The Open Privacy Stack: Privly
@privly
Lead Developer: Sean McGregor (@seanmcgregor)
Community Manager: Jennifer Davidson (@jewifer)
Outline
1. How the web is broken for security
2. "Injectable Applications" as a solution
3. How Privly implements injectable applications
4. More on injectable applications
5. The Privly Foundation and the way forward
OSCON 2013, priv.ly/pages/download
How Security on the Web is Broken
• PRISM: Online service providers cannot protect users from the governments under which they operate
• Hushmail: Online services cannot protect users from themselves
• Facebook "Like" Button: Security and functionality are difficult to combine
Text is Text, Wherever it May Be

Solution: Stop Reinventing Security
• Your site is unique, but your data is not!
• Wrap content in its own application viewed inside your web application
The Application !== The Data

Text is Text, Wherever it May Be
That Was Privly at Work
1. Browser Extension discovers specially formatted link
2. "Injects" the link
This is a Complete Web Application
Text is Text, Wherever it May Be
The Privly URL
privlyalpha.org/apps/PlainPost?privlyApp=PlainPost&privlyDataURL=privlyalpha.org/posts/1.json
1. The hosted app path
2. App specifier
3. Data address
Other app specifiers: privlyApp=ZeroBin, privlyApp=PGP
Diagram: Extended Browser, Server, Host Page
https://Privlyalpha/apps/PlainPost?privlyApp=PlainPost&privlyDataURL=https://privlyalpha.org/posts/2342536674.json
This is a demonstration of Privly's capabilities. The host page, Twitter, does not have access to the Tweet's contents. It is also not limited by the length imposed by Twitter.
Screenshot comparison of the same tweet by Jen Davidson (@jewifer):
• No Extension: the tweet shows only the link privlyalpha.org/apps/PlainPost…
• Extension: the tweet shows the injected content ("This is a demonstration of Privly's capabilities. The host page, Twitter, does not have access to the Tweet's contents. It is also not limited by the length imposed by Twitter.")
JavaScript Cryptography Potentially Not Harmful (Privly)
Pre-Distribute the Apps
App specifier in the URL: ?privlyApp=PlainPost&
What if the User Doesn't Have the App?
• Optional hosted fallback
  – Posting users can choose an app where hosted fallback is possible
  – You do not protect users from the host
  – Best case, you host it yourself
  – ZeroBin App is a compromise
Hosted app path: privlyalpha.org/apps/ZeroBin
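The slides describe three pieces of the mechanism: the extension discovers a specially formatted link, it splits the Privly URL into the hosted app path, the app specifier and the data address, and it prefers a pre-distributed copy of the app over the hosted fallback. The following is an added example written for this page, not code from the privly-chrome extension, showing those three steps together. It assumes (these are not on the slides) that the extension bundles apps under an apps/<name>/ path inside the extension, that the hosted copy lives at <origin>/apps/<name> as the slide URLs suggest, that scheme-less links are https, and that the data address must itself be https. The sample links are constructed for the example; only the first one is taken from the slides.

```javascript
// Added example (not privly-chrome's own code): recognise a Privly link,
// split it into its three parts, and choose bundled vs hosted app source.

// Assumption: apps the extension ships with (pre-distributed), served from
// its own package rather than from the content server.
const BUNDLED_APPS = new Set(['PlainPost', 'ZeroBin']);

// Parse one href. Returns null when the link is not a Privly link or is
// malformed in a way the extension should refuse to inject.
function parsePrivlyLink(href) {
  let url;
  try {
    // Slides write links without a scheme; assume https when it is missing.
    url = new URL(/^https?:\/\//i.test(href) ? href : 'https://' + href);
  } catch (e) {
    return null;
  }
  const app = url.searchParams.get('privlyApp');
  let data = url.searchParams.get('privlyDataURL');
  if (!app || !data) return null;                 // not a specially formatted link
  // The app specifier selects a bundled path, so it must be a bare name:
  // no slashes, dots or other characters that could escape the apps/ folder.
  if (!/^[A-Za-z0-9]+$/.test(app)) return null;
  if (!/^https?:\/\//i.test(data)) data = 'https://' + data;
  let dataURL;
  try { dataURL = new URL(data); } catch (e) { return null; }
  if (dataURL.protocol !== 'https:') return null;   // assumption: data fetched over TLS only
  return {
    hostedAppPath: url.origin + url.pathname,        // 1. the hosted app path
    app,                                             // 2. app specifier
    dataURL: dataURL.href,                           // 3. data address
  };
}

// Prefer the pre-distributed app; fall back to the hosted copy, which the
// slides note does not protect the user from the host serving it.
function resolveAppSource(link, bundled = BUNDLED_APPS) {
  if (bundled.has(link.app)) {
    return { source: 'bundled', location: 'apps/' + link.app + '/' };
  }
  return { source: 'hosted', location: link.hostedAppPath };
}

// Scan the hrefs found on a host page and return the injectable ones.
function discoverPrivlyLinks(hrefs) {
  const found = [];
  for (const href of hrefs) {
    const parsed = parsePrivlyLink(href);
    if (parsed) found.push({ ...parsed, ...resolveAppSource(parsed) });
  }
  return found;
}

// Constructed sample hrefs (first one is the slide's example URL).
const SAMPLE_HREFS = [
  'privlyalpha.org/apps/PlainPost?privlyApp=PlainPost&privlyDataURL=privlyalpha.org/posts/1.json',
  'https://example.com/about',                                   // ordinary link
  'https://privlyalpha.org/apps/PGP?privlyApp=PGP&privlyDataURL=https://privlyalpha.org/posts/2.json',
  'https://privlyalpha.org/apps/PlainPost?privlyApp=PlainPost&privlyDataURL=http://privlyalpha.org/posts/3.json', // plain-http data, refused
  'https://privlyalpha.org/apps/X?privlyApp=../evil&privlyDataURL=https://privlyalpha.org/posts/4.json',            // bad specifier, refused
  'mailto:someone@example.com',
];

for (const link of discoverPrivlyLinks(SAMPLE_HREFS)) {
  console.log(link.app, 'from', link.source, link.location, '->', link.dataURL);
}
```

Of the six constructed links only two are injectable: the PlainPost one is served from the bundled copy, and the PGP one (not in the assumed bundle) falls back to its hosted path. The two refused links show why the specifier and data address deserve a check before either is used to pick a file or make a request.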
More About these "Injectable Apps"
• Current
  – PlainPost: Most universal application
  – ZeroBin: Encrypted by the anchor text
• In Development
  – PGP: Strong Public Key Crypto
  – IndieData: Personal Semantic Datastore
• Planned
  – OTR: Encrypted chat application
  – various other specific use cases
Cool Potential Functionality
• Host page API
• Hooks into distributed hash table
• Seamless integration with social networks for sharing lists
Client-Side Message Interface

Are Websites the Adversary?
• Only from a security perspective
  – Have to account for worst case scenarios
• Privly increases time-on-site
  – Increased ad revenues
  – Time-on-site is more valuable than being able to target advertising to private message contents
Privly Development Status
Chart (axis label: Sophistication)
• Google Chrome Extension is the most advanced
• Use the Chrome Extension to develop Injectable Apps
• Google Summer of Code students are developing iOS and Android versions
Content Servers
Chart (axis label: Sophistication)
• Data driven
• Advertises extensions
• Privly applications run from a static folder
What's Next
• Security is hard, innovation is dangerous
• Put warnings on everything and release/iterate
Making an Injectable Application
• Start with the Chrome extension: github.com/privly/privly-chrome
• Easiest way to start is by editing the PlainPost application
Resources
• Info/Download: priv.ly
• Communicate: privly.org
• Code: https://github.com/privly
• Latest Content Server: https://privlyalpha.org
• Slides: github.com/privly/privly-organization/tree/master/presentations/2013-07-25-OSCON/OSCON.ppt
Get Connected
#privly on irc.freenode.net
Join our mailing list: http://bit.ly/privly-group
Techno-Activism 3rd Mondays
• August Event: http://ta3m-pdx-3.eventbrite.com
• TA3M Wiki: http://wiki.openitp.org/events:techno-activism_3rd_mondays
Free (As in Beer)
• The handouts at the front have directions for getting credentials on privlyalpha.org
Wait…what?
• Privly allows you to post "private" content anywhere on the web
• Privly allows you to offer your users protection from your servers (because what if they get compromised? Oh noooo!)
• Privly is a flexible framework – you can add all kinds of applications
OSBridge 2012, priv.ly/pages/download
Legal
• All logos are property of their respective owners
• Graphics in this presentation are used under a Creative Commons License
• This presentation is licensed under Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) (http://creativecommons.org/licenses/by-sa/3.0/)
Questions?
Thanks to O'Reilly Media!
https://priv.ly
https://groups.google.com/group/privly
@privly
Sean: @seanmcgregor
Jen: @jewifer