setting up a .onion address …for your website

v1.5 - @alecmuffett 2017

why .onion?
• you have an audience, or you have a community
• for some, ability to access content is hampered
• for some, risk of fake websites, credential theft, or political repercussions for accessing content
• for some, privacy, assurance & trust is paramount

how does onion help?
• greater assurance
  • facebookcorewwwi.onion => genuine facebook
• greater availability
  • .onion => hard to block, hard to monitor
• fewer digital footprints
  • people using onions are perforce using tor browser
  • tor browser is generally better at data "hygiene"

mobile ux? yes!
• mac / win / linux
  • tor browser (integrated)
• android
  • orbot (tor) + orfox (browser)
• ios
  • onion browser
  • other ios in progress

so: what is .onion?
top level domain name for the "onion" namespace

what is a namespace?
• namespace is "an address & what it means/looks like"
• ipv4 addresses look like: 192.168.1.1
• ipv6 addresses look like: fe80::226:21ff:fed8:fbc2
• dns addresses look like: www.foo.com
• onion addresses look like: ylzpg2givhwizoep.onion

how do addresses work?
• all these addresses can be typed into a web browser:
  • http://192.168.1.1/ - ipv4, supported everywhere
  • http://[fe80::226:21ff:fed8:fbc2]/ - ipv6, variable
  • http://www.foo.com/ - dns, supported everywhere
  • http://ylzpu2givhwizoep.onion/ - needs tor browser
• …they all connect you to a remote computer

how is .onion unusual?
• "under the bonnet", an onion is a raw network address
  • …just like 192.168.1.1 or fe80::226:21ff:fed8:fbc2
• but: it is formatted like a traditional dns domain name
  • ".onion" looks like ".com" or ".co.uk"
• this means browsers treat the addresses equitably
  • including subdomains: www.facebookcorewwwi.onion

wait, subdomains on a network address?
• yes! this would never work with ipv4 …
  • www.192.168.1.1 would not mean anything sensible
• but www.facebookcorewwwi.onion is meaningful to HTTP
  • …still means facebookcorewwwi.onion
  • …the "www…" bit is transported in the Host: header
• thus: standard HTTP/HTML/browser behaviour

how do you choose addresses?
• ipv4 addresses: you take what you are given (mostly)
• ipv6 addresses: ditto
• dns addresses: you choose a name, & register it
  • …unless someone beats you to it…
• onion addresses: you "mine" one, a little like bitcoin
  • more mining => "better quality" address

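The "mining" step, as an added illustration that is not part of the original deck: a v2 (16-character) label like the ones on these slides is the lower-case base32 encoding of the first 80 bits of SHA-1 over the service's DER-encoded RSA public key, so a miner keeps generating keys until the label begins with the characters it wants, and each extra wanted character multiplies the expected work by 32. Here a random byte string stands in for a real key (only the hashing step matters for showing the search); the prefix, seed and byte length are constructed for the demo, and the later v3 (56-character, ed25519-based) format is not covered.

```python
import base64
import hashlib
import random

BASE32_ALPHABET = frozenset("abcdefghijklmnopqrstuvwxyz234567")


def v2_onion_label(der_public_key: bytes) -> str:
    """Derive the 16-character v2 .onion label for an RSA public key.

    Tor v2 onion services take SHA-1 over the DER-encoded RSA public key,
    keep the first 80 bits (10 bytes) and base32-encode them in lower case.
    (v3 services use a different, ed25519-based 56-character format.)
    """
    digest = hashlib.sha1(der_public_key).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def mine_onion_prefix(wanted_prefix: str, rng: random.Random,
                      max_attempts: int = 1_000_000):
    """Search for a key whose label starts with wanted_prefix.

    A real miner would generate a fresh RSA keypair per attempt; here a
    random 140-byte blob (about the size of a DER RSA-1024 public key) is
    a stand-in for the key, because only the hashing step matters for
    showing the search.  Returns (label, attempts), or (None, max_attempts)
    if the budget runs out first.
    """
    wanted_prefix = wanted_prefix.lower()
    if not wanted_prefix or not set(wanted_prefix) <= BASE32_ALPHABET:
        raise ValueError("prefix must be non-empty and use only a-z and 2-7")
    for attempt in range(1, max_attempts + 1):
        stand_in_key = rng.getrandbits(140 * 8).to_bytes(140, "big")
        label = v2_onion_label(stand_in_key)
        if label.startswith(wanted_prefix):
            return label, attempt
    return None, max_attempts


def expected_attempts(prefix_length: int) -> int:
    """Each base32 position has 32 possible characters, so a k-character
    prefix matches about one label in 32**k: a 2-character prefix costs
    ~1024 attempts, an 8-character one ~32**8 (about a trillion)."""
    return 32 ** prefix_length


def demo(prefix: str = "ab", seed: int = 2017):
    """Deterministic run: mine a constructed two-character prefix from a
    seeded RNG so the result is reproducible."""
    return mine_onion_prefix(prefix, random.Random(seed), max_attempts=200_000)


if __name__ == "__main__":
    found, tries = demo()
    print(f"found {found} after {tries} attempts "
          f"(expected about {expected_attempts(2)})")
```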
how to serve .onion?
several options:
1. set up a dedicated website with duplicate content
  • e.g.: various dedicated onion sites
2. make your CMS aware of ".onion" domain/traffic
  • e.g.: facebook
3. install an onion shim
  • e.g.: propublica, new york times

1. dedicated server
• hypothetical: you have a separate web server, and it…
  • is configured to know about its onion address
  • serves duplicate content where necessary
  • essentially runs as a standalone service

2. onion-aware CMS
• hypothetical: you have a web server, and it…
  • serves content to .com, .co.uk, .za, .in, …
  • distinct content for each domain / different URLs
• why not just add yet another domain name?
  • tag all requests arriving from your .onion
  • ensure that such tagged requests are properly responded-to, citing your onion address(es)

3. onion shim
• hypothetical: you have a web server, and it…
  • primarily serves content as (say) nytimes.com
• install a shim between it and tor
  • which bidirectionally rewrites requests & responses
  • nytimes.com <=> nytimes3xbfgragh.onion
• via custom engineering, or Enterprise Onion Toolkit (free, libre, open-source toolkit for enterprise onions)

summary (or: blend these together...)
1. dedicated onion site
  • rare, use-case dependent
2. onion-aware CMS
  • excellent for primarily-dynamically-generated content
  • modest engineering, ongoing commitment, can be 100% solution
3. onion shim
  • onionifies all content, including static or static/dynamic mix
  • minimal/zero engineering, some edge cases, 95..99%+ solution

notes
• don't forget to onionify your CDN where possible
• try to avoid content-leakage between domains
  • accidentally wandering-off to the .com site
  • e.g. OAuth redirects
• use horizontal load-balancing for backend scale
  • free solution (onionbalance) exists
• onions (even via rewriting) are astonishingly efficient

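The Host: header point (subdomains still mean the base onion), the "tag all requests arriving from your .onion" step of the onion-aware CMS, the shim's bidirectional rewriting and the content-leakage note above, as one added example that is not part of the deck and is not the Enterprise Onion Toolkit's code: a minimal shim core in Python, using the slides' nytimes.com <=> nytimes3xbfgragh.onion pair as a constructed mapping. The inbound Host: handling, the header layout and the OAuth provider hostname in the test are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed mapping using the slides' example pair; a real deployment
# would list every clearnet domain the site serves (CDN hosts included).
DOMAIN_MAP = {"nytimes.com": "nytimes3xbfgragh.onion"}
ONION_MAP = {onion: clear for clear, onion in DOMAIN_MAP.items()}

_CLEARNET_PATTERN = (
    r"(?<![a-z0-9-])"          # not the tail of a longer label (mynytimes.com)
    r"((?:[a-z0-9-]+\.)*)"     # optional subdomain prefix, carried over as-is
    r"(%s)"                    # one of the mapped clearnet domains
    r"(?![a-z0-9-])"           # nytimes.com, not nytimes.company
) % "|".join(re.escape(d) for d in DOMAIN_MAP)
_CLEARNET_RE = re.compile(_CLEARNET_PATTERN, re.IGNORECASE)


def split_host(host: str):
    """Split 'www.nytimes3xbfgragh.onion' into ('www.', 'nytimes3xbfgragh.onion').

    The base is whichever mapped onion or clearnet domain the host ends with;
    whatever precedes it is the subdomain the browser put in the Host: header.
    """
    host = host.lower().split(":")[0]  # drop any :port
    for base in list(ONION_MAP) + list(DOMAIN_MAP):
        if host == base:
            return "", base
        if host.endswith("." + base):
            return host[: -len(base)], base
    return None, None


def inbound_host(host_header: str):
    """Request direction: translate the onion Host: the browser sent into the
    name the origin expects, and tag the request as onion traffic.
    Returns (host_for_origin, is_onion_request)."""
    prefix, base = split_host(host_header)
    if base in ONION_MAP:
        return prefix + ONION_MAP[base], True
    return host_header, False


def outbound_rewrite(text: str) -> str:
    """Response direction: rewrite every clearnet reference (HTML links,
    Location: headers, cookie Domain= attributes, ...) to the onion,
    keeping any subdomain in front of it."""
    return _CLEARNET_RE.sub(
        lambda m: m.group(1) + DOMAIN_MAP[m.group(2).lower()], text)


def find_leaks(headers):
    """A redirect to a non-onion host walks the visitor back to the clearnet
    (the OAuth-redirect case from the notes); report such Location: values.
    Relative redirects have no host and are not leaks."""
    leaks = []
    for name, value in headers:
        if name.lower() == "location":
            host = urlsplit(value).hostname or ""
            if host and not host.endswith(".onion"):
                leaks.append(value)
    return leaks


def shim_response(headers, body: str):
    """Rewrite response headers and body, then audit the rewritten headers
    for anything that still points off the onion."""
    new_headers = [(name, outbound_rewrite(value)) for name, value in headers]
    return new_headers, outbound_rewrite(body), find_leaks(new_headers)
```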
finally
• you will almost certainly need to buy a special HTTPS cert
  • cost: probably from mid $$$ to low $$$$
  • plus associated paperwork & faff
• if you take payments / subscriptions?
  • you may want to restrict access to payments over tor?
  • chiefly because payment providers sometimes block tor, and this can lead to poor user experiences…

summary
• this is an evolving environment!
• provide additional access, security & safety opportunities for your audiences & communities!
• cutting-edge experimental fun!
