start

Differences

This shows you the differences between two versions of the page.

start [2025/04/09 13:42] usera
start [2025/11/13 08:27] (current) usera
Line 1: Line 1:
-====== Tor Workshop ====== +Welcome to the workshops Dokuwiki !
- +
-==== The three types of encryption we usually talk about ==== +
-=== End to End Encryption === +
-Usually, this is how you interact with someone: each time you make a request to the internet (a Google search, sending a mail, sending a Signal message, going to Facebook, everything), you do not talk directly to the person you want to talk to (in case you want to share something with someone). There is always a middle man, called a //server//: +
- +
-{{ :e2e_description.png?600 |}} +
- +
-Every information that passes through the server can be seen by the server, which is administrated by some entity, which will at least cooperate with the police or other government agencies if needed. +
- +
-This is something that can be prevented by using End to End encrypted services. With such services, you encrypt your message on your own laptop, then send it to the server that will only pass it to someone, who will decrypt it on their own computer: the server only has access to encrypted data. +
- +
-{{ :e2e_description_2.png?600 |}} +
- +
-There is a separate workshop focusing on tools that are End to End encrypted. +
- +
-===In Transit Encryption=== +
- +
-In transit encryption means that you encrypt your data on your computer, send it to the server that will decrypt it. Therefore it protects only against //eavedropping//, which means looking at the messages that flow in the optical fibers and networks. +
- +
-{{ ::in_transit_encryption.png?600 |}} +
- +
-Nowadays, this type of encryption is done by the https protocol (each time you use an address that starts with "https", it means that your communication with the server is encrypted in transit. This is relatively standard nowadays, and most browser will throw big warnings if you try to access a website with only a http address. This protocol uses //certificates// provided by a Trusted third party called a //Certification Authority// to ensure that you are talking to a genuine server. This is something you will see a lot in security protocol: we typically both want to **encrypt** and prove the **authenticity** of the entity you are talking to. +
- +
-You can see that you are protected usually with a small "lock" icon next to the address for example on Firefox:  +
- +
-{{ ::lock_button_1.png?600 |}} +
- +
-{{ :lock_button_2.png?600 |}} +
- +
-{{ :lock_button_3.png?600 |}} +
- +
-You can see that the certificate for the website duckduckgo.com has been delivered by Digicert and that the encryption protocol is based on TLS, which stands for Transport Layer Security. +
- +
-===Full Disk Encryption=== +
- +
-None of the two previous type of encryption will save you if your own personal computer gets stolen or taken by the police. This is why it is recommended to implement **full disk encryption**, which consists in encrypting your whole hard drive in a way that if you turn it off, no one, not even the FBI would be able to read the data on it without your password. If it is taken while "On", there are still ways to extract the data but they are quite involved. If it is not encrypted, it is extremely easy to access everything, even without your OS password (like your windows, mac or linux login). +
- +
-{{ ::full_disk_encryption.png?600 |}} +
- +
-There is a dedicated workshop for this. +
- +
-==== Where is Anonymity here? ==== +
- +
-None of those 3 previous types of encryption will prevent institutions to know **who** is talking with **who**, even if they do not know **what** they are sending to each other. **Anonymity** is something much harder to set up than the previous simple encryption protocols I just mentioned. +
- +
-===Virtual Private Network (VPN)=== +
- +
-You probably heard before of VPNs. This is how they work: +
- +
-{{ ::vpn.png?600 |}} +
- +
-It is a special server, which redirects every request you make to any server. Then, the destination server thinks it is talking to the VPN server. This can be useful to bypass regional bans on certain websites or services, and is used to remotely access a restricted network, like the one of your workplace. However, we should fight a popular believe that it provides anonymity: **this is completely wrong !** +
- +
-VPN services know who is talking to who, and they will collaborate with the police. It is even worse: VPNs are not even end to end encrypted, so on top of knowing who is talking to who, they know what people are sending to each other. In general, try to not use VPNs if possible. +
- +
-===The TOR network=== +
- +
-The TOR network is an Open source project that aims at ensuring anonymity in a decentralized way. It consists of a lot of servers all over the world, called **nodes**, usually ran by volunteers (you should consider contributing by running your own, or donate to a Tor relay association !). Here is how it works: +
- +
-When you want to connect to a server through TOR, your computer will select three nodes: an entry node (sometimes called a guard node), a middle node and an exit node. It will then generate three symmetric encryption keys: K1, K2, and K3. It will distribute those keys securely (using asymmetric cryptography protocols) to the three nodes (the entry node has K1, the middle node has K2, the exit node has K3).  +
- +
-{{ ::tor_functionning_1.jpg?600 |}} +
- +
-{{ :tor_functionning_2.jpg?600 |}} +
- +
-{{ :tor_functionning_3.jpg?600 |}} +
- +
-{{ :tor_functionning_4.jpg?600 |}} +
- +
-{{ :tor_functionning_5.jpg?600 |}} +
- +
-{{ :tor_functionning_6.jpg?600 |}} +
- +
-{{ :tor_functionning_7.jpg?600 |}} +
- +
-{{ :tor_functionning_8.jpg?600 |}} +
- +
-{{ :tor_functionning_9.jpg?600 |}} +
- +
-You can see that it is not accurate to say that Tor "encrypts" your traffic, as after the exit node your traffic is unencrypted. You need to still use HTTPS to add the last layer of encryption. +
- +
-However, it makes it very hard to find out who is talking to who. The server thinks it is talking to the exit node, the middle node knows only that it is talking to the entry node (it does not even know for sure that it is not an entry node itself !) and the exit node (which it does not know for sure that it is not just a middle node). Same for the entry node, who doesn't know for sure that your computer is not an entry node as well. Both the entry and middle nodes see only encrypted data. +
- +
-The exit node, however, sees clear data. It means that running an exit node is considered a high legal risk, if you do that at home you can be sure that you will have the police knocking at your door for antiterrorist investigation or something like this. Instead, you should donate to a tor relay association who will deploy those in datacenters. Also, the exit node is a bit of a weak point of the network, and there is actually some possibility of reducing the anonymity by spying at the beginning (before the entry node) and at the end (after the exit node) to see when data is transmitted and correlate it back to you.  +
- +
-The Electronic Frontier Foundation (https://tor-https.eff.org/) did a nice graphic to explain what data people can get from you if you are using nothing/HTTPS and/or Tor: +
- +
-{{ ::eff_no_tor_no_https.png?600 |}} +
- +
-without anything, all data are accessible to everyone +
- +
-{{ ::eff_no_tor_with_https.png?600 |}} +
- +
-HTTPS alone will do in transit encryption. You will then hide the data to actors who do only eavesdropping along the way. You will not be anonymous. +
- +
-{{ ::eff_with_tor_no_https.png?600 |}} +
- +
-With Tor without HTTPS, you will be mostly anonymous, except if you log in to a server with your credentials. Also, you will communicate without encryption between the exit node and the destination server. +
- +
-{{ ::eff_with_tor_with_https.png?600 |}} +
- +
-With both Tor and HTTPS, you will be both anonymous and encrypted in transit. +
- +
-As you can see, the Tor network alone usually does not hide the fact that you are using Tor. There are ways to hide it though, using what is called a "bridge", which is a secret node (not listed publicly like the other members of the TOR network) that will be used instead of your entry node. It uses some technique to hide the fact that you are using Tor. +
- +
-==How to access Tor: the Tor Browser== +
- +
-You need to download it, it is available on most Linux distribution, MacOS, Windows and even Android: https://www.torproject.org/download/ +
- +
-It is a good practice to verify the integrity (no one modified this program) and authenticity (it has been made by the actual developers of the Tor project) by checking the signature of softwares you download. This is done using PGP (there is a separate workshop about it). You should follow those steps: +
- +
-1) Install GPG. +
-   *For most Linux distribution (at least debian based such as Ubuntu, Debian or Linux Mint for example), enter in a terminal: +
-<codedoc code>  +
-   sudo apt install gnupg +
-</codedoc> +
-                   * For Windows, download https://www.gpg4win.org +
-                   * For Mac, first install homebrew if you did not do it before, entering in a terminal: +
-<codedoc code> +
-    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" +
-</codedoc> +
-and then install gnupg with the command: +
-<codedoc code> +
-    brew install gnupg +
-</codedoc> +
-2) Import the public key of the Tor Browser developers, whose unique fingerprint is 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290 (you can usually find this fingerprint on the website you download the software, in this case [[https://support.torproject.org/tbb/how-to-verify-signature/|here]]), with the command: +
-<codedoc code> +
-    ~~codedoc:clean:gpg --recv-key  0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290~~ +
-</codedoc> +
-3) Then you download both the software (here the Tor Browser installer), the signature (by clicking on signature next to it), put the in the same directory, open a terminal, go to this directory and enter: +
-<codedoc code> +
-    ~~codedoc:clean:gpg --verify filename.asc filename~~ +
-</codedoc> +
-where filename is the filename of the installer. The result should be a paragraph with somewhere the mention "Good Signature". You can then execute the software and install the browser. +
- +
-After the install, you need to configure it, by adding a bridge, which is a good practice. +
- +
-1) Go [[https://bridges.torproject.org/options|there]] and click on "Get Bridges"+
-{{ ::bridge_tor_0.png?600 |}} +
-2) Copy the first line for example of the result +
-{{ ::bridge_tor_0_1.png?600 |}} +
-3)Open the Tor Browser and go to Settings +
-{{ ::bridge_tor_1.png?600 |}} +
-4) Then Connection +
-{{ ::bridge_tor_2_bis.png?600 |}} +
-5) Then "Enter bridge addresses I know personally" +
-{{ ::bridge_tor_3.png?600 |}} +
-You can then paste the bridge value you copied before, click next and try to connect. If it does not work, try with another bridge until it does (go back to 1)) +
- +
-You can now check your tor circuit, by clicking on the little path appearing next to the address bar in the Tor  Browser. It should look like this, indicating that your entry node has been replaced by the bridge: +
- +
-{{ :tor_circuit_with_bridge.png?600 |}} +
- +
-You can now browse with a good anonymity, the browser is based on Firefox. You will notice that the traffic is very low, due to how complex the routing is. Also, you will see that you will be kicked out of many website who do not like when people use Tor. +
- +
-Anyway, congratulation, the workshop is done ! OR IS IT? +
- +
-== Tor Hidden Services ==  +
- +
-You will notice some things a bit weird sometimes, like this on certain websites: +
- +
-{{ ::onionize_1.png?300 |}} +
- +
-{{ ::onionize_2.png?300 |}} +
- +
-What happens if you click on them? +
- +
- +
-{{ ::onionize_3.png?900 |}} +
- +
-What just happened? The address ends now in a .onion and is mostly random? +
-Yes. This is your (maybe first?) entry into the **Dark Web**, as sometimes called by journalists, or Tor "Hidden Services". Those services do not appear on a google search for example, they can only be accessed with a connected Tor Browser, and it is extremely difficult, even for government agencies, to find out where the servers are located (although sometimes they manage to do it). Here is how this works: +
- +
-For a normal services accessed through Tor, the end server is outside the Tor network: +
- +
- +
-{{ :tor_functionning_9_hidden_service.jpg?600 |}} +
- +
-{{ :tor_functionning_10_hidden_service.jpg?600 |}} +
- +
-{{ :tor_functionning_11_hidden_service.jpg?600 |}} +
- +
-This communication is done in a cleaver way so that no one knows about each other. Note that since the traffic never leave the Tor Network, you do not need HTTPS, and many Onion addresses are actually HTTP. Actually even though some services use HTTPS, it is a bit controversial to do so, as you then use a Certificate Authority to do it, which will identify where your servers are. +
- +
-When possible, try to use those services. Examples of website that comprises an onion version are Protonmail, duckduckgo, Tor, Facebook (!) and many others. +
- +
- +
-=== OnionShare === +
- +
-Let me present one hidden service that can be super useful: OnionShare. It is actually a software that creates temporary hidden services for specific purposes: sending files, receiving files, chatting or hosting a website. Note that using this method, you will both be End to End encrypted and anonymous, something that not even Signal can do for you. +
- +
-Go to the [[https://onionshare.org/|website]] (there is an onion version as well, now that you know how to do it: +
-http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion/ +
- +
-Download the installer, and as before download also the signature, then import the three following public keys entering those commands in a terminal: +
- <codedoc code> +
-    ~~codedoc:clean:gpg --recv-key  927F419D7EC82C2F149C1BD1403C2657CD994F73~~ +
-    ~~codedoc:clean:gpg --recv-key  2AE3D40A6905C8E4E8ED95ECE46A2B977C14666B~~ +
-    ~~codedoc:clean:gpg --recv-key  00AE817C24A10C2540461A9C1D7CDE0234DB458D~~ +
-</codedoc> +
-and then, in a terminal, move to the directory with both the signature and the installer and enter (replacing filename with the installer name): +
- +
-<codedoc code> +
-    ~~codedoc:clean:gpg --verify filename.asc filename~~ +
-</codedoc> +
- +
-If you see "Good signature" written somewhere, you are good to go. Install and open it. +
- +
-{{ ::onionshare_1.png?600 |}} +
- +
-You first need to set up the bridge, as the settings of the Tor Browser are independent from those of OnionShare. Click on "Network Connection", then copy paste your bridge address, then save and connect to Tor. +
- +
-{{ ::onionshare_2.png?600 |}} +
- +
- +
-{{ ::onionshare_3.png?600 |}} +
- +
-== Let us first investigate the "Share Files" function== +
- +
-{{ ::onionshare_4.png?600 |}} +
- +
-as you can see, you can upload whatever, and your computer will host the hidden service. If you let the default value, the people you want to send things to will need both the generated .onion address, and a private key to download. When you are ready, you can hit "start sharing" +
- +
- +
-{{ ::onionshare_5.png?600 |}} +
- +
-You can send those address and keys to your favourite signal groups. Important note: as you become the hidden service host, if you turn off the OnionShare app, or your computer, the service stops. This is a bit inconvenient but it also unsure that it can easily be destroyed: it will be like it never existed. +
- +
-Remember that, as it is a hidden service, you can only access it through a connected Tor Browser. If you activated the private key, anyone going to the address will see the following: +
- +
-{{ ::onionshare_6.png?600 |}} +
- +
-you can then download the file: +
-{{ ::onionshare_7.png?600 |}} +
- +
- +
-== Let us check now the "Receive Files" function== +
- +
-It will allow people to upload any files to your computer (careful, this is potentially dangerous). First indicate where do you want those file to be saved, along with the same options as previously: +
- +
-{{ :onionshare_receive_1.png?600 |}} +
- +
-Then start sharing and send the onion address and private key to your friends on secure channels like Signal. +
-{{ :onionshare_receive_2.png?600 |}} +
- +
-When they use those, they will be prompted by this, where they can send files and/or text: +
-{{ :onionshare_receive_3.png?600 |}} +
- +
- +
-{{ :onionshare_receive_4.png?600 |}} +
- +
-== The Chat functon == +
- +
-You can also start a private Chat and host it as a hidden service: +
- +
-{{ ::onionshare_chat_1.png?600 |}} +
- +
- +
-{{ ::onionshare_chat_2.png?600 |}} +
- +
- +
-{{ ::onionshare_chat_3.png?600 |}}+
  
 +  * [[tor_workshop|Tor Workshop]]
 +  * [[pgp_workshop|PGP Workshop]]
 +  * [[reencrypt_linux_post_install|Reencrypt Linux post install]]
 +  * [[git_workshop|Git workshop]]
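Review bot: the entire Tor Workshop body (from `-====== Tor Workshop ======` down to the OnionShare chat screenshots) is removed from `start`, and nothing in this diff shows where it went; the new index only links `[[tor_workshop|Tor Workshop]]`, so confirm that page already carries the moved text before keeping this revision, otherwise the material is lost. The removed text also referred to two other workshops that the new list does not cover: "There is a separate workshop focusing on tools that are End to End encrypted" and, under Full Disk Encryption, "There is a dedicated workshop for this"; add links for those, or note that `reencrypt_linux_post_install` is the disk-encryption one. Minor: `+Welcome to the workshops Dokuwiki !` has a stray space before the exclamation mark.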
start.1744206157.txt.gz · Last modified: by usera