Silk Road forums

Discussion => Security => Topic started by: theophile on December 10, 2012, 11:44 am

Title: No HTTPS?
Post by: theophile on December 10, 2012, 11:44 am
I recently joined, and noticed neither SR nor this forum use SSL encryption.
From what I understand about onion routing, this means the exit node we each connect to could read our traffic.
Wouldn't it be very easy for law enforcement to set up their own exit node and monitor traffic? In practice, is there another factor at play?
Title: Re: No HTTPS?
Post by: SelfSovereignty on December 10, 2012, 12:09 pm
You're right, it would be LUDICROUSLY easy for them to do that, save for one thing: we don't go through an exit node to get to SR.  It's a hidden Tor service, so it's in-network only.  That means it's end-to-end encrypted, hence no SSL (HTTPS) necessary.  It would just put more of a demand on the server and do very little else.

Definitely bear in mind that some exit nodes run SSL stripping software to perform man-in-the-middle attacks and all that lovely black hat junk.  If you're very paranoid, don't download Tor browser updates via Tor: never know if an exit node is deliberately replacing the real one with a malicious version.
Title: Re: No HTTPS?
Post by: Ballzinator on December 10, 2012, 11:02 pm
Quote from: SelfSovereignty on December 10, 2012, 12:09 pm
"If you're very paranoid, don't download Tor browser updates via Tor: never know if an exit node is deliberately replacing the real one with a malicious version."
Dude, that's fucked up. I've never even thought of that :o
Title: Re: No HTTPS?
Post by: sourman on December 10, 2012, 11:57 pm
Hidden services on Tor use end-to-end encryption by design, so there's no need for SSL.

When you download Tor updates, make sure you're on the https:// secured download page prior to clicking the link. You can also get the PGP sig file for any download to verify that the file wasn't tampered with.
Title: Re: No HTTPS?
Post by: astor on December 11, 2012, 12:36 am
...and if you had used the search engine, you would have found, as one of the first results, that this question was answered months ago

http://dkn255hz262ypmii.onion/index.php?topic=14246

Not to mention I've seen it come up 2 or 3 times in the Security forum already.
Title: Re: No HTTPS?
Post by: SelfSovereignty on December 11, 2012, 06:56 am
Well yeah, that's true Astor... but when the damn site closes the connection every other page load and then bitches because it thinks your last search was less than 1 second ago, who can really blame him.  It's a good question & worth bumping/repeating now and then, IMHO.

BTW, that's not good enough Sourman -- SSL for Tor downloads.  The problem is that the only guarantee you have you're talking to the Tor servers and not a black hat running a man-in-the-middle attack is the certificate issued by a certificate authority.  Those are pathetically easy to hack/spoof/legitimately buy though.  And people tend to do what the men in black who call and say "give us a fucking certificate, we have to take down an int'l drug ring this week," demand.  Would be a damn easy way to identify probably 3/4 of this place; I mean distributing a malicious Tor browser version, that is.

(ex: you SSL to the hacker, he spoofs the Tor server certificate, then SSL's to the server himself and claims to be you -- and passes everything back and forth, after logging/changing it at his computer of course)
Title: Re: No HTTPS?
Post by: sourman on December 11, 2012, 07:13 pm
^^True, which is why I also mentioned verifying the PGP sig of the file in my post :)
Title: Re: No HTTPS?
Post by: SelfSovereignty on December 11, 2012, 08:58 pm
Quote from: sourman on December 11, 2012, 07:13 pm
"^^True, which is why I also mentioned verifying the PGP sig of the file in my post :)"

Right you are, didn't mean to patronize you or anything :)
Title: Re: No HTTPS?
Post by: sourman on December 11, 2012, 11:16 pm
No offense taken. Security and scrutiny go hand in hand.
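
Added example, not part of any post in this thread: the PGP signature check sourman describes, written as a shell function around gpg that accepts a download only if the detached signature is valid and was made by a key whose fingerprint was pinned beforehand. The keys, addresses and file are throwaway values constructed for the demo; in practice the pinned fingerprint has to come from a channel other than the download itself.

```shell
#!/bin/sh
# Added example. Key names, addresses and file contents are constructed.

# verify_pinned FILE SIG PINNED_FPR: succeed only if SIG is a valid signature
# over FILE made by the key whose primary fingerprint is PINNED_FPR.
verify_pinned() {
    # --status-fd is gpg's machine-readable interface. gpg exits non-zero on a
    # bad signature, but exits 0 for a good one from ANY key in the keyring.
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # VALIDSIG's last field is the primary-key fingerprint of the signer.
    got=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$got" ] && [ "$got" = "$3" ]
}

# fpr_of UID: print the primary fingerprint of a key in the demo keyring.
fpr_of() {
    gpg --batch --with-colons --fingerprint "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# make_fixture DIR: throwaway keyring in DIR with two keys, one sample file,
# and a detached signature from each key. Sets GNUPGHOME for the caller.
make_fixture() {
    GNUPGHOME="$1/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    printf 'constructed sample bundle\n' > "$1/bundle"
    for who in release@example.invalid other@example.invalid; do
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --quick-generate-key "$who" default default never 2>/dev/null || return 1
        gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
            --local-user "$who" --detach-sign --armor \
            --output "$1/bundle.$who.asc" "$1/bundle" || return 1
    done
}

# demo: run the three cases (genuine, wrong signer, modified file).
demo() {
    dir=$(mktemp -d) || return 1
    make_fixture "$dir" || return 1
    pinned=$(fpr_of release@example.invalid)
    verify_pinned "$dir/bundle" "$dir/bundle.release@example.invalid.asc" "$pinned" \
        && echo "genuine file, pinned key: accepted"
    verify_pinned "$dir/bundle" "$dir/bundle.other@example.invalid.asc" "$pinned" \
        || echo "valid signature from a different key: rejected"
    echo tampered >> "$dir/bundle"
    verify_pinned "$dir/bundle" "$dir/bundle.release@example.invalid.asc" "$pinned" \
        || echo "modified file: rejected"
    gpgconf --kill gpg-agent; rm -rf "$dir"
}
```

Call `demo` to run all three cases. The second case is the one a plain `gpg --verify` exit status misses: the signature is cryptographically good, just not from the expected key.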