Serving Websites Privately Over Tor Onion Services (From Your Laptop!)

In this day and age when our data is consistently being tracked and profited off of, sharing information safely and securely is difficult. However, that does not necessarily mean that all network services are subject to such scrutiny. Users now have the ability to combine the security of HTTPS with the privacy benefits of Tor Browser and share information through Tor’s anonymous network services – Onion Services. By using an onion service, users can hide their location while active, connect to other Tor users, and retain their privacy throughout. [Read More]

DWeb versus Web3: An Intern's Journey!

Close your eyes and imagine. You are sitting, designing the next game-changing innovative idea; however, you are not worried about any information leakage or spread, as you are in control. You not only hold ownership of your data, but with each online activity, your fear of being tracked dissipates more. This new internet you explore understands each input, tailoring the content to your specific needs as it no longer runs on basic commands, but rather uses the combination of technologies and concepts such as machine learning, big data, and decentralized ledger technology to process information in a smart, human-like manner. [Read More]

IETF114 Conference Report: Friday July 29, 2022

Day Five of the 114th IETF meeting in Philadelphia USA. For the rundown on Day Four, see my daily report. A quiet day today with only the Messaging Layer Security Working Group holding its session. Draft 16 of the MLS protocol completed last-call in mid-July and has been submitted for review after significant technical and editorial feedback from the working group. Are we getting close (again)? The MLS Architecture document was lightly revised and version 8 submitted for review. [Read More]

IETF114 Conference Report: Thursday July 28, 2022

Day Four of the 114th IETF meeting in Philadelphia USA. For the rundown on Day Three, see my daily report. At IETF112 (online) a formal Birds of a Feather (BoF) session was held on the concept of Privacy Preserving Measurement. A Working Group was chartered and, at IETF113 in Vienna, we were treated to an incredibly detailed presentation on Prio, an academic concept for supporting privacy in the context of Internet-scale measurement. [Read More]

IETF114 Conference Report: Wednesday July 27, 2022

Day Three of the 114th IETF meeting in Philadelphia USA. For the rundown on Day Two, see my daily report. Interest is starting to consolidate on the need for additional definition for serving media over the QUIC transport layer, particularly for streaming and conferencing applications. Following an informal gathering at IETF113 in March 2022, a formal Birds of a Feather session met today with a draft charter proposal and two draft documents describing the intended use cases and a protocol. [Read More]

IETF114 Conference Report: Tuesday July 26, 2022

Day Two of the 114th IETF meeting in Philadelphia USA. For the rundown on Day One, see my daily report. Lucas Pardue, of Cloudflare and co-chair of the QUIC Working Group, gave a not-so-tongue-in-cheek talk about the breakdown of the OSI layering model of the Internet. His focus was on the top of the stack, illustrating handsomely what QUIC and HTTP/3 have done (unknowingly to most) to our perception of layers. [Read More]

IETF114 Conference Report: Monday July 25, 2022

Day One of the 114th IETF meeting in Philadelphia USA. With privacy a key consideration in new protocol design, cryptography has become a major focus of IETF activities. The Internet Research Task Force (IRTF) has the Crypto Forum Research Group where new cryptography schemes are brought forward and vetted for use in IETF protocols. Well, new is a misnomer. Much of the mathematics has long been defined, at least at its core, and the work is rather being brought into the IETF context where important engineering considerations apply: use of memory (at rest or in flight), processing required, round-trips required, etc. [Read More]

IETF114 Hackathon Report: Sunday July 24, 2022

This post begins a daily blog, live from the 114th meeting of the Internet Engineering Task Force in Philadelphia Pennsylvania USA, July 23-29, 2022 (in-person meetings having restarted in March 2022 after the COVID pandemic abated). We’re focusing on standards activities of importance to the Internet Freedom community. The Hackathon event kicks off each IETF event, with projects that run the gamut from early implementations of just-emerging specifications to full multi-vendor interoperability testing of nearly-mature protocols. [Read More]

RightsCon Report: Surveillance and Facial Recognition: Protection or Instruments of Control?

Safety is one of the foremost questions we seek to answer as we roam about in our everyday lives, taking precautions to reduce the likelihood of all threats. It is the very reasoning behind the use of surveillance technology from civilians to the state government, as it hinders crime through fear of persecution and retribution. However, variables such as the time taken for assistance can limit this objective. In these instances, surveillance is not a means of protection, but rather justice, as facial recognition technology can discern the perpetrator to bring to justice. [Read More]

IETF113 Conference Report: Friday March 25, 2022

Final day of the 113th IETF meeting, in Vienna Austria. The IETF is looking to make a clear contribution to the problem of hyper-aggressive measurement of user activities on the Internet and the many misuses thereof. To do so, the IETF recognizes that some measurement is important but that many desirable measurements require data most people consider sensitive. It also recognizes that aggregated measurements often provide the most value, rather than individual ones. [Read More]

IETF113 Conference Report: Thursday March 24, 2022

Day four of the 113th IETF meeting, in Vienna Austria. Privacy Pass - originating at Cloudflare in 2017 as a solution to user frustration with CAPTCHA - has been in full swing as an IETF activity since mid-2020. Privacy Pass allows a client to solve some form of validity check (a CAPTCHA, a puzzle, a user-pass authentication) to then receive some number of tokens to be used at websites accepting Privacy Pass, thus eliminating the need to do a CAPTCHA at each site. [Read More]

IETF113 Conference Report: Wednesday March 23, 2022

Day three of the 113th IETF meeting, in Vienna Austria. Messaging Layer Security (MLS) is (finally) closing in on Last Call at protocol Draft 14 and architecture Draft 7 (which will be taken forward together). Sometimes referred to as the TLS for messaging systems, Messaging Layer Security creates a uniform secure group discussion protocol, scalable to very large groups and providing similarly uniform security guarantees across providers. The near completion of the architecture and protocol drafts, and commencement of interoperability testing has prompted the Working Group to dust off the Federation draft as the next object of their affection. [Read More]

IETF113 Conference Report: Tuesday March 22, 2022

Day two of the 113th IETF meeting, in Vienna Austria. The crisis in Ukraine is on everyone’s mind, lending immediacy to the work of the Global Access to the Internet for All (GAIA) Research Group. While past and continuing work has focused on Internet access for the world’s population (especially those disadvantaged by economics, distance, mobility, and social constraints) the situation in Ukraine resulting from military activities gives cause for both concern and hope. [Read More]

IETF113 Conference Report: Monday March 21, 2022

It’s opening day at the 113th IETF meeting, the first in-person meeting in two years due to the COVID pandemic and being held in Vienna Austria. We’re focusing on standards activities of importance to the Internet Freedom community. New work is brought to the IETF via Birds-of-a-Feather sessions and also each technical area’s Dispatch Working Group. The Application area often sees the most unique and interesting ideas and this meeting was no exception. [Read More]

IETF113 Hackathon Project

This post begins a daily blog, live from IETF113 in Vienna Austria, March 19-25, 2022 (first in-person meeting after six remote-only meetings during the COVID pandemic). The Hackathon event kicks off IETF and, at this meeting, we picked up work originally done by one of our teammates implementing version 5 of Internet Draft HTTP Transport Authentication. HTTP Transport Authentication is designed to authenticate such protocol flows in a manner that does not reveal any information to an attacker during failure cases. [Read More]

Privacy Preserving Analytics in the Real World: Mailvelope Case Study

We love Mailvelope. It’s a popular browser extension for encrypting email messages. Now, Clean Insights is helping Mailvelope understand which webmail providers are most popular with their users so they can prioritize their development efforts. Anyone who has written software knows it takes hard work to craft a great user experience. That’s even more challenging in Mailvelope’s case. Their browser extension integrates with more than a dozen ever-changing third party webmail interfaces. [Read More]

Spearphishing for developers

I received an interesting email that points to a new direction in targeting developers to exploit them. This email is a reply to a message that I actually wrote to an email list in 2012, that was posted on a public thread on a public list. It also uses the name of a person that posted on that thread: “Paul Eggers”. Oddly, it did not use that person’s actual email from the original thread. [Read More]

IETF: Year End Review 2021

In terms of potential impact on Internet Freedom, it’s been a banner year at the Internet Engineering Task Force (IETF). QUIC (featuring the improved privacy and security of TLS1.3) reached Proposed Standard status, with implementations and rollouts from every major vendor on both server and client, and with multiple open source toolkit options for developers. Encrypted Client Hello for TLS1.3 gained traction via the DEfO project that, through pull requests, makes a huge privacy enhancement easily available to the major security library (OpenSSL) underpinning the Internet’s most important service engines (nginx, apache, lighttpd, haproxy on the server, even curl on the client). [Read More]

Debian over HTTPS

Debian’s package manager apt has a time-tested method of securely providing packages from the network built on OpenPGP signatures. Even though this signing method works well for verifying the indexes and package files, there are new threats that have become relevant as man-in-the-middle attacks and data mining become ever easier. Since 2013, apt developers have supported encrypted transport methods HTTPS and Tor Onion Service. We have been recommending their use since 2013. [Read More]

Implementing TLS Encrypted Client Hello

As part of the DEfO project, we have been working on accelerating the development of Encrypted Client Hello (ECH) as standardized by the IETF. ECH is the next step in improving Transport Layer Security (TLS). TLS is one of the basic building blocks of the internet; it is what puts the S in HTTPS. The ECH standard is nearing completion. That is exciting because ECH can encrypt the last plaintext TLS metadata that it is possible to encrypt. [Read More]