Tor Workshop
The three types of encryption we usually talk about
End to End Encryption
Usually, this is how you interact with someone online: each time you make a request on the internet (a Google search, sending an email, sending a Signal message, opening Facebook, anything), you do not talk directly to the person you want to reach. There is always a middle man, called a server:
All information that passes through the server can be seen by the server, which is administered by some entity that will at least cooperate with the police or other government agencies if required.
This is what End to End encrypted services prevent. With such a service, you encrypt your message on your own laptop and send it to the server, which only passes it on to the recipient, who decrypts it on their own computer: the server only ever has access to encrypted data.
There is a separate workshop focusing on tools that are End to End encrypted.
In Transit Encryption
In transit encryption means that you encrypt your data on your computer and send it to the server, which decrypts it. It therefore only protects against eavesdropping, that is, someone looking at the messages as they flow through the optical fibres and networks in between.
Nowadays, this type of encryption is done by the HTTPS protocol (each time you use an address that starts with "https", your communication with the server is encrypted in transit). This is fairly standard today, and most browsers will show big warnings if you try to access a website that only has an http address. The protocol uses certificates issued by a trusted third party, called a Certification Authority, to ensure that you are talking to the genuine server. You will see this a lot in security protocols: we typically want both to encrypt and to prove the authenticity of the entity we are talking to.
You can see that you are protected usually with a small “lock” icon next to the address for example on Firefox:
You can see that the certificate for the website duckduckgo.com has been issued by DigiCert and that the encryption protocol is based on TLS, which stands for Transport Layer Security.
Full Disk Encryption
Neither of the two previous types of encryption will save you if your own personal computer gets stolen or seized by the police. This is why full disk encryption is recommended: it consists of encrypting your whole hard drive so that, once the computer is turned off, no one, not even the FBI, can read the data on it without your password. If the computer is seized while it is on, there are still ways to extract the data, but they are quite involved. If the disk is not encrypted, it is extremely easy to access everything, even without your OS password (your Windows, Mac or Linux login).
There is a dedicated workshop for this.
Where is Anonymity here?
None of those three types of encryption will prevent institutions from knowing who is talking to whom, even if they do not know what is being exchanged. Anonymity is much harder to set up than the simple encryption mechanisms I just mentioned.
Virtual Private Network (VPN)
You probably heard before of VPNs. This is how they work:
A VPN is a special server that relays every request you make to any other server. The destination server then thinks it is talking to the VPN server. This can be useful to bypass regional bans on certain websites or services, and it is used to remotely access a restricted network, like the one of your workplace. However, we should fight the popular belief that it provides anonymity: this is completely wrong!
VPN services know who is talking to whom, and they will collaborate with the police. It is even worse: VPNs are not end to end encrypted, so on top of knowing who is talking to whom, they know what people are sending to each other. In general, avoid VPNs if you can.
The TOR network
The TOR network is an open source project that aims at ensuring anonymity in a decentralized way. It consists of many servers all over the world, called nodes, usually run by volunteers (you should consider contributing by running your own, or donating to a Tor relay association!). Here is how it works:
When you want to connect to a server through TOR, your computer will select three nodes: an entry node (sometimes called a guard node), a middle node and an exit node. It will then generate three symmetric encryption keys: K1, K2, and K3. It will distribute those keys securely (using asymmetric cryptography protocols) to the three nodes (the entry node has K1, the middle node has K2, the exit node has K3).
You can see that it is not accurate to say that Tor "encrypts" your traffic: after the exit node, your traffic is unencrypted. You still need HTTPS to add that last layer of encryption.
However, it makes it very hard to find out who is talking to whom. The server thinks it is talking to the exit node; the middle node only knows that it is talking to the entry node (it cannot even be sure that this node is not itself a middle node and that it is not an entry node itself!) and to the exit node (which, as far as it can tell, might just be another middle node). The same goes for the entry node, which cannot be sure that your computer is not another entry node. Both the entry and middle nodes see only encrypted data.
The exit node, however, sees cleartext data. This means that running an exit node carries a high legal risk: if you do it at home, you can be sure the police will knock at your door for an anti-terrorism investigation or something similar. Instead, donate to a Tor relay association, which will deploy exit nodes in datacenters. The exit node is also a bit of a weak point of the network: it is possible to reduce anonymity by observing traffic at the beginning (before the entry node) and at the end (after the exit node), noting when data is transmitted, and correlating the two back to you.
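As an added worked example (it is not code from this workshop or from the Tor project), the following Python script simulates the three layers described above: the client wraps its message under K3, then K2, then K1, and each node peels exactly one layer with the only key it holds, learning nothing but the next hop. The cipher is a toy SHA-256 counter-mode construction standing in for Tor's AES-CTR, the key exchange is skipped (the keys are assumed to have already been shared with each node), and the node names and the destination are made up for the demonstration.

```python
import hashlib
import hmac
import secrets

HEADER_LEN = 64  # fixed-width "next hop" field, so every layer looks alike from outside


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher derived from SHA-256 (illustration only;
    the real Tor protocol uses AES-CTR). Encrypting and decrypting are the same XOR."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def wrap_layer(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """Encrypt (next_hop || payload) under `key` and append a MAC, so a node can
    detect a tampered cell or one that was not meant for its key."""
    hop = next_hop.encode()
    if len(hop) > HEADER_LEN:
        raise ValueError("next-hop name too long for the header")
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(key, nonce, hop.ljust(HEADER_LEN, b"\0") + payload)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unwrap_layer(key: bytes, blob: bytes):
    """Peel one layer: returns (next_hop, inner_payload); raises if the MAC fails."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer MAC mismatch: wrong key or tampered cell")
    plaintext = keystream_xor(key, nonce, ciphertext)
    next_hop = plaintext[:HEADER_LEN].rstrip(b"\0").decode()
    return next_hop, plaintext[HEADER_LEN:]


ROUTE = ["entry", "middle", "exit"]  # hypothetical node names, K1/K2/K3 in the text


def build_onion(keys: dict, destination: str, message: bytes) -> bytes:
    """Client side: wrap the innermost layer (K3, for the exit node) first and
    the outermost layer (K1, for the entry node) last."""
    blob, next_hop = message, destination
    for node in reversed(ROUTE):
        blob = wrap_layer(keys[node], next_hop, blob)
        next_hop = node
    return blob


def simulate_circuit(keys: dict, onion: bytes):
    """Forward the onion hop by hop. Each node holds only its own key, so all it
    learns is the next hop and the still-wrapped payload it passes along.
    Returns ([(node, next_hop, payload_seen), ...], final_plaintext)."""
    trace = []
    node, blob = "entry", onion
    for _ in ROUTE:
        next_hop, blob = unwrap_layer(keys[node], blob)
        trace.append((node, next_hop, blob))
        node = next_hop
    return trace, blob


if __name__ == "__main__":
    keys = {n: secrets.token_bytes(32) for n in ROUTE}  # Tor negotiates these per hop
    msg = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"  # constructed sample request
    trace, plaintext = simulate_circuit(keys, build_onion(keys, "example.org:80", msg))
    for node, hop, seen in trace:
        print(f"{node:6} -> {hop:15}  payload is cleartext: {seen == msg}")
```

Only the exit node ends up holding the request in clear, which is exactly why the text insists on HTTPS for the last hop: the onion layers stop at the exit node, and a MAC failure (try opening the entry layer with the middle node's key) shows that a node cannot even peek at a layer it does not own.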
The Electronic Frontier Foundation (https://tor-https.eff.org/) made a nice graphic explaining what data people can collect about you when you use nothing, HTTPS and/or Tor:
- Without anything, all data is accessible to everyone.
- HTTPS alone provides in transit encryption. You then hide the data from actors who only eavesdrop along the way, but you will not be anonymous.
- With Tor but without HTTPS, you will be mostly anonymous, unless you log in to a server with your credentials. Also, the communication between the exit node and the destination server will not be encrypted.
- With both Tor and HTTPS, you will be both anonymous and encrypted in transit.
As you can see, the Tor network alone usually does not hide the fact that you are using Tor. There are ways to hide it, though, using what is called a "bridge": a secret node (not listed publicly like the other members of the TOR network) that is used instead of your entry node, together with traffic obfuscation techniques that disguise the fact that you are using Tor.
How to access Tor: the Tor Browser
You need to download it; it is available for most Linux distributions, macOS, Windows and even Android: https://www.torproject.org/download/
It is good practice to verify the integrity (no one modified the program) and authenticity (it was made by the actual developers of the Tor project) of software you download by checking its signature. This is done using PGP (there is a separate workshop about it). Follow these steps:
1) Install GPG.
- For most Linux distributions (at least Debian-based ones such as Ubuntu, Debian or Linux Mint), enter in a terminal:
sudo apt install gnupg
- For Windows, download https://www.gpg4win.org
- For Mac, first install Homebrew if you have not done so before, by entering in a terminal:
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
and then install gnupg with the command:
brew install gnupg
2) Import the public key of the Tor Browser developers, whose unique fingerprint is 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290 (you can usually find this fingerprint on the website from which you download the software, in this case here), with the command:
gpg --recv-key 0xEF6E286DDA85EA2A4BA7DE684E2C6E8793298290
3) Then download both the software (here the Tor Browser installer) and its signature (by clicking on "signature" next to it), put them in the same directory, open a terminal, go to this directory and enter:
gpg --verify filename.asc filename
where filename is the name of the installer file. The output should be a few lines containing the words "Good signature". You can then execute the installer and install the browser.
After installing, you need to configure it by adding a bridge, which is good practice.
1) Go there and click on “Get Bridges”.
2) Copy, for example, the first line of the result
3) Open the Tor Browser and go to Settings
4) Then Connection
5) Then “Enter bridge addresses I know personally”
You can then paste the bridge value you copied before, click Next and try to connect. If it does not work, try another bridge until it does (go back to step 1).
You can now check your tor circuit, by clicking on the little path appearing next to the address bar in the Tor Browser. It should look like this, indicating that your entry node has been replaced by the bridge:
You can now browse with good anonymity; the browser is based on Firefox. You will notice that the connection is quite slow, due to how complex the routing is. You will also see that many websites that do not like people using Tor will block you.
Anyway, congratulations, the workshop is done! OR IS IT?
Tor Hidden Services
You will sometimes notice slightly weird things, like this, on certain websites:
What happens if you click on them?
What just happened? The address now ends in .onion and looks mostly random? Yes. This is your (maybe first?) entry into the "Dark Web", as journalists sometimes call it, or Tor "Hidden Services". Those services do not appear in a Google search, for example; they can only be accessed with a connected Tor Browser, and it is extremely difficult, even for government agencies, to find out where the servers are located (although sometimes they manage to do it). Here is how it works:
For a normal service accessed through Tor, the end server is outside the Tor network:
This communication is done in a clever way so that no party knows about the others. Note that since the traffic never leaves the Tor network, you do not need HTTPS, and many onion addresses are actually HTTP. In fact, even though some services use HTTPS, doing so is a bit controversial, since you then rely on a Certificate Authority, which will identify where your servers are.
When possible, try to use those services. Examples of websites that offer an onion version are ProtonMail, DuckDuckGo, the Tor Project, Facebook (!) and many others.
OnionShare
Let me present one hidden service that can be super useful: OnionShare. It is actually a piece of software that creates temporary hidden services for specific purposes: sending files, receiving files, chatting or hosting a website. Note that with this method you are both End to End encrypted and anonymous, something that not even Signal can do for you.
Go to the website (there is an onion version as well, now that you know how to use one): http://lldan5gahapx5k7iafb3s4ikijc4ni7gx5iywdflkba5y2ezyg6sjgyd.onion/
Download the installer and, as before, also download the signature, then import the three following public keys by entering these commands in a terminal:
gpg --recv-key 927F419D7EC82C2F149C1BD1403C2657CD994F73
gpg --recv-key 2AE3D40A6905C8E4E8ED95ECE46A2B977C14666B
gpg --recv-key 00AE817C24A10C2540461A9C1D7CDE0234DB458D
and then, in a terminal, move to the directory containing both the signature and the installer and enter (replacing filename with the installer name):
gpg --verify filename.asc filename
If you see "Good signature" somewhere in the output, you are good to go. Install and open it.
You first need to set up the bridge, as the settings of the Tor Browser are independent from those of OnionShare. Click on "Network Connection", then copy and paste your bridge address, then save and connect to Tor.
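The same signature check applies to the Tor Browser download earlier, to OnionShare here and to Tails later on. The script below is an added example, not tooling from any of those projects: it wraps gpg --status-fd 1 --verify and accepts the download only when gpg reports a VALIDSIG whose signing key, or that key's primary key, carries one of the fingerprints you expect. Looking for "Good signature" alone is not enough, because gpg prints it for any signature by any key that happens to be in your keyring; comparing the fingerprint is what ties the file to the developers. The fingerprints are the ones quoted on this page (with the 0x prefix dropped); the sample status lines are constructed, with a placeholder subkey fingerprint.

```python
import subprocess
import sys

# Fingerprints quoted in this workshop (Tor Browser developers, OnionShare signing keys).
TOR_BROWSER_FPR = "EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
ONIONSHARE_FPRS = [
    "927F419D7EC82C2F149C1BD1403C2657CD994F73",
    "2AE3D40A6905C8E4E8ED95ECE46A2B977C14666B",
    "00AE817C24A10C2540461A9C1D7CDE0234DB458D",
]


def normalize_fpr(fpr: str) -> str:
    """Accept '0x' prefixes, spaces and any case, as printed by websites and gpg."""
    f = fpr.strip().replace(" ", "")
    if f.lower().startswith("0x"):
        f = f[2:]
    return f.upper()


def signing_key_matches(status_output: str, expected_fprs) -> bool:
    """True only if gpg emitted a VALIDSIG line and the key that signed (field 3)
    or its primary key (last field; Tor signs with a subkey) is one we expect.
    GOODSIG lines are deliberately ignored: they only mean 'some known key'."""
    wanted = {normalize_fpr(f) for f in expected_fprs}
    for line in status_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            if normalize_fpr(parts[2]) in wanted or normalize_fpr(parts[-1]) in wanted:
                return True
    return False


def verify_download(signature_path: str, file_path: str, expected_fprs) -> bool:
    """Run gpg on a detached signature and decide from its machine-readable status
    lines rather than from the human-readable 'Good signature' text."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", signature_path, file_path],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and signing_key_matches(proc.stdout, expected_fprs)


# Constructed sample status output; the subkey fingerprint is a placeholder.
SAMPLE_STATUS_TOR = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer (constructed) <signer@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 "
    + TOR_BROWSER_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
])
# Same shape, but signed by some other key that happens to be in the keyring.
SAMPLE_STATUS_OTHER_KEY = SAMPLE_STATUS_TOR.replace(TOR_BROWSER_FPR, "F" * 40)
# A corrupted download: gpg reports BADSIG and never emits VALIDSIG.
SAMPLE_STATUS_BAD = "\n".join([
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Signer (constructed) <signer@example.invalid>",
])


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 verify.py filename.asc filename
        ok = verify_download(sys.argv[1], sys.argv[2], [TOR_BROWSER_FPR] + ONIONSHARE_FPRS)
        print("signature from an expected key" if ok else "REJECT: no valid signature from an expected key")
        sys.exit(0 if ok else 1)
    for label, status in [("tor key", SAMPLE_STATUS_TOR), ("other key", SAMPLE_STATUS_OTHER_KEY), ("bad sig", SAMPLE_STATUS_BAD)]:
        print(f"{label:10}: {signing_key_matches(status, [TOR_BROWSER_FPR])}")
```

Run it as `python3 verify.py filename.asc filename` after importing the keys as described; without arguments it only exercises the constructed samples. For Tails, pass the fingerprint printed by `gpg --import tails-signing.key` instead of the ones above.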
Let us first investigate the "Share Files" function
As you can see, you can upload any files, and your computer will host the hidden service. If you keep the default settings, the people you want to send things to will need both the generated .onion address and a private key to download. When you are ready, hit "Start sharing".
You can send that address and key to your favourite Signal groups. Important note: since you are the host of the hidden service, if you close the OnionShare app or turn off your computer, the service stops. This is a bit inconvenient, but it also ensures that it can easily be destroyed: it will be as if it never existed.
Remember that, as it is a hidden service, you can only access it through a connected Tor Browser. If you enabled the private key, anyone going to the address will see the following:
Let us check now the "Receive Files" function
It allows people to upload any files to your computer (careful, this is potentially dangerous). First indicate where you want those files to be saved, along with the same options as before:
Then start sharing and send the onion address and private key to your friends on secure channels like Signal.
When they use those, they will be prompted by this, where they can send files and/or text:
The Chat function
You can also start a private Chat and host it as a hidden service:
Note that just like Signal and other End to End encrypted chats, you cannot see the messages that were sent before you join.
The website hosting function
Finally, you can even host a website as a hidden service. It has to be a static website (you place the website files, such as index.html and some CSS and JavaScript, there manually). This is quite interesting: a Raspberry Pi at your home or anywhere else could host it, as the setup is very lightweight.
Tails
Tails is an operating system (just like Windows, macOS or Linux distributions). Its name stands for "The Amnesic Incognito Live System". It:
- is based on Linux (Debian, to be more precise),
- lives on a USB key,
- forces every internet connection through Tor (using only the Tor Browser as before, your computer still makes many connections to the normal internet for whatever you do outside of the browser, and it is hard to keep track of them),
- wipes its memory once you turn it off (unless you explicitly tell it not to, in which case the stored data is full disk encrypted).
To install it, we need:
- a USB key, it should be 8GB minimum, and dedicated only to Tails
- a strong password ready to use (see previous workshops for this using the Diceware method)
That's it! Let us follow the instructions for your OS here. Basically those instructions are:
- Download the installer
- Verify it, as we did before. Here they provide a simple tool to do it in a user-friendly way, but now that you are experts, you should do it with the command line. You can download the signing key and the signature here. Since you do not have a fingerprint but a key file, to import the signing key you need to enter, in a terminal opened in the folder where the key file is:
gpg --import tails-signing.key
- Install it on the USB key (the software used for this depends on the platform; however, I recommend using balenaEtcher, which works on all platforms and can be used to make live installations of various operating systems)
- Keep your USB key plugged in and restart your computer.
- Before your OS boots, you will have to enter the BIOS menu (by quickly pressing F1, F9, F12 or DEL at startup, depending on your computer) to select the USB key as the boot medium
- That's it, Tails is booting!