Helping Non-Tech Friends Browse Safely

friends don’t
let friends
browse unencrypted
john sj anderson | @genehack | openwest | 13 jul 2017
1 — Helping Friends - OpenWest 2017 – @genehack

running a
vpn for
friends & family

more accurate subtitle
helping
non-technical
friends & family
internet safe

hi, i’m john.
a/k/a @genehack

vp, technology

iʼm also not a lawyer and anything that sounds like iʼm
giving you legal advice is all in your imagination
disclaimer:
not a
“security guy”6 — Helping Friends - OpenWest 2017 – @genehack

who is already providing tech support for
friends or family members?
not as a part of your job
who provides web hosting?
who provides email hosting?
anybody already running a vpn for friends
and family?
quick
poll7 — Helping Friends - OpenWest 2017 – @genehack

inspiration

thereʼs a lot of things that are “best practices” or even “common sense” to us that non-technical
folks are probably not too familiar with
we all live on the internet now -- it's real life, like Deb said in her keynote this morning -- but the
knowledge of how to do that safely isn't distributed evenly. it's like if most of the people driving
around in cars had never had any sort of training or driver education -- but (generally, broadly
speaking) we have. so what can we do to help reduce the number of flaming wrecks on the
shoulder of the internet?
safe internetting

one of the biggest unmet personal infosec needs, in my opinion, relates to privacy.
and some recent changes, earlier this year, have brought this more to mind
privacy concerns

Weʼve had some changes this year in terms of whatʼs legally
allowed when it comes to online privacy
Congressional Review Act, or CRA, is a law passed in 1996 that
gives Congress the power to override regulations created by
government agencies.
Senator Jeff Flake of Arizona introduced a law to overrule an
FCC rule limiting what ISPs could do with your info. After 10
minutes of floor discussion, it passed on a 50-48 party line vote.
Moved on to the House where it passed 231-189, again on a
straight party line vote
Signed into law by Pres Trump, 3 April 2017
recent changes

Hereʼs the significance of the date of this tweet...

who benefits?
primary beneficiaries are large monopoly ISPs -- Cox, Comcast, Time
Warner, Charter -- and wireless providers -- AT&T, Verizon -- who are
now free to continue collecting data about everything you do online
cui
bono?14 — Helping Friends - OpenWest 2017 – @genehack

what can
they do?15 — Helping Friends - OpenWest 2017 – @genehack

and incognito mode wonʼt stop them
sell your
browsing
history16 — Helping Friends - OpenWest 2017 – @genehack

monitor & sell
your
searches17 — Helping Friends - OpenWest 2017 – @genehack

inject
tracking
ads18 — Helping Friends - OpenWest 2017 – @genehack

inject
tracking
cookies19 — Helping Friends - OpenWest 2017 – @genehack

install
trafﬁc monitors
on phones20 — Helping Friends - OpenWest 2017 – @genehack

https://www.eff.org/deeplinks/2017/03/five-creepy-things-your-
isp-could-do-if-congress-repeals-fccs-privacy-protections
(all these predictions per the eff.)

due to the “natural monopoly” nature of internet service,
most people donʼt have any choice, so market-based
remedies to this seem pretty unlikley
how many folks have a choice in their internet provider?
what can
we do?22 — Helping Friends - OpenWest 2017 – @genehack

searchinternethistory.com

political action is great, but what can you do in the
meantime, not just for yourself, but for friends and family
what can we
practically do?

available for firefox, chrome, and opera
developed by the EFF
keeps your browser using HTTPS as much as possible
for sites that support it. if they default to HTTP, or if they
put HTTP links into HTTPS pages, this extension
notices and keeps you on the HTTPS version of the site
using HTTPS limits the amount of info your ISP can see
about what youʼre doing -- they can still see who youʼre
talking to, but they can no longer see what youʼre
talking about
note that this is good, but metadata analysis can still
reveal a ton of info about you

also developed by EFF
also Chrome, Firefox, Opera
looks at third-party content being loaded by web pages,
specifically trying to see if that third party content looks
like itʼs tracking you across sites
when it detects those sorts of things, it blocks the third
party site
can also be configured to allow the third party site
content to load, but to discard the cookies and other
tracking attempts
only tracks third parties - if you go to a “first party” site
(e.g., Facebook), Privacy Badger wonʼt do anything

moving from privacy issues to more “safe internetting” in
general, thereʼs two factor authentication
Two-Factor
Authentication

something you have + something you know
can use physical token, 2FA app, or get
SMSʼd code
needs to be set up per service or provider
who has (and uses) a Yubikey?
who uses 2FA via app or SMS for work
stuff? for personal stuff?
who has helped get a friend or family
2FA

moving on from “safe internetting” to just “safe
computing”, thereʼs hard drive encryption.
thereʼs pretty good os level support for this in everything
now, just turn it on.
hard drive
encryption

rather than a simple 4 digit PIN
think about whether the convenience of
fingerprint unlock outweighs the risk
pro-tip: if you reboot your phone, it will require
the passphrase the first time
use a
passphrase
on your phone31 — Helping Friends - OpenWest 2017 – @genehack

get one and use it. i like 1password
use a distinct password per site
if you encrypted your hard drive, but
that password in here for sure!
also put 2FA recovery tokens in here
you can also use these to generate the
answers to security questions
password
managers

they donʼt track you, simple as that
they also have this awesome feature called
bang searches, come find me afterwards and iʼll
show you
who uses DDG?
useduckduckgo

signal is secure SMS
TOR is onion routing -- routes your web
browser requests via a network of bridge
nodes, obscuring what info youʼre looking for
who is using signal?
who is using tor?
anybody set friends or family up on signal or
tor?
personally tor is on the wrong side of the
use signal
use tor

now we get to the meat
if you follow the security or infosec space at all, you
probably noticed around the end of march this year, vpn
articles spiked up.
vpns35 — Helping Friends - OpenWest 2017 – @genehack

everybody had an opinion

which is not to say that there was any sort of consensus

even the more mainstream internet publications started getting in on the action,
although they were a bit …further behind on some of the critical questions

a vpn creates an encrypted tunnel between your computer and some other computer on
the internet -- the endpoint. anything your computer sends to the internet looks like it
comes out of that endpoint instead of coming out of your computer.
what does a
vpn
actually do?39 — Helping Friends - OpenWest 2017 – @genehack

that’s it.

not that
that’s
nothin’

in the way you want
…but it may not
address all
privacy issues

gimme a vpn
already gosh

if i absolutely had to get a non-technical friend or family member
onto a vpn, for whatever reason, this is where i would start
option #1
opera

option #2
pay for it45 — Helping Friends - OpenWest 2017 – @genehack

subscription
vpn service

reminder

so pick you
a good one

just one example: some estimates are that up to 20% of the
vpns in the android app store do nothing
“good one”

review
site50 — Helping Friends - OpenWest 2017 – @genehack

clearly you need to do some careful
research
plus things are changing all the time
iʼm not going to give any recommendations
let’s focus
on this

also has general vpn choice guide, info on email providers,
etc etc.
thatoneprivacysite.net

just to reprise this idea: thereʼs basically no way (other than maybe luck)
that a non-technical user is going to be able to handle this stuff
and vpns are useful for way more stuff than just preventing your isp
from snooping on you -- theyʼre super handy for things like internet
banking or shopping from your favorite coffee shop

option #3
D I Y55 — Helping Friends - OpenWest 2017 – @genehack

option #3a
streisandhttps://github.com/jlund/streisand

features

L2TP/IPsec
OpenConnect (Cisco AnyConnect compatible)
OpenVPN (with stunnel wrapping so VPN
connections look like normal SSL traffic)
WireGuard (next-gen kernel-based VPN for
Linux -- the future of VPNs, basically)
various VPN servers

OpenSSH + SOCKS proxy for forwarding HTTP/HTTPS
(poor manʼs VPN)
sslh protocol demuxer allows Nginx, OpenSSH, and
OpenVPN to all share port 443 (normally the HTTPS
port), making it less likely youʼll be blocked
Tor bridge relay
other connection options

firewall is automatically set up and configured for known
services; all other traffic is blocked
automatic process monitoring and restarting if services
crash
unattended updates configured so the server is
automatically kept fully up to date
sysadmin stuff

also provides a website with documentation on how to
configure and use all these services
documentation

live
demo62 — Helping Friends - OpenWest 2017 – @genehack

ill-advised
livedemo?

option #3b
algohttps://github.com/trailofbits/algo

features

only supports strongswan (ipsec) with modern crypto
single vpn server

SSH supported for tunneling only
other connection options

installs ad-blocking DNS server
optional ad-blocking

auto generates profiles for apple devices (ios and macos)
apple device proﬁles

configure in advance
comes with helper script to add/remove
users
multi-user support

algo is a bit less expansive than streisand -- they actually
tout things they donʼt support
anti-features

doesn’t support
older protocols
and cipher suites

no tor73 — Helping Friends - OpenWest 2017 – @genehack

on most platforms
doesn’t require
client software

literal quote…
does not claim
to provide
anonymity or
censorship avoidance

…and a second literal quote
i know who the FSB is, i know who the FSM
is .. MSS, DGSE, i have no idea
does not claim to
protect you from
the fsb, mss, dgse, or fsm

sinatra
vs
algo77 — Helping Friends - OpenWest 2017 – @genehack

sinatra

better docs

more types of software

wireguard

snazzy logo

algo83 — Helping Friends - OpenWest 2017 – @genehack

more opinionated

integrated
ad blocking

i haven't really used either one of them enough, particularly in the
"support non-technical friends" arena, to have a strong informed
opinion
i would love to hear from people that do, particularly if you're here now
and end up going down this road
fulldisclosure86 — Helping Friends - OpenWest 2017 – @genehack

we’re not
done yet!

after
you’ve got
it set up...88 — Helping Friends - OpenWest 2017 – @genehack

test it89 — Helping Friends - OpenWest 2017 – @genehack

both of these will give you information about how much is
leaking from your VPN/browser
ipleak.net
whoer.net

what are other
longer term
things you can do?

make some
noise93 — Helping Friends - OpenWest 2017 – @genehack

block
ads95 — Helping Friends - OpenWest 2017 – @genehack

bonus points: install this on your VPN server (or just use
algoʼs built-in ad blocker) and get DNS-level ad blocking
DNS-level is nicer than browser-based plugins because
it works on everything -- phones, tablets, etc.
anybody already running anything like this?

call
your
reps97 — Helping Friends - OpenWest 2017 – @genehack

at the end of the day, the real solution for this problem is legislative. the best way to make
that happen is to let the people who represent you in congress know that this is an
important issue to you. call, write, visit town halls.

give
to
eff99 — Helping Friends - OpenWest 2017 – @genehack

electronic privacy information center
donate your money, donate your time -- both these
organizations are critical in the fight to protect internet
privacy (not to mention little things like net neutrality)
give
to
epic100 — Helping Friends - OpenWest 2017 – @genehack

ﬁnally…

when you go to set this up for other folks -- particularly non-technical folks -- consider
carefully whether youʼre going to be giving them an overall improvement to their quality of life
virtually everything iʼve talked about in this talk -- even the simple plugins like HTTPS
Everywhere and Privacy Badger -- have the potential to break things. theyʼre generally well-
maintained, have whitelists that work around known issues, and so on -- but itʼs still possible
to end up with stuff broken, in a way that a non-technical person is going to have a hard time
figuring out
much like dynamite, these are very useful tools in trained hands, but can be pretty disruptive
if used wrongly. itʼs fine to inflict them on yourself, naturally… but try to have some empathy
for the folks youʼre “helping” too

thanks

OpenWest
organizers

YOU!105 — Helping Friends - OpenWest 2017 – @genehack

contrary to what Deb said this morning, i really do like criticism. this is the first time i'm giving this
talk, and i'm very interested in what people think of it -- so either use this joined in page to leave me
anonymous feedback, or tweet at me, or just find me after the talk and let me know what you think
give me all the feedbacks please
https://joind.in/talk/ad7b5

bibliography
* https://www.eff.org/deeplinks/2017/03/five-creepy-things-
your-isp-could-do-if-congress-repeals-fccs-privacy-
protections
^ * https://medium.freecodecamp.org/tor-signal-and-beyond-
a-law-abiding-citizens-guide-to-privacy-1a593f2104c3
^ * http://nymag.com/selectall/2017/03/its-time-for-a-
grassroots-movement-for-online-privacy.html
questions?
give me all the feedbacks please
https://joind.in/talk/ad7b5

Helping Non-Tech Friends Browse Safely

Recommended

Recommended

More Related Content

Similar to Helping Non-Tech Friends Browse Safely

Similar to Helping Non-Tech Friends Browse Safely (20)

More from John Anderson

More from John Anderson (20)

Recently uploaded

Recently uploaded (20)

Helping Non-Tech Friends Browse Safely