RealTime IT News

HP Veiled: A Darknet for Browsers

LAS VEGAS -- Here at the Black Hat conference, HP security researchers today are set to show off Veiled, a browser-based darknet.

A darknet is a hidden Internet where information and content are shared by darknet participants. Usually, darknets are not easily accessible via regular Web browsers -- which is what changes with Veiled.

Veiled is intended to lower a darknet's barriers to entry, making it simpler to create and join.

"You can't really do peer-to-peer with a browser -- letting one browser talk to another -- and that's a good thing from a security perspective," HP security researcher Matt Wood told InternetNews.com. "The way you punch holes in that is if you have a server that has single php file on it that lets you create a communications channel with all the other people communicating with that php server."

But instead of just communicating, Veiled enables users to actually have their own nodes with their browser to share content -- and it's all done on top of the Web. Wood explained that the data is on the user's local browser, so when they shut down, there is no trace left to indicate the user participated in the darknet.

Wood added that the user doesn't need to download anything to participate. It's all AJAX calls through the browser's JavaScript engine, so it's merely taking advantage of features that modern browsers enable.

While the darknet could potentially be something used to traffic malicious information, for HP's security researchers, the point of the effort is to show what is possible, and Wood said that masking activity wasn't the point of his research.

"The server doesn't try to act like the endpoint," Wood said. "It's literally just acting as a router with client connecting to it and sending messages through it."

One benign potential use for Veiled is as a way to create a browser-based, distributed file storage network.

"Whenever a certain node goes down, we don't want the entire file to disappear, so we wanted to have multiple copies and have the copies split up with chunks all across the darknet," Wood said.

In some respects, the idea might seem similar to Opera Unite effort, which aims to let users of the Opera browser interact with each other through file- and photo-sharing, Web serving and chat, thanks to an integrated Web server. But Wood said HP has a very different aim in mind.

"What we're trying to do with the research is saying, with all this HTML 5 stuff that has come out, how far can you take the apps that just live the browser, and what kind of apps that we used to only have on the desktop be just in the browser."

Browser vulnerabilities?

Wood said Veiled is not taking advantage of any browser vulnerability to make its magic happen. He also noted that he had not spoken with the browser vendors about Veiled, and that he doesn't see a need to since the darknet isn't taking advantage of anything that a browser doesn't normally.

"The idea behind the darknet is mostly in how the client and server and other clients connect together and how servers can connect to other servers," Wood said. "That's really the heart of how this all goes together. We are providing a new way to look at how the client and servers interact. This is more of a paradigm shift."