mirror PT post and modify mattermost page

This commit is contained in:
Amolith 2019-02-05 12:08:25 -05:00
parent acef525665
commit 187a8ae2d4
Signed by: Amolith
GPG Key ID: 51FD40936DB0065B
4 changed files with 228 additions and 0 deletions


@ -0,0 +1,118 @@
---
layout: post
title: 'DNS and Root Certificates'
subtitle: What You Need To Know
description: Protecting yourself from malicious third parties leveraging DNS and root certificates
cover: /assets/posts/privacy.png
date: 2019-02-05 10:53 -0500
---
<center><h4>This post was mirrored from <a href="https://t.me/PrivacyToday">Privacy Today</a> on Telegram.</h4></center>
<center><h4><a href="https://t.me/PrivacyToday">https://t.me/PrivacyToday</a></h4></center>
<br/>
Due to recent events we felt compelled to write an impromptu article on this matter. It's intended for all audiences so it will be kept simple - technical details may be posted later.
## 1. What Is DNS And Why Does It Concern You?
DNS stands for Domain Name System and you encounter it daily. Whenever your web browser or any other application connects to the internet it will most likely do so using a domain. A domain is simply the address you type: i.e. duckduckgo.com. Your computer needs to know where this leads to and will ask a DNS resolver for help. It will return an IP like [176.34.155.23](http://176.34.155.23); the public network address you need to know to connect. This process is called a DNS lookup.
There are certain implications for both your privacy and your security as well as your liberty:
### Privacy
Since you ask the resolver for an IP for a domain name, it knows exactly which sites you're visiting and, thanks to the "Internet Of Things", often abbreviated as IoT, even which appliances you use at home.
### Security
You're trusting the resolver that the IP it returns is correct. There are certain checks to ensure it is so, under normal circumstances, that is not a common source of issues. These can be undermined though and that's why this article is important. If the IP is not correct, you can be fooled into connecting to malicious 3rd parties - even without ever noticing any difference. In this case, your privacy is in much greater danger because, not only are the sites you visit tracked, but the contents as well. 3rd parties can see exactly what you're looking at, collect personal information you enter (such as password), and a lot more. Your whole identity can be taken over with ease.
### Liberty
Censorship is commonly enforced via DNS. It's not the most effective way to do so but it is extremely widespread. Even in western countries, it's routinely used by corporations and governments. They use the same methods as potential attackers; they will not return the correct IP when you ask. They could act as if the domain doesn't exist or direct you elsewhere entirely.
## 2. Ways DNS lookups can happen
### 2.1 3rd Party DNS Resolvers Hosted By Your ISP
Most people are using 3rd party resolvers hosted by their internet service provider. When you connect your modem, they will automatically be fetched and you might never bother with it at all.
### 2.2 3rd Party DNS Resolver Of Your Choice
If you already knew what DNS means then you might have decided to use another DNS resolver of your choice. This might improve the situation since it makes it harder for your ISP to track you and you can avoid some forms of censorship. Both are still possible though, but the methods required are not as widely used.
### 2.3 Your Own (local) DNS Resolver
You can run your own and avoid some of the possible perils of using others'. If you're interested in more information drop us a line.
## 3. Root Certificates
### 3.1 What Is A Root Certificate?
Whenever you visit a website starting with https, you communicate with it using a certificate it sends. It enables your browser to encrypt the communication and ensures that nobody listening in can snoop. That's why everybody has been told to look out for the https (rather than http) when logging into websites. The certificate itself only verifies that it has been generated for a certain domain. There's more though:
That's where the root certificate comes in. Think of it as the next higher level that makes sure the levels below are correct. It verifies that the certificate sent to you has been authorized by a certificate authority. This authority ensures that the person creating the certificate is actually the real operator.
This is also referred to as the chain of trust. Your operating system includes a set of these root certificates by default so that the chain of trust can be guaranteed.
### 3.2 Abuse
We now know that:
- DNS resolvers send you an IP address when you send a domain name
- Certificates allow encrypting your communication and verify they have been generated for the domain you visit
- Root certificates verify that the certificate is legitimate and has been created by the real site operator
How can it be abused?
- A malicious DNS resolver can send you a wrong IP for the purpose of censorship as said before. They can also send you to a completely different site.
- This site can send you a fake certificate.
- A malicious root certificate can "verify" this fake certificate.
This site will look absolutely fine to you; it has https in the URL and, if you click it, it will say verified. All just like you learned, right? No!
It now receives all the communication you intended to send to the original. This bypasses the checks created to avoid it. You won't receive error messages, your browser won't complain.
All your data is compromised!
## 4. Conclusion
### 4.1 Risks
- Using a malicious DNS resolver can always compromise your privacy but your security will be unharmed as long as you look out for the https.
- Using a malicious DNS resolver and a malicious root certificate, your privacy and security are fully compromised.
### 4.2 Actions To Take
**Do not ever install a 3rd party root certificate!** There are very few exceptions why you would want to do so and none of them are applicable to general end users.
Do not fall for clever marketing that ensures "ad blocking", "military grade security", or something similar. There are methods of using DNS resolvers on their own to enhance your privacy but installing a 3rd party root certificate never makes sense. You are opening yourself up to extreme abuse.
## 5. Seeing It Live
### 5.1 WARNING
A friendly sysadmin provided a live demo so you can see for yourself in realtime. This is real.
**DO NOT ENTER PRIVATE DATA!**
**REMOVE THE CERT AND DNS AFTERWARDS**
If you do not know how to, don't install it in the first place. While we trust our friend you still wouldn't want to have the root certificate of a random and unknown 3rd party installed.
### 5.2 Live Demo
Here is the link: [keweonbet.info.tm](http://keweonbet.info.tm/)
- Set the provided DNS resolver
- Install the provided root certificate
- Visit [paypal.com](https://paypal.com
) and enter random login data
- Your data will show up on the website
## 6. Further Information
If you are interested in more technical details, let us know. If there is enough interest, we might write a more in-depth article but, for now, the important part is sharing the basics so you can make an informed decision and not fall for marketing and straight up fraud. Feel free to suggest other topics that are important to you.
<br/>
<br/>
<center><p>For more information/feedback/corrections, join <a href="https://t.me/PrivacyToday">Privacy Today</a> on Telegram</p></center>
<center><p>This post is licensed under <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/">CC BY-NC-SA 4.0</a> and was mirrored with permission.</p></center>
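Review bot: the Markdown link in the live-demo list is split across two lines, `- Visit [paypal.com](https://paypal.com` followed by `) and enter random login data` on the next line, so the closing parenthesis lands outside the link and the item will render with a bare "https://paypal.com" and a stray ")"; join the two lines into `- Visit [paypal.com](https://paypal.com) and enter random login data`. While in this file, "collect personal information you enter (such as password)" should read "such as passwords", and since the post walks readers through installing a third-party root certificate and resolver for the demo, the 5.1 warning block would be stronger if it also named how to remove them again (the text only says "REMOVE THE CERT AND DNS AFTERWARDS" without pointing at where that is done), so the reader who follows 5.2 has a concrete path back to a clean trust store.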

BIN
assets/posts/privacy.png Normal file


assets/svgs/privacy.svg Normal file

@ -0,0 +1,108 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="1000"
height="1000"
viewBox="0 0 264.58333 264.58334"
version="1.1"
id="svg8"
inkscape:version="0.92.4 5da689c313, 2019-01-14"
sodipodi:docname="privacy.svg"
inkscape:export-filename="/home/amolith/repos/nixnet/assets/posts/privacy.png"
inkscape:export-xdpi="96"
inkscape:export-ydpi="96">
<defs
id="defs2">
<symbol
id="shield-alt">
<title
id="shield-alt-title">Alternate Shield</title>
<path
style="stroke-width:0.26458332"
inkscape:connector-curvature="0"
d="m 131.23333,33.866667 c 0,58.547529 -35.965868,91.187323 -58.615524,100.623153 a 12.7,12.7 0 0 1 -9.76921,0 C 34.526802,122.69073 4.2333333,86.383019 4.2333333,33.866667 A 12.7,12.7 0 0 1 12.04886,22.143508 l 50.8,-21.16666633 a 12.7,12.7 0 0 1 9.769211,0 L 123.41807,22.143508 a 12.7,12.7 0 0 1 7.81526,11.723159 z m -63.499997,84.220313 0.01746,0.009 C 92.551515,105.74285 113.39063,76.739485 114.26904,36.676012 L 67.733333,17.286023 Z"
id="path26851" />
</symbol>
<symbol
id="user-secret">
<title
id="user-secret-title">User Secret</title>
<path
style="stroke-width:0.26458332"
inkscape:connector-curvature="0"
d="m 102.87767,78.137808 5.54884,-14.565841 c 0.79164,-2.078038 -0.74321,-4.3053 -2.96703,-4.3053 H 90.061521 c 1.971146,-4.295775 3.071812,-9.074415 3.071812,-14.111023 0,-0.960702 -0.04233,-1.91135 -0.12065,-2.851679 10.461357,-2.067719 17.053987,-5.081323 17.053987,-8.437298 0,-3.509169 -7.20487,-6.644217 -18.506814,-8.714582 C 89.129658,16.472429 84.36901,7.7432958 80.78761,3.2313563 78.286769,0.08069792 73.942046,-0.90513958 70.344242,0.89402708 L 63.053119,4.5397208 a 8.4658729,8.4658729 0 0 1 -7.572904,0 L 48.189092,0.8937625 C 44.591023,-0.90513958 40.2463,0.08043333 37.745723,3.2310917 34.164323,7.7430313 29.403675,16.472165 26.973477,25.151821 15.671535,27.22245 8.4666667,30.357498 8.4666667,33.866667 c 0,3.355975 6.5926233,6.369579 17.0539833,8.437298 A 34.227029,34.227029 0 0 0 25.4,45.155644 c 0,5.036873 1.100402,9.815512 3.071283,14.111023 H 13.281554 c -2.279385,0 -3.8160852,2.330714 -2.918089,4.425685 L 16.42401,77.833537 C 6.8259854,81.460446 0,90.73224 0,101.6 v 27.51667 c 0,3.50705 2.8429479,6.35 6.35,6.35 h 105.83333 c 3.50706,0 6.35,-2.84295 6.35,-6.35 V 101.6 c 0,-10.575396 -6.46377,-19.640285 -15.65566,-23.462192 z m -54.194337,50.978862 -12.7,-50.800003 12.7,6.35 6.35,10.583333 z m 21.166667,0 L 63.5,95.25 l 6.35,-10.583333 12.7,-6.35 z M 84.343346,48.750537 c -0.0021,0.01138 -1.137444,0.854869 -1.35599,1.526911 -1.021556,3.139017 -1.858962,6.501342 -4.369329,8.826235 -2.664619,2.467769 -12.688623,5.92799 -16.932275,-6.622256 -0.750623,-2.221177 -4.087019,-2.221971 -4.837906,0 -4.488127,13.273617 -14.821694,8.576998 -16.932275,6.622256 -2.510367,-2.324629 -3.347773,-5.687218 -4.369329,-8.826235 -0.218546,-0.672042 -1.354138,-1.515533 -1.35599,-1.526911 -0.146579,-0.773906 -0.259556,-1.556808 -0.322792,-2.341562 -0.08176,-1.018117 2.666471,-0.967846 2.931055,-0.991394 6.959335,-0.615421 13.838502,-0.153194 20.643585,1.454415 0.678127,0.160337 3.056731,0.139964 3.649398,0 6.805083,-1.607608 13.68425,-2.0701 20.643585,-1.454415 0.265113,0.02355 
3.012811,-0.02699 2.931054,0.991394 -0.06324,0.784754 -0.176212,1.567656 -0.322791,2.341562 z"
id="path23532" />
</symbol>
</defs>
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.35"
inkscape:cx="265.71429"
inkscape:cy="460"
inkscape:document-units="mm"
inkscape:current-layer="layer1"
showgrid="false"
units="px"
inkscape:snap-bbox="true"
inkscape:bbox-paths="true"
inkscape:bbox-nodes="true"
inkscape:snap-bbox-edge-midpoints="true"
inkscape:snap-bbox-midpoints="true"
inkscape:object-paths="true"
inkscape:snap-intersection-paths="true"
inkscape:snap-smooth-nodes="true"
inkscape:snap-midpoints="true"
inkscape:window-width="1336"
inkscape:window-height="698"
inkscape:window-x="15"
inkscape:window-y="35"
inkscape:window-maximized="0" />
<metadata
id="metadata5">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1"
transform="translate(0,-32.41665)">
<rect
style="opacity:1;fill:#323232;fill-opacity:1;stroke:none;stroke-width:4.23333311;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
id="rect99612"
width="264.58334"
height="264.58334"
x="-5.0862632e-06"
y="32.416645" />
<use
id="use98590"
transform="translate(73.025002,96.974961)"
style="fill:#ffffff;stroke:none"
xlink:href="#user-secret"
x="0"
y="0"
width="100%"
height="100%" />
</g>
</svg>
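Review bot: the SVG ships with Inkscape editor state that should not be in a published asset, most notably the absolute local path in `inkscape:export-filename="/home/amolith/repos/nixnet/assets/posts/privacy.png"`, which discloses the author's username and repository layout, plus window geometry and snapping settings in the `sodipodi:namedview` block that the browser never uses. Export the file as "Plain SVG" (or run it through an SVG optimizer) before committing so only the `svg`, `defs`, `rect` and `use` elements remain. The `<defs>` block also defines two symbols, `shield-alt` and `user-secret`, but the single `<use>` element only references `xlink:href="#user-secret"`, so `shield-alt` and its large path data are dead weight and can be dropped.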


@ -11,6 +11,8 @@ Sign up by clicking a community link
- [NixNet](https://matter.nixnet.xyz/signup_user_complete/?id=n5qbfgiuaidmtmppetgj45zxuh) - General chat, randomness, shiptosting, getting support, etc.
- [Linux Audio](https://matter.nixnet.xyz/signup_user_complete/?id=5ob84if1w3bx3n5phhsbjm3ohh) - Open to anyone with an interest in audio recording, production, etc. on Linux
- [LenoirLUG](https://matter.nixnet.xyz/signup_user_complete/?id=rrko34wdzjfo5ykc49d1kkikeo) - A chat room for the Lenoir Linux User Group
# Mobile client config
To use the mobile application, first sign up on a community with your browser (desktop or mobile) then enter `https://matter.nixnet.xyz` as the server URL! Desktop themes can be synced to mobile if you want to use the theme I created below.
# Theme
---
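Review bot: the new `# Mobile client config` heading is inserted directly after the last list item (`- [LenoirLUG](...) - A chat room for the Lenoir Linux User Group`) with no blank line in between; several Markdown renderers will treat the heading as a continuation of the list rather than a new block, so add an empty line before it, matching the spacing the page already uses before `# Theme`. The instruction to enter `https://matter.nixnet.xyz` as the server URL is the right place to tell users to type the scheme explicitly, since the line currently reads as a single exclamation and a reader who omits `https://` may end up on a plain-text connection if the client does not upgrade it.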