox.

Example EMET view

2016-06-11

Draft proposal for Debian

Draft:

Please criticize and contribute to the following:

Objectives:

1. The Debian community must immediately deploy Onion Service repositories for Debian downloads and Debian updates.

2. The Debian community must immediately deploy TLS-only repositories for Debian downloads and Debian updates as a backup to Onion Services.

3. The Debian community must assure anonymity-by-default with the employment of apt-transport-tor by changing existing update mechanics.

4. The Debian community must deploy a critical security update to patch existing update mechanics to use Onion Services.

Summary:

Current and future network adversaries can view and retain which repositories Debian servers connect to (metadata), when (metadata), the update schedule (information), which updates are being applied (information), and to which operating system (information). This is incredibly valuable information for any adversary wanting to perform minimal attacks against Debian servers. Further, with cheapening data retention, mass-hacking and nation-state dominance are supported by the Debian community’s short-sighted update mechanics.

Edward Snowden has given the world factual evidence describing the capabilities and objectives of global powers and the Debian community has willfully neglected these problems.

Arguments:

Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye — Presented to the Human Rights Council in May 2015:

(2)(A)(9) “Notably, encryption protects the content of communications but not identifying factors such as the Internet Protocol (IP) address, known as metadata. Third parties may gather significant information concerning an individual’s identity through metadata analysis if the user does not employ anonymity tools. Anonymity is the condition of avoiding identification. A common human desire to protect one’s identity from the crowd, anonymity may liberate a user to explore and impart ideas and opinions more than she would using her actual identity. […] Users seeking to ensure full anonymity or mask their identity (such as hiding the original IP address) against State or criminal intrusion may use tools such as virtual private networks (VPNs), proxy services, anonymizing networks and software, and peer-to-peer networks.1 One well-known anonymity tool, the Tor network, deploys more than 6,000 decentralized computer servers around the world to receive and relay data multiple times so as to hide identifying information about the end points, creating strong anonymity for its users.”

Debian powers more than one-third of the Internet. The default behavior of Debian is to obtain updates via clear-text HTTP which discloses the following to any network adversary:

1. Server location via IP address
2. Update server via IP address and DNS resolution
3. Server update schedule
4. Server version
5. Application version

This information, via network analysis, would allow any passive or active adversary to plan effective attacks against any Debian server.

Not all adversaries are the same because not all servers have the same risk. Like people, data mining and data retention capabilities pose grave risks for infrastructure. HTTPS may resolve some of the above information leakage depending on an adversary’s capabilities, but Tor resolves them to a greater degree. Anonymity provides the strongest security and is the only acceptably secure option given the facts.

XKEYSCORE, a FVEY technology, is one example of a modern threat to Internet infrastructure. Via Wikipedia:

On January 26, 2014, the German broadcaster Norddeutscher Rundfunk asked Edward Snowden in its TV interview: “What could you do if you would [sic] use XKeyscore?” and he answered:

“You could read anyone’s email in the world, anybody you’ve got an email address for. Any website: You can watch traffic to and from it. Any computer that an individual sits at: You can watch it. Any laptop that you’re tracking: you can follow it as it moves from place to place throughout the world. It’s a one-stop-shop for access to the NSA’s information.

You can tag individuals… Let’s say you work at a major German corporation and I want access to that network, I can track your username on a website on a form somewhere, I can track your real name, I can track associations with your friends and I can build what’s called a fingerprint, which is network activity unique to you, which means anywhere you go in the world, anywhere you try to sort of hide your online presence, your identity.”

The question posed to Edward Snowden was rightly focused on people. However, an XKEYSCORE-like system can trivially threaten any node on the Internet. If XKEYSCORE-like systems can be programmed to track nations, servers, or application installations, the Debian community must act.

Scenarios:

1. Debian server > https://update-server.onion

In scenario 1, operating system and application updates are obtained exclusively within the Tor network with an added layer of Certificate Authority validation ability. HTTP-based Certificate Authority, Domain Name System, and Border Gateway Protocol vulnerabilities do not exist.

2. Debian server > http://update-server.onion

In scenario 2, operating system and application updates are obtained exclusively within the Tor network. HTTP-based Certificate Authority, Domain Name System, and Border Gateway Protocol vulnerabilities do not exist.

3. Debian server > tor+https://update-server.org

In scenario 3, operating system and application updates are obtained via Tor but must leave the Tor network through an exit relay to reach the HTTPS mirror. From the exit onward the same Certificate Authority, Domain Name System and Border Gateway Protocol exposure as on the normal Internet applies, and a malicious exit is ideally placed to attempt it, although TLS still has to be defeated before a man-in-the-middle can read or alter the traffic. Debian servers retain anonymity toward the mirror, but the security risk is increased.

4. Debian server > tor+http://update-server.org

In scenario 4, operating system and application updates are obtained via Tor but must leave the Tor network through an exit relay to reach the HTTP mirror. All HTTP-based Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist once the traffic traverses Tor exit relays onto the normal Internet, and the exit itself can read and modify the plaintext. Debian servers retain anonymity, but the security risk is increased.

5. Debian server > https://update-server.org

In scenario 5, operating system and application updates are obtained via the normal Internet with minimal transport security. Server location information, update server information, and server update schedule information are easily obtainable, and sophisticated attackers can obtain server version information and package version information. All HTTP-based Certificate Authority, Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist.

6. Debian server > http://update-server.org

In scenario 6, the current Debian default, operating system and application updates are obtained via the normal Internet with zero transport security. Server location information, update server information, server update schedule information, server version information, and package version information are trivially obtainable. All HTTP-based Domain Name System, Border Gateway Protocol, and Man-in-the-Middle vulnerabilities exist. Note that apt verifies the GPG signature on the repository’s Release file in every scenario, so what a network attacker gains without breaking that signature is the metadata listed above plus the ability to withhold or replay old indexes (freeze attacks), not silent package substitution.