| QUESTION & ANSWER |
Security researchers develop browser-based darknet |
 |
By Robert Westervelt, News Editor
18 Jun 2009 | SearchSecurity.com |
|
|
Two security researchers plan to demonstrate a new browser-based technique that bypasses traditional ways of setting up a darknet, making it easier for people to create the private networks with a standard HTML 5-based browser. Billy Hoffman, manager for HP Security Labs at HP Software, and Matt Wood, senior security researcher in HP's Web Security Research Group, will present Veiled as a proof-of-concept at the Black Hat Briefings in Las Vegas next month. In this interview, Wood describes Veiled and how it could be used.How would you describe Veiled?
Matt Wood: In the late 1990s and early 2000s the peer-to-peer technologies started coming out to help people exchange ideas without having to worry about who is watching them and essentially help people exchange stuff without fear of repercussion. Our darknet, Veiled, allows us to emulate a lot of the properties of both Freenet and Gnutella just within the Web browser. The browser has become a ubiquitous platform for applications. Look at stuff like Gmail and Facebook -- these are more complicated than some of the applications you have on your desktop. So, what we're really doing is leveraging what the Web browser has become to showcase what it is capable of doing. Some of the new JavaScript functionality – the speed with which JavaScript engines run – allows us to do really fancy encryption and stuff like that. So, we're really just leveraging that in Veiled to build up a lot of the properties that are in some of these other darknets.
Is Veiled a browser add-on or something someone would have to download?
Wood: Veiled logically is just a webpage. You use a PHP file on a website that will connect the client to the rest of the darknet. Imagine a whole bunch of servers having this PHP file on them and then all of those PHP files together create the infrastructure for the darknet and then you have clients which individually connect to each one of those nodes. The PHP files act as a repeater to all of the JavaScript clients out there. The JavaScript is the part doing all of the darknet communications.
How would sessions start and end? If you end a session will it be gone forever?
Wood: A lot of the Freenets, the Tors and Gnutellas you have to actually install software and do a lot of configuration. It's really not easy to join and leave. Because Veiled is kind of browser-based, it's really easy for people to get together and create a darknet. So, as soon as you close your browser you're gone. It's session based. You're only in the darknet as long as you have your Web browser opened. Nothing gets installed on your computer, you are running client-side JavaScript code. Other than some HTTP caching stuff, nothing is really being stored on your computer and there's no real trace that you were involved. One of the great things about using the browser to do this is that it really lowers the barrier for people to get involved in a darknet.
Are there any specific network requirements?
Wood: No. The only thing that is really required for the darknet is to have someone have a PHP file on a Web server somewhere. As soon as you have that, you can build up a darknet just around that one node or you could chain that node to another node if you prefer to use a server you trust.
Can you set login credentials to protect the node?
Wood: It's basically just a normal website. If you want to password protect it, we're going to build in some features into our darknet to discourage people who essentially shouldn't have access to your darknet.
How does it mask an IP address and give a person true anonymity?
Wood: You really can't hide your IP address with the first connection you make, so hopefully you're connecting to somewhere that you trust. As soon as you are connected to that server, the rest of the darknet from that server will never see your IP address. None of the information that identifies you is used within the darknet. Literally there's only one point that actually knows your true IP address. That's in contrast to things like Tor, because in Tor, you still have to connect to the beginning node, but really the anonymity from Tor comes from the fact that you make the request, it goes into the Tor network and then comes out at some exit node that you don't control. Somewhere in the chain you've got to trust somebody.
What kind of interesting applications can you put on top of Veiled?
Wood: There are a lot of uses. Think about a suggestion box. You don't want someone logging who made certain suggestions. Another simple use case is just an anonymous forum that only exists in the darknet. You can communicate between a whole bunch of people inside the darknet and you could make it look like a typical Internet forum.
Doesn't this have the potential to be abused by cybercriminals?
Wood: Whether you are a good guy or a bad guy, it's really important to maintain your privacy. As soon as you put something on the net, it has the potential to be out there forever. Whether people's intentions are good or bad that's not really for us to decide. We really want to put this technology out there and see what people can do with it and let people leverage it and let them make really good applications that work on top of the darknet.
What are the limitations of Veiled?
Wood: Currently to not have any other software installed, there's not necessarily an unlimited amount of storage. There's a limited amount of storage in the browser that we have access to through JavaScript. You can install something like Google Gears and that will give you a lot of disk space to work with. Also, since you are connected to that original node, you can't really leverage a full peer-to-peer network. You don't have infinite bandwidth. You're still limited by the bandwidth of the mode you're connected to.
|
|
|
|
