@privlyLeadDeveloper:SeanMcGregor@seanmcgregorCommunityManager:JenniferDavidson@jewifer

The Open Privacy Stack: Privly

Outline

1. Howthewebisbrokenforsecurity2. "InjectableApplicaJons"asasoluJon3. HowPrivlyimplementsinjectableapplicaJons4. MoreoninjectableapplicaJons5. ThePrivlyFoundaJonandthewayforward

OSCON 2013 �

priv.ly/pages/download� 2

HowSecurityontheWebisBroken•  PRISM:Onlineserviceproviderscannotprotectusersfromthegovernmentsunderwhichtheyoperate

•  Hushmail:Onlineservicescannotprotectusersfromthemselves

•  Facebook“Like”Bu9on:SecurityandfuncJonalityaredifficulttocombine

OSCON 2013 �

priv.ly/pages/download� 3

TextisText,WhereveritMayBeTextisText,WhereveritMayBeTextisText,WhereveritMayBeTextisText,WhereveritMayBeTextisText,WhereveritMayBeTextisText,WhereveritMayBeTextisText,WhereveritMayBeTextisText,WhereveritMayBeTextisText,WhereveritMayBe

SoluJon:StopReinvenJngSecurity

OSCON 2013 �

priv.ly/pages/download� 4

• Yoursiteisunique,butyourdataisnot!• WrapcontentinitsownapplicaJonviewedinsideyourwebapplicaJon

TheApplicaJon!==TheData

5

TextisText,WhereveritMayBe

OSCON 2013 �

priv.ly/pages/download�

6

ThatWasPrivlyatWork

OSCON 2013 �

priv.ly/pages/download�

1.  BrowserExtensiondiscoversspeciallyforma]edlink

2.  “Injects”thelink

7

ThisisaCompleteWebApplicaJon

TextisText,WhereveritMayBe

ThisisaCompleteWebApplicaJon

OSCON 2013 �

priv.ly/pages/download�

8

ThePrivlyURL

privlyalpha.org/apps/PlainPost?privlyApp=PlainPost&privlyDataURL=privlyalpha.org/posts/1.json

OSCON 2013 �

priv.ly/pages/download�

1Thehostedapppath

2App

specifier

3Data

address

privlyApp=ZeroBinprivlyApp=PGP

9

ExtendedBrowser

Server

HostPage

h]ps://Privlyalpha/apps/PlainPost?privlyApp=PlainPost&privlyDataURL=h]ps://privlyalpha.org/posts/2342536674.json

OSCON 2013 �

priv.ly/pages/download�

ThisisademonstraJonofPrivly’scapabiliJes.Thehostpage,Twi]er,doesnothaveaccesstotheTweet’scontents.ItisalsonotlimitedbythelengthimposedbyTwi]er.

10

NoExtension

ExtensionJenDavidson

JenDavidson

OSCON 2013 �

priv.ly/pages/download�

@jewifer

ThisisademonstraJonofPrivly’scapabiliJes.Thehostpage,Twi]er,doesnothaveaccesstotheTweet’scontents.ItisalsonotlimitedbythelengthimposedbyTwi]er.

privlyalpha.org/apps/PlainPost…

@jewifer

OSCON 2013 �

priv.ly/pages/download� 11

JavascriptCryptographyPotenFallyNotHarmfulPrivly

Pre-DistributetheApps

?privlyApp=PlainPost&

2App

specifier

WhatiftheUserDoesn’tHavetheApp?•  OpJonalhostedfallback– PosJnguserscanchooseanappwherehostedfallbackispossible

– Youdonotprotectusersfromthehost

– Bestcase,youhostityourself

– ZeroBinAppisacompromiseOSCON 2013 �

priv.ly/pages/download� 12

privlyalpha.org/apps/ZeroBin

1Thehostedapppath

MoreAboutthese“InjectableApps”

•  Current– PlainPost:MostuniversalapplicaJon– ZeroBin:Encryptedbytheanchortext

•  InDevelopment– PGP:StrongPublicKeyCrypto–  IndieData:PersonalSemanJcDatastore

•  Planned– OTR:EncryptedchatapplicaJon– variousotherspecificusecases

OSCON 2013 �

priv.ly/pages/download� 13

CoolPotenJalFuncJonality•  HostpageAPI•  Hooksintodistributedhashtable•  SeamlessintegraJonwithsocialnetworksforsharinglists

OSCON 2013 �

priv.ly/pages/download� 14

Client-SideMessageInterface

AreWebsitestheAdversary?

•  OnlyfromasecurityperspecJve– Havetoaccountforworstcasescenarios

•  PrivlyincreasesJme-on-site–  Increasedaddrevenues– Time-on-siteismorevaluablethanbeingabletotargetadverJsingtoprivatemessagecontents

OSCON 2013 �

priv.ly/pages/download� 15

PrivlyDevelopmentStatus

16

Soph

isJcaJo

n

•  GoogleChromeExtensionisthemostadvanced•  UsetheChromeExtensiontodevelopInjectableApps•  GoogleSummerofCodestudentsaredevelopingiOSandAndroidversion

16

ContentServers

OSCON 2013 �

priv.ly/pages/download� 17

Soph

isJcaJo

n•  Datadriven•  AdverJsesextensions•  Privly-applicaJonsrunsfromstaJcfolder

What’sNext

•  Securityishard,innovaJonisdangerous•  Putwarningsoneverythingandrelease/iterate

OSCON 2013 �

priv.ly/pages/download� 18

MakinganInjectableApplicaJon

•  StartwiththeChromeextension:github.com/privly/privly-chrome•  EasiestwaytostartisbyediJngthePlainPostapplicaJon

OSCON 2013 �

priv.ly/pages/download� 19

Resources

•  Info/Download:priv.ly•  Communicate:privly.org•  Code:h]ps://github.com/privly•  LatestContentServer:h]ps://privlyalpha.org•  Slides:github.com/privly/privly-organizaJon/tree/master/presentaJons/2013-07-25-OSCON/OSCON.ppt

OSCON 2013 �20

GetConnected

#privlyonirc.freenode.netJoinourmailinglist,h]p://bit.ly/privly-group

OSCON 2013 �

priv.ly/pages/download� 21

Techno-AcJvism3rdMondays

•  AugustEvent:h]p://ta3m-pdx-3.eventbrite.com

•  TA3MWiki:h]p://wiki.openitp.org/events:techno-acJvism_3rd_mondays

OSCON 2013 �

priv.ly/pages/download� 22

Free(AsinBeer)

•  ThehandoutsatthefronthavedirecJonsforgetngcredenJalsononprivlyalpha.org

23

OSCON 2013 �

priv.ly/pages/download�

Wait…what?

•  Privlyallowsyoutopost“private”contentanywhereontheweb

•  PrivlyallowsyoutoofferyourusersprotecJonfromyourservers(becausewhatiftheygetcompromised?Onooo!)

•  Privlyisaflexibleframework–youcanaddallkindsofapplicaJons

OSBridge 2012 �

priv.ly/pages/download� 24

Legal

•  AlllogosarepropertyoftheirrespecJveowners

•  GraphicsinthispresentaJonareusedunderaCreaJveCommonsLicense

•  ThispresentaJonislicensedunderA]ribuJon-ShareAlike3.0Unported(CCBY-SA3.0)(h]p://creaJvecommons.org/licenses/by-sa/3.0/)

25

OSCON 2013 �

priv.ly/pages/download�

QuesJons?

Thanks to O’Reilly Media! h]ps://priv.lyh]ps://groups.google.com/group/privly@privlySean:@seanmcgregorJen:@jewifer

26

OSCON 2013 �

priv.ly/pages/download�