Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.

Setting-up a .Onion address for your Website, v1.5

1.063 Aufrufe

Veröffentlicht am

Overview of means & methods of adding an Onion address to your website. Date: 4 December 2017

Veröffentlicht in: Technologie
  • Als Erste(r) kommentieren

  • Gehören Sie zu den Ersten, denen das gefällt!

Setting-up a .Onion address for your Website, v1.5

  1. 1. setting up a .onion address …for your website v1.5 - @alecmuffett 2017
  2. 2. why .onion? • you have an audience, or you have a community • for some, ability to access content is hampered • for some, risk of fake websites, credential theft,
 or political repercussions for accessing content • for some, privacy, assurance & trust is paramount
  3. 3. how does onion help? • greater assurance • facebookcorewwwi.onion => genuine facebook • greater availability • .onion => hard to block, hard to monitor • fewer digital footprints • people using onions are perforce using tor browser • tor browser is generally better at data "hygiene"
  4. 4. mobile ux? yes! • mac / win / linux • tor browser (integrated) • android • orbot (tor) + orfox (browser) • ios • onion browser • other ios in progress
  5. 5. so: what is .onion? top level domain name for the "onion" namespace
  6. 6. what is a namespace? • namespace is "an address & what it means/looks like" • ipv4 addresses look like: 192.168.1.1 • ipv6 addresses look like: fe80::226:21ff:fed8:fbc2 • dns addresses look like: www.foo.com • onion addresses look like: ylzpg2givhwizoep.onion
  7. 7. how do addresses work? • all these addresses can be typed into a web browser: • http://192.168.1.1/- ipv4, supported everywhere • http://[fe80::226:21ff:fed8:fbc2]/ - ipv6, variable • http://www.foo.com/ - dns, supported everywhere • http://ylzpu2givhwizoep.onion/ - needs tor browser • …they all connect you to a remote computer
  8. 8. how is .onion unusual? • "under the bonnet", an onion is a raw network address • …just like 192.168.1.1 or fe80::226:21ff:fed8:fbc2 • but: it is formatted like a traditional dns domain name • ".onion" looks like ".com" or ".co.uk" • this means browsers treat the addresses equitably • including subdomains: www.facebookcorewwwi.onion
  9. 9. wait, subdomains on
 a network address? • yes! this would never work with ipv4 … • www.192.168.1.1 would not mean anything sensible • but www.facebookcorewwwi.onion is meaningful to HTTP • …still means facebookcorewwwi.onion • …the "www…" bit is transported in the Host: header • thus: standard HTTP/HTML/browser behaviour
  10. 10. how do you
 choose addresses? • ipv4 addresses: you take what you are given (mostly) • ipv6 addresses: ditto • dns addresses: you choose a name, & register it • …unless someone beats you to it… • onion addresses: you "mine" one, a little like bitcoin • more mining => "better quality" address
  11. 11. how to serve .onion? several options: 1. set up a dedicated website with duplicate content • e.g.: various dedicated onion sites 2. make your CMS aware of ".onion" domain/traffic • e.g.: facebook 3. install an onion shim • e.g.: propublica, new york times
  12. 12. 1. dedicated server • hypothetical: you have a separate web server, and it… • is configured to know about its onion address • serves duplicate content where necessary • essentially runs as a standalone service
  13. 13. 2. onion-aware CMS • hypothetical: you have a web server, and it… • serves content to .com, .co.uk, .za, .in, … • distinct content for each domain / different URLs • why not just add yet another domain name? • tag all requests arriving from your .onion • ensure that such tagged requests are properly responded-to, citing your onion address(es)
  14. 14. 3. onion shim • hypothetical: you have a web server, and it… • primarily serves content as (say) nytimes.com • install a shim between it and tor • which bidirectionally rewrites requests & responses • nytimes.com <=> nytimes3xbfgragh.onion • via custom engineering, or Enterprise Onion Toolkit
 (free, libre, open-source toolkit for enterprise onions)
  15. 15. summary
 (or: blend these together...) 1. dedicated onion site • rare, use-case dependent 2. onion-aware CMS • excellent for primarily-dynamically-generated content • modest engineering, ongoing commitment, can be 100% solution 3. onion shim • onionifies all content, including static or static/dynamic mix • minimal/zero engineering, some edge cases, 95..99%+ solution
  16. 16. notes • don't forget to onionify your CDN where possible • try to avoid content-leakage between domains • accidentally wandering-off to the .com site • e.g. OAuth redirects • use horizontal load-balancing for backend scale • free solution (onionbalance) exists • onions (even via rewriting) are astonishingly efficient
  17. 17. finally • you will almost certainly need to buy a special HTTPS cert • cost: probably from mid $$$ to low $$$$ • plus associated paperwork & faff • if you take payments / subscriptions? • you may want to restrict access to payments over tor? • chiefly because payment providers sometimes block tor, and this can lead to poor user experiences…
  18. 18. summary • this is an evolving environment! • provide additional access, security & safety opportunities for your audiences & communities! • cutting-edge experimental fun!

×