It has come to my attention recently that there has been a law passed in the United States which restricts internet pornography and forbids sex workers from having websites (to some extent). While I have not read the bill, or heard much more about it other than how it has affected sex workers, I’ve decided to write this so that I can do my part to keep the internet free as well as defend a marginalized community. As this issue evolves, I’m sure people will have new questions/concerns, so I will update this blog post with answers as they come up.
I’m going to only touch briefly on opsec/privacy, as that is a whole other blog post. I am going to try to keep this brief and informative.
So there are really two ways you can go about this IMO. A “trusted” offshore provider, such as OVH. Or a “trusted” friend/ online acquaintance who dabbles in their own hosting.
As far as reputable (esque) providers go, usually I refer people to Amazon Web Services. Unfortunately, that isn’t a great choice for this scenario, so I recommend OVH alternatively. Based in France, OVH provides a wide variety of common cloud services, dedicated VPCs, backup solutions and more. The reason I suggest this isn’t because it’s based in France (and I know nothing about their laws), but because in my professional work, I’ve encountered a lot of malware/phishing campaigns that use OVH (lol). Since they clearly give 0 fucks about abuse, I will recommend them for this use-case as the nature of your website is nothing worse than what they already host.
Alternatively (this is a little shadier, but if you want to go this route, by all means), find somebody who operates their own hosting business through a forum or online group, and ask them if they will protect your content. They will probably say yes, and might be a better route for technical support. The downside of this is if you come under DDoS attack, you might be down for a bit longer than you would with OVH.
Note: Use Ubuntu Linux for the operating system when it comes time to pick. This is important because it is the easiest Linux distribution to use for beginners, and the most well supported. Debian is equally reliable and my personal preference, but there are some caveats to that which I do not want to get into in this blog, so just use Ubuntu.
How to make a website:
I won’t walk through the technical details of how to design a website, but I will instead link to articles on how to do it with WordPress.
^This seems like a pretty solid guide. Ping me if you’re stuck with anything
Question: “Can ‘WordPress’ be trusted”
Answer: Yes. WordPress.org cannot control what you do with the WordPress CMS, which is “Free and Open Source Software” licensed under the GNU GPLv3. Here are the terms of the GNU GPLv3: https://www.gnu.org/licenses/gpl-3.0.en.html
Content hosted on WordPress.org is subject to an additional TOS (which only applies to content on their website), and it is not advisable to use them for this use-case.
If you want to learn more about the “Free Software Movement”, check out gnu.org! Also, this is mandatory watching: https://www.youtube.com/watch?v=k84FMc1GF8M
Addition #1: I forgot to mention, when you’re managing WordPress it’s critical that you do not install random, unnecessary or obscure plugins. Only use plugins from reputable vendors, with a good community reputation. There are a variety of hacking techniques that are relatively trivial to conduct on a poorly managed WordPress. This is why I always recommend people install “WordFence”. WordFence is a “Web Application Firewall” (WAF). The purpose of a WAF is to automatically detect, prevent and block general malicious activity and trivial hacking techniques. WordFence is free to install; however, it has a paid version with advanced features (which I do not use because I have the technical expertise to manage these things alternatively, but I recommend it to people who have the budget for it).
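One way to check a site against the plugin advice above, as an added example that is not part of the original post: the script reads JSON in the shape WP-CLI's `wp plugin list --format=json` prints and flags plugins that are not on an allowlist, are inactive but still installed, or have updates pending, plus a required plugin (WordFence here) that is not active. The sample data, the allowlist and the plugin name `free-seo-booster-pro` are constructed for illustration.

```python
import json

# Constructed sample in the shape of `wp plugin list --format=json` (not from a real site).
SAMPLE_WP_CLI_JSON = """[
  {"name": "wordfence", "status": "inactive", "update": "none", "version": "1.0"},
  {"name": "contact-form-7", "status": "active", "update": "available", "version": "1.0"},
  {"name": "free-seo-booster-pro", "status": "active", "update": "none", "version": "0.3"}
]"""

APPROVED = {"wordfence", "contact-form-7"}  # hypothetical allowlist chosen by the site owner
REQUIRED = {"wordfence"}                    # the WAF plugin this post recommends
ACTIVE_STATES = {"active", "active-network"}


def audit_plugins(wp_cli_json, approved, required):
    """Return sorted (plugin, finding) pairs that need the site owner's attention."""
    plugins = json.loads(wp_cli_json)
    findings = []

    # A required plugin that is absent or merely installed protects nothing.
    active = {p["name"] for p in plugins if p.get("status") in ACTIVE_STATES}
    for name in required - active:
        findings.append((name, "required plugin is missing or not active"))

    for p in plugins:
        name = p["name"]
        if name not in approved:
            findings.append((name, "not on the approved list: review or remove"))
        if p.get("status") == "inactive" and name not in required:
            # Inactive plugin files stay on disk where the web server can still reach them.
            findings.append((name, "inactive: delete it rather than leaving it installed"))
        if p.get("update") == "available":
            findings.append((name, "update available: apply it"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_plugins(SAMPLE_WP_CLI_JSON, APPROVED, REQUIRED):
        print(f"{name}: {finding}")
```

On a real server, pass the output of `wp plugin list --format=json` in place of the constructed sample.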
Domain Names, SSL/ TLS , .onion and more:
Many people are discussing which registrars and TLDs/gTLDs are safe for this use-case. There is a lot of misinformation, and concern about ICANN’s authority, so I will clarify a few points and make suggestions.
A) ICANN are good people, who work hard 24/7 to keep the internet going. While they usually comply with law enforcement, they will not buckle to authoritarian censorship. While I’m unsure what actions they will or will not take regarding the recent law that was passed in the US, I do know they generally make good decisions.
B) Many people have said they’d prefer a .onion domain name, but that it would reduce visibility for their website. While this is true, it is not necessary to use Tor to access .onion websites! There is a service called Tor2Web which will proxy your content to the clearnet sans the privacy enhancements.
Q: How does this work?
A: It’s simple. Just append “.to” to the end of your .onion domain. Here is an example to try! https://duskgytldkxiuqc6.onion.to
(Note: I will mention again, if you use the “.to” trick to access darknet content you will not have any privacy protection!)
Q: What are the benefits of this then if there is no privacy protection?
A: There is only no privacy protection for the person accessing the content via “.to”. If you configure it properly, as you would for any other darknet site, then the site itself will be the exact same as any other darknet site.
C) Some people have asked where the best place to buy “SSL/TLS/HTTPS” certificates is. My answer is not to buy it! Get it for free with Let’s Encrypt! Let’s Encrypt is another FOSS initiative that wants to give out free SSL certificates. Check the green lock for infosecninja.ca and see it in use! https://letsencrypt.org
Q: How do I install an SSL certificate?
A: You don’t! Let Certbot do it! Certbot is an initiative from the Electronic Frontier Foundation (EFF) which fully automates installation of SSL/ TLS certificates and their renewal. certbot.eff.org
D) Some people are curious what Registrars are good for this use case. For this, I suggest the Paris based
Q: Why do you recommend gandi.net?
A: Because they’re basically the French Verisign
Q: Do they offer Domain Privacy Protection?
A: Yes, and it’s free!
E) What TLDs and gTLDs can I choose from?
Here is the list:
Communications 101, secure and plaintext
There are a few things to address here. While I won’t go into threat modelling communications channels, I’ll list some cool tricks and what not. But I will briefly say, anything you want to stay private should stay away from electronics and the internet. Have face to face conversations when possible, and separate your personal data from work data (This may mean multiple devices).
– For low threat burners, I use TextNow (iOS and Android app). Previously I’ve said they don’t care about abuse, and their social media team was quick to correct me (lol). But I still stand with that point. The reason is because their API is wide open and if they didn’t want people abusing it, they would have done a better job making it.
– If you need a physical burner phone, you can get them from grocery stores for el-cheapo. Pay cash, wear shades. Buy it from a store out of town, so nobody recognizes you. Throw the packaging away in a separate area. Make sure to destroy serial numbers on the packaging before throwing it away!
– If you want a real “trap-phone” I suggest getting a Twilio SIM and provisioning your own programmable voice + SMS + data service. It’s cheaper than a regular phone plan (by more than half) and lets you change your number instantly. Order the Twilio SIM cards to a throwaway address, and purchase them under a burner account. The starter pack is 20$ for 3. Then you should buy an iPhone off of eBay that has been well used; try to get a 6S or newer. This should be about 300-250$. I’ll cover this in another blog with exact details, as it’s a non-trivial task.
– If you’re el-chapo, look into “Phantom Phones”, though I’m not sure how good they are; I heard they’re supposedly better than standard devices. These run in the 2k price range though.
– For email use protonmail.com (iOS/Android/desktop). It’s a very straightforward, highly secure platform.
– For IM use Signal (iOS/Android/desktop). This is also very straightforward.
– iMessage has medium grade encryption. Apple might fuck you over though, and I won’t vouch for them more so than Signal. So take from that what you will.
VPN’s, Proxies and Tor
– People are recommending a lot of shit VPN providers these days. What makes them shit is either their speed, or their service quality. Or some are direct pipelines to the Kremlin! If you want to stay safe online by using a VPN, set up your own on OVH! Here is a guide for setting up OpenVPN: https://www.digitalocean.com/community/tutorials/how-to-install-openvpn-access-server-on-ubuntu-12-04 https://www.ovh.com/world/g1555.vpn_configuration_guide
– Blackbox VPNs will offer you little privacy in this use-case. Services like TunnelBear are not trustworthy. And do not listen to anything Linus Tech Tips tells you! He has 0 clue what he is talking about.
– Tor is incredibly slow these days but if you need to, then use it.
I don’t usually write about opsec so as not to give away my own secrets, so I’ll defer to a friend of mine who has excellent resources on the subject. Check out his blog here, where he has compiled amazing resources on staying safe online (he wrote a book on the matter too): https://brokemy.network
Edit: Originally I mistakenly said that Certbot was created by Let’s Encrypt. This is incorrect, Certbot was created by the Electronic Frontier Foundation (EFF). My apologies to the EFF for this error. eff.org