
Friends Don't Let Friends Browse Unencrypted: Running a VPN for friends and family

In late March 2017, Congress passed a law making it possible for your ISP to sell sensitive private information about their customers -- including their detailed browsing history. Interest in VPN services immediately spiked. But using a VPN doesn't actually solve this problem, it just pushes it further downstream -- because there's nothing preventing your VPN provider from doing similar undesirable things. That's not to mention that more than half the VPNs in the Google Play store don't actually encrypt your web traffic.

So, how are you going to protect yourself? Moreover, how are you going to help your less technically sophisticated friends and family protect themselves? Chances are, if you're at this conference, you have the technical skills to set up and run your own VPN service, which you can also make available to friends and family. (There's even a chance that all of you using the VPN together might provide better cover for your collective privacy.)

Attendees at this talk will learn about various Open Source alternatives that simplify setting up a VPN. The talk will discuss the pros and cons of hosting this VPN service within the US, versus outside the US. Enabling the VPN on a per-computer basis versus a whole network approach will also be discussed. Other, related, privacy-enhancing services (such as centralized ad blocking) will also be covered.

With great nerdery comes great responsibility -- come learn how you can help yourself and your friends and family preserve their privacy!

As presented at OpenWest, 12 Jul 2017



Slide 1: friends don't let friends browse unencrypted. john sj anderson | @genehack | openwest | 13 jul 2017 — Helping Friends - OpenWest 2017 – @genehack

Slide 2: running a vpn for friends & family. john sj anderson | @genehack | openwest | 13 jul 2017

Slide 3: more accurate subtitle: helping non-technical friends & family internet safe. john sj anderson | @genehack | openwest | 13 jul 2017

Slide 4: hi, i'm john. a/k/a @genehack

Slide 5: vp, technology

Slide 6 (disclaimer: not a "security guy"): i'm also not a lawyer and anything that sounds like i'm giving you legal advice is all in your imagination

Slide 7 (quick poll): who is already providing tech support for friends or family members? not as a part of your job. who provides web hosting? who provides email hosting? anybody already running a vpn for friends and family?

Slide 8: inspiration

Slide 9: (no slide text)

Slide 10 (safe internetting): there's a lot of things that are "best practices" or even "common sense" to us that non-technical folks are probably not too familiar with. we all live on the internet now -- it's real life, like Deb said in her keynote this morning -- but the knowledge of how to do that safely isn't distributed evenly. it's like if most of the people driving around in cars had never had any sort of training or driver education -- but (generally, broadly speaking) we have. so what can we do to help reduce the number of flaming wrecks on the shoulder of the internet?

Slide 11 (privacy concerns): one of the biggest unmet personal infosec needs, in my opinion, relates to privacy. and some recent changes, earlier this year, have brought this more to mind.

Slide 12 (recent changes): we've had some changes this year in terms of what's legally allowed when it comes to online privacy. the Congressional Review Act, or CRA, is a law passed in 1996 that gives Congress the power to override regulations created by government agencies. Senator Jeff Flake of Arizona introduced a law to overrule an FCC rule limiting what ISPs could do with your info. after 10 minutes of floor discussion, it passed on a 50-48 party line vote. moved on to the House where it passed 231-189, again on a straight party line vote. signed into law by Pres Trump, 3 April 2017.

Slide 13: here's the significance of the date of this tweet...

Slide 14 (cui bono?): who benefits? primary beneficiaries are large monopoly ISPs -- Cox, Comcast, Time Warner, Charter -- and wireless providers -- AT&T, Verizon -- who are now free to continue collecting data about everything you do online

Slide 15: what can they do?

Slide 16: sell your browsing history -- and incognito mode won't stop them

Slide 17: monitor & sell your searches

Slide 18: inject tracking ads

Slide 19: inject tracking cookies

Slide 20: install traffic monitors on phones

Slide 21: https://www.eff.org/deeplinks/2017/03/five-creepy-things-your-isp-could-do-if-congress-repeals-fccs-privacy-protections (all these predictions per the eff.)

Slide 22 (what can we do?): how many folks have a choice in their internet provider? due to the "natural monopoly" nature of internet service, most people don't have any choice, so market-based remedies to this seem pretty unlikely

Slide 23: (no slide text)

Slide 24: searchinternethistory.com

Slide 25 (what can we practically do?): political action is great, but what can you do in the meantime, not just for yourself, but for friends and family

Slide 26 (HTTPS Everywhere): available for firefox, chrome, and opera. developed by the EFF. keeps your browser using HTTPS as much as possible for sites that support it. if they default to HTTP, or if they put HTTP links into HTTPS pages, this extension notices and keeps you on the HTTPS version of the site. using HTTPS limits the amount of info your ISP can see about what you're doing -- they can still see who you're talking to, but they can no longer see what you're talking about. note that this is good, but metadata analysis can still reveal a ton of info about you
Slide 27 (Privacy Badger): also developed by EFF. also Chrome, Firefox, Opera. looks at third-party content being loaded by web pages, specifically trying to see if that third party content looks like it's tracking you across sites. when it detects those sorts of things, it blocks the third party site. can also be configured to allow the third party site content to load, but to discard the cookies and other tracking attempts. only tracks third parties - if you go to a "first party" site (e.g., Facebook), Privacy Badger won't do anything
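The cross-site heuristic on slide 27 is simple enough to write down. This is an added example, not Privacy Badger's code: a third party is treated as a tracker once it has been seen carrying tracking cookies on three distinct first-party sites (the project's published rule of thumb), first-party loads are ignored, and an optional allowlist turns a "block" into "load the content but drop the cookies". The registrable-domain helper just takes the last two labels, an assumption for this example; a real implementation consults the Public Suffix List. The observations are constructed.

```python
from collections import defaultdict

TRACKING_SITE_THRESHOLD = 3   # Privacy Badger's published rule of thumb

def base_domain(host: str) -> str:
    """Simplified registrable domain: last two labels (assumption for this example)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_third_parties(observations, cookieblock_allowlist=frozenset()):
    """observations: iterable of (page_host, resource_host, carried_tracking_cookie).
    Returns {third_party_base: "allow" | "block" | "cookieblock"}."""
    seen_on = defaultdict(set)   # third-party base -> first-party bases it tracked on
    known = set()
    for page_host, resource_host, tracking in observations:
        page, res = base_domain(page_host), base_domain(resource_host)
        if page == res:
            continue             # first-party content is out of scope (slide 27)
        known.add(res)
        if tracking:
            seen_on[res].add(page)
    verdicts = {}
    for tp in known:
        if len(seen_on[tp]) < TRACKING_SITE_THRESHOLD:
            verdicts[tp] = "allow"
        elif tp in cookieblock_allowlist:
            verdicts[tp] = "cookieblock"   # load it, but strip cookies and referrer
        else:
            verdicts[tp] = "block"
    return verdicts

# Constructed sample observations, as a browser extension would record them
SAMPLE = [
    ("news.example", "cdn.tracker.example", True),
    ("shop.example", "px.tracker.example", True),
    ("blog.example", "cdn.tracker.example", True),
    ("news.example", "static.fonts.example", False),
    ("blog.example", "static.fonts.example", False),
    ("social.example", "api.social.example", True),   # first party: ignored
]

if __name__ == "__main__":
    print(classify_third_parties(SAMPLE))
    print(classify_third_parties(SAMPLE, cookieblock_allowlist={"tracker.example"}))
```

Note that the verdict is learned from behaviour rather than from a fixed list, which is why the extension can break a site it has not seen before; that is the caveat slide 102 returns to.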
Slide 28 (Two-Factor Authentication): moving from privacy issues to more "safe internetting" in general, there's two factor authentication

Slide 29: something you have + something you know. can use physical token, 2FA app, or get SMS'd code. needs to be set up per service or provider. who has (and uses) a Yubikey? who uses 2FA via app or SMS for work stuff? for personal stuff? who has helped get a friend or family 2FA
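What a "2FA app" on slide 29 actually does is TOTP (RFC 6238): HOTP (RFC 4226) keyed with a shared secret and driven by the 30-second time step. The code below is an added example, not from the talk: the client side generates the code, the otpauth URI is what the enrolment QR code encodes, and the server-side check tolerates one step of clock skew, compares in constant time, and refuses to accept a counter at or below the last one used so a code cannot be replayed. The seed is the ASCII string RFC 6238 uses for its test vectors; the account and issuer names are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): dynamic-truncate HMAC(secret, counter) to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the time step containing Unix time `at`."""
    return hotp(secret, at // step, digits)

def provisioning_uri(label: str, secret: bytes, issuer: str) -> str:
    """otpauth:// URI, the payload of the QR code an authenticator app scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(label)}"
            f"?secret={b32}&issuer={quote(issuer)}")

def verify_totp(secret: bytes, code: str, at: int, last_counter=None, window: int = 1):
    """Server-side check. Accepts +/- `window` steps of skew, compares in constant
    time, and rejects any counter <= last_counter (replay protection).
    Returns the matched counter (store it) or None."""
    now_counter = at // 30
    for counter in range(now_counter - window, now_counter + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None

if __name__ == "__main__":
    seed = b"12345678901234567890"          # RFC 6238 test-vector seed (constructed demo)
    print(provisioning_uri("alice@example.com", seed, "Example"))
    print("code now:", totp(seed, int(time.time())))
```

The "something you have" is the secret living on the phone, which is why a code phished out of a user is only good for about a minute and only once: the window check bounds the skew and the stored counter closes the replay.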
Slide 30 (hard drive encryption): moving on from "safe internetting" to just "safe computing", there's hard drive encryption. there's pretty good os level support for this in everything now, just turn it on.

Slide 31 (use a passphrase on your phone): rather than a simple 4 digit PIN. think about whether the convenience of fingerprint unlock outweighs the risk. pro-tip: if you reboot your phone, it will require the passphrase the first time

Slide 32 (password managers): get one and use it. i like 1password. use a distinct password per site. if you encrypted your hard drive, put that password in here for sure! also put 2FA recovery tokens in here. you can also use these to generate the answers to security questions

Slide 33 (use duckduckgo): they don't track you, simple as that. they also have this awesome feature called bang searches, come find me afterwards and i'll show you. who uses DDG?

Slide 34 (use signal, use tor): signal is secure SMS. TOR is onion routing -- routes your web browser requests via a network of bridge nodes, obscuring what info you're looking for. who is using signal? who is using tor? anybody set friends or family up on signal or tor? personally tor is on the wrong side of the

Slide 35 (vpns): now we get to the meat. if you follow the security or infosec space at all, you probably noticed around the end of march this year, vpn articles spiked up.

Slide 36: everybody had an opinion

Slide 37: which is not to say that there was any sort of consensus

Slide 38: even the more mainstream internet publications started getting in on the action, although they were a bit ...further behind on some of the critical questions

Slide 39 (what does a vpn actually do?): a vpn creates an encrypted tunnel between your computer and some other computer on the internet -- the endpoint. anything your computer sends to the internet looks like it comes out of that endpoint instead of coming out of your computer.

Slide 40: that's it.

Slide 41: not that that's nothin'

Slide 42: ...but it may not address all privacy issues in the way you want

Slide 43: gimme a vpn already gosh

Slide 44 (option #1: opera): if i absolutely had to get a non-technical friend or family member onto a vpn, for whatever reason, this is where i would start

Slide 45: option #2: pay for it

Slide 46: subscription vpn service

Slide 47: reminder

Slide 48: so pick you a good one

Slide 49 ("good one"): just one example: some estimates are that up to 20% of the vpns in the android app store do nothing

Slide 50: review site

Slide 51: (no slide text)

Slide 52 (let's focus on this): clearly you need to do some careful research. plus things are changing all the time. i'm not going to give any recommendations

Slide 53 (thatoneprivacysite.net): also has general vpn choice guide, info on email providers, etc etc.

Slide 54: just to reprise this idea: there's basically no way (other than maybe luck) that a non-technical user is going to be able to handle this stuff. and vpns are useful for way more stuff than just preventing your isp from snooping on you -- they're super handy for things like internet banking or shopping from your favorite coffee shop

Slide 55: option #3: D I Y

Slide 56: option #3a: streisand -- https://github.com/jlund/streisand

Slide 57: features

Slide 58 (various VPN servers): L2TP/IPsec; OpenConnect (Cisco AnyConnect compatible); OpenVPN (with stunnel wrapping so VPN connections look like normal SSL traffic); WireGuard (next-gen kernel-based VPN for Linux -- the future of VPNs, basically)

Slide 59 (other connection options): OpenSSH + SOCKS proxy for forwarding HTTP/HTTPS (poor man's VPN); sslh protocol demuxer allows Nginx, OpenSSH, and OpenVPN to all share port 443 (normally the HTTPS port), making it less likely you'll be blocked; Tor bridge relay
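The sslh trick on slide 59 (one port, several services) works because each protocol announces itself in the first bytes the client sends. The following is an added example, not sslh's or Streisand's code: a classifier that recognises an SSH banner, a TLS handshake record, an OpenVPN-over-TCP hard-reset packet (length prefix, then opcode 7 in the high five bits; a simplified heuristic) and an HTTP method, plus a small asyncio demuxer that peeks at the first bytes with a timeout and splices the connection to the right backend. The backend addresses are constructed placeholders. Because an SSH server speaks first, a client that sends nothing before the timeout is assumed to be SSH.

```python
import asyncio
from typing import Optional

OPENVPN_HARD_RESET_CLIENT_V2 = 7   # opcode in the high 5 bits of the first packet byte

def classify_first_bytes(data: bytes) -> Optional[str]:
    """Guess the protocol from the first bytes a client sends, the way a port-443
    demuxer does. Returns None when there is not yet enough data to decide."""
    if not data:
        return None
    if data.startswith(b"SSH-"):
        return "ssh"
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"                      # TLS handshake record header (nginx, stunnel)
    # OpenVPN over TCP: 2-byte length prefix, then the opcode/key-id byte
    if len(data) >= 3 and data[0] == 0 and (data[2] >> 3) == OPENVPN_HARD_RESET_CLIENT_V2:
        return "openvpn"
    method = data.split(b" ", 1)[0]
    if method in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"PATCH", b"CONNECT"):
        return "http"
    if len(data) < 8:
        return None                       # may just need more bytes
    return "unknown"

BACKENDS = {   # constructed placeholder addresses for the local services behind 443
    "tls": ("127.0.0.1", 4443),
    "ssh": ("127.0.0.1", 22),
    "openvpn": ("127.0.0.1", 1194),
    "http": ("127.0.0.1", 8080),
}

def route(first_bytes: bytes, timed_out: bool = False):
    """Pick a backend. Silent clients are treated as SSH (server speaks first);
    unrecognised traffic gets None and is dropped."""
    proto = classify_first_bytes(first_bytes)
    if proto is None and timed_out:
        proto = "ssh"
    return BACKENDS.get(proto) if proto else None

async def pipe(src: asyncio.StreamReader, dst: asyncio.StreamWriter):
    try:
        while chunk := await src.read(65536):
            dst.write(chunk)
            await dst.drain()
    finally:
        dst.close()

async def handle(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter,
                 peek_timeout: float = 2.0):
    try:
        head = await asyncio.wait_for(client_r.read(16), peek_timeout)
        timed_out = False
    except asyncio.TimeoutError:
        head, timed_out = b"", True
    target = route(head, timed_out)
    if target is None:                    # simplification: no re-read for short peeks
        client_w.close()
        return
    backend_r, backend_w = await asyncio.open_connection(*target)
    backend_w.write(head)                 # replay the bytes we peeked at
    await asyncio.gather(pipe(client_r, backend_w), pipe(backend_r, client_w))

if __name__ == "__main__":
    async def main():
        server = await asyncio.start_server(handle, "0.0.0.0", 443)
        async with server:
            await server.serve_forever()
    asyncio.run(main())
```

The point for a blocked network is that the outside sees TCP/443 with what looks like a TLS handshake; the point for the defender is that the demuxer itself now sits in front of SSH and the VPN and should be firewalled and updated like any other exposed daemon, which is what slide 60's "sysadmin stuff" covers.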
Slide 60 (sysadmin stuff): firewall is automatically set up and configured for known services; all other traffic is blocked. automatic process monitoring and restarting if services crash. unattended updates configured so the server is automatically kept fully up to date

Slide 61 (documentation): also provides a website with documentation on how to configure and use all these services

Slide 62: live demo

Slide 63: ill-advised live demo?

Slide 64: option #3b: algo -- https://github.com/trailofbits/algo

Slide 65: features

Slide 66 (single vpn server): only supports strongswan (ipsec) with modern crypto

Slide 67 (other connection options): SSH supported for tunneling only

Slide 68 (optional ad-blocking): installs ad-blocking DNS server

Slide 69 (apple device profiles): auto generates profiles for apple devices (ios and macos)

Slide 70 (multi-user support): configure in advance. comes with helper script to add/remove users

Slide 71 (anti-features): algo is a bit less expansive than streisand -- they actually tout things they don't support

Slide 72: doesn't support older protocols and cipher suites

Slide 73: no tor

Slide 74: on most platforms doesn't require client software

Slide 75: literal quote... does not claim to provide anonymity or censorship avoidance

Slide 76: ...and a second literal quote: does not claim to protect you from the fsb, mss, dgse, or fsm. i know who the FSB is, i know who the FSM is .. MSS, DGSE, i have no idea

Slide 77: sinatra vs algo

Slide 78: sinatra

Slide 79: better docs

Slide 80: more types of software

Slide 81: wireguard

Slide 82: snazzy logo

Slide 83: algo

Slide 84: more opinionated

Slide 85: integrated ad blocking

Slide 86 (full disclosure): i haven't really used either one of them enough, particularly in the "support non-technical friends" arena, to have a strong informed opinion. i would love to hear from people that do, particularly if you're here now and end up going down this road

Slide 87: we're not done yet!

Slide 88: after you've got it set up...

Slide 89: test it

Slide 90: (no slide text)

Slide 91 (ipleak.net, whoer.net): both of these will give you information about how much is leaking from your VPN/browser

Slide 92: what are other longer term things you can do?

Slide 93: make some noise

Slide 94: (no slide text)

Slide 95: block ads

Slide 96: bonus points: install this on your VPN server (or just use algo's built-in ad blocker) and get DNS-level ad blocking. DNS-level is nicer than browser-based plugins because it works on everything -- phones, tablets, etc. anybody already running anything like this?
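DNS-level blocking (slides 68 and 96) is a resolver that answers for listed names itself and forwards everything else upstream. The code below is an added example, not algo's or any ad-blocker's code: it parses a hosts-format blocklist (the format most DNS ad-block lists use), treats a listed name as covering its subdomains, lets an allowlist win when a block breaks something, and builds a wire-format sinkhole answer (A 0.0.0.0 / AAAA ::, TTL 60) for blocked names; other record types for a blocked name get an empty answer rather than being forwarded, so nothing about the name leaks upstream. The blocklist, allowlist and query are constructed.

```python
import struct

BLOCKLIST_HOSTS = """\
# constructed sample in hosts-file format
0.0.0.0 ads.tracker.example
0.0.0.0 metrics.tracker.example
0.0.0.0 telemetry.example
"""
ALLOWLIST = {"cdn.tracker.example"}   # constructed: a name a user needed un-broken

def parse_hosts_blocklist(text: str) -> set:
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1", "::"):
            names.update(p.lower().rstrip(".") for p in parts[1:])
    return names

def is_blocked(qname: str, blocked: set, allow: set = frozenset()) -> bool:
    """Blocked if the name or any parent domain is listed; the allowlist wins."""
    name = qname.lower().rstrip(".")
    if name in allow:
        return False
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode())
        off += n

def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Constructed wire-format query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def sinkhole(query: bytes, blocked: set, allow: set = frozenset()):
    """Return a sinkhole response for a blocked name, or None meaning 'forward upstream'."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qclass != 1 or not is_blocked(qname, blocked, allow):
        return None
    question = query[12:off + 4]
    if qtype == 1:
        rdata = bytes(4)              # A 0.0.0.0
    elif qtype == 28:
        rdata = bytes(16)             # AAAA ::
    else:                             # other types: NODATA, still never forwarded
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + question + answer

if __name__ == "__main__":
    blocked = parse_hosts_blocklist(BLOCKLIST_HOSTS)
    for name in ("ads.tracker.example", "cdn.tracker.example", "example.com"):
        resp = sinkhole(build_query(0x1234, name), blocked, ALLOWLIST)
        print(name, "->", "sinkholed" if resp else "forward upstream")
```

Wiring this behind a UDP socket on port 53 and forwarding the None cases to an upstream resolver gives the whole-network effect the slide describes: every device that uses the VPN's DNS gets the blocking, with no per-browser plugin. The allowlist is the mitigation for the breakage slide 102 warns about; keep it per-user and small.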
Slide 97: call your reps

Slide 98: at the end of the day, the real solution for this problem is legislative. the best way to make that happen is to let the people who represent you in congress know that this is an important issue to you. call, write, visit town halls.

Slide 99: give to eff

Slide 100 (give to epic): electronic privacy information center. donate your money, donate your time -- both these organizations are critical in the fight to protect internet privacy (not to mention little things like net neutrality)

Slide 101: finally...

Slide 102: when you go to set this up for other folks -- particularly non-technical folks -- consider carefully whether you're going to be giving them an overall improvement to their quality of life. virtually everything i've talked about in this talk -- even the simple plugins like HTTPS Everywhere and Privacy Badger -- have the potential to break things. they're generally well-maintained, have whitelists that work around known issues, and so on -- but it's still possible to end up with stuff broken, in a way that a non-technical person is going to have a hard time figuring out. much like dynamite, these are very useful tools in trained hands, but can be pretty disruptive if used wrongly. it's fine to inflict them on yourself, naturally... but try to have some empathy for the folks you're "helping" too

Slide 103: thanks

Slide 104: OpenWest organizers

Slide 105: YOU!

Slide 106: (no slide text)

Slide 107 (give me all the feedbacks please, https://joind.in/talk/ad7b5): contrary to what Deb said this morning, i really do like criticism. this is the first time i'm giving this talk, and i'm very interested in what people think of it -- so either use this joind.in page to leave me anonymous feedback, or tweet at me, or just find me after the talk and let me know what you think

Slide 108 (bibliography):
* https://www.eff.org/deeplinks/2017/03/five-creepy-things-your-isp-could-do-if-congress-repeals-fccs-privacy-protections
* https://medium.freecodecamp.org/tor-signal-and-beyond-a-law-abiding-citizens-guide-to-privacy-1a593f2104c3
* http://nymag.com/selectall/2017/03/its-time-for-a-grassroots-movement-for-online-privacy.html
questions? give me all the feedbacks please https://joind.in/talk/ad7b5
