Silk Road forums
Discussion => Security => Topic started by: Real_Drugs on June 09, 2013, 06:27 am
-
I have seen quiet a few threads asking about sites that are sites to avoid/that are unsafe while using TOR such as Facebook and Mt Gox, so I thought I might as well start a thread everyone can contribute to with a list of sites to avoid or for people who are unsure to ask about sites instead of posting a new thread every time.
I hope this helps.
-
Anything where you're giving personal or potentially identifying info? And don't do it concurrently while you're doing illegal things? Don't open your dls while online.
-
Any government site.
USPS (don't check tracking on Tor).
Any site that requires you to login that identifies you (bank account, facebook, youtube, etc)
-
Every site. ;)
Make sure Java is disabled... read through the Tor Project website. Follow daily news and events...
Cryptome.org is a fantastic resource for social and political news in the modern era.
-
That would be a long list. It's better to enumerate the reasons why you should avoid certain clearnet web sites over Tor, and you can apply that logic to any web site you come across.
1. Don't log into any web site that you have previously logged into over clearnet.
You will link your anonymous identity to your real identity.
2. Don't log into any web site that doesn't use SSL.
The exit node can sniff your account credentials. It can also link you to other sites that you are browsing at the same time, because all those TCP streams are probably using the same circuit, which terminates at that exit node.
3. Don't log into or try to create an account on any financial web site over Tor.
They are extremely paranoid and will probably flag your account.
4. You shouldn't write a lot of text on any web site where you have written a lot over clearnet.
This forum has shown that stylometry is surprisingly easy for even amateurs to perform, as several people have been trivially identified through quirks in their writing style (see for example mtljohn and chaosforpeace). You run the risk of linking your anonymous and real identities.
5. Be extremely careful about posting photos.
Metadata and identifying info photos have fucked a lot of people.
6. Don't enable Flash or Java on untrusted sites. If they require these plugins, that is extremely suspicious.
YouTube is probably ok, but I wouldn't run Flash on any other site. I wouldn't run Java on any site, period.
It is relatively safe to access the vast majority of sites as long as you don't log in or run Flash or Java. You can also disable JavaScript if you feel the need, although I think the threat from that is pretty low.
-
That would be a long list. It's better to enumerate the reasons why you should avoid certain clearnet web sites over Tor, and you can apply that logic to any web site you come across.
1. Don't log into any web site that you have previously logged into over clearnet.
You will link your anonymous identity to your real identity.
2. Don't log into any web site that doesn't use SSL.
The exit node can sniff your account credentials. It can also link you to other sites that you are browsing at the same time, because all those TCP streams are probably using the same circuit, which terminates at that exit node.
3. Don't log into or try to create an account on any financial web site over Tor.
They are extremely paranoid and will probably flag your account.
4. You shouldn't write a lot of text on any web site where you have written a lot over clearnet.
This forum has shown that stylometry is surprisingly easy for even amateurs to perform, as several people have been trivially identified through quirks in their writing style (see for example mtljohn and chaosforpeace). You run the risk of linking your anonymous and real identities.
5. Be extremely careful about posting photos.
Metadata and identifying info photos have fucked a lot of people.
6. Don't enable Flash or Java on untrusted sites. If they require these plugins, that is extremely suspicious.
YouTube is probably ok, but I wouldn't run Flash on any other site. I wouldn't run Java on any site, period.
It is relatively safe to access the vast majority of sites as long as you don't log in or run Flash or Java. You can also disable JavaScript if you feel the need, although I think the threat from that is pretty low.
Very smart and informative astor, Thanks!!! I think a lot of people should read this and learn a few things. +1 to you good sir
-
Some good tips, I just avoid getting on any other site other than SR while on tor, sketches me the hell out.
-
That would be a long list. It's better to enumerate the reasons why you should avoid certain clearnet web sites over Tor, and you can apply that logic to any web site you come across.
1. Don't log into any web site that you have previously logged into over clearnet.
You will link your anonymous identity to your real identity.
2. Don't log into any web site that doesn't use SSL.
The exit node can sniff your account credentials. It can also link you to other sites that you are browsing at the same time, because all those TCP streams are probably using the same circuit, which terminates at that exit node.
3. Don't log into or try to create an account on any financial web site over Tor.
They are extremely paranoid and will probably flag your account.
4. You shouldn't write a lot of text on any web site where you have written a lot over clearnet.
This forum has shown that stylometry is surprisingly easy for even amateurs to perform, as several people have been trivially identified through quirks in their writing style (see for example mtljohn and chaosforpeace). You run the risk of linking your anonymous and real identities.
5. Be extremely careful about posting photos.
Metadata and identifying info photos have fucked a lot of people.
6. Don't enable Flash or Java on untrusted sites. If they require these plugins, that is extremely suspicious.
YouTube is probably ok, but I wouldn't run Flash on any other site. I wouldn't run Java on any site, period.
It is relatively safe to access the vast majority of sites as long as you don't log in or run Flash or Java. You can also disable JavaScript if you feel the need, although I think the threat from that is pretty low.
+1 Thanks.
-
While on TOR, stay on TOR. While on clearnet, don't go near TOR.
When I'm about to hit TOR, I take a look around my place to see if I have anything else that's currently connected to the net. Other computers be they desktop or laptop, gaming consoles, anything. Don't forget about them. They all get shut off.
If, like me, you want to check clearnet stuff while on here - and it's a pain not to be able to do so - have a smartphone handy that is NOT using your home wifi, and do your clearnet surfing or whatever on that.
-
Everyone in this community has it bass ackwards. Tor was designed for browsing clearnet anonymously. Hidden services are the experimental feature, with much less research and zero development effort.
Plus, a hidden service can attack you in all the ways that a clearnet site can. Hidden services can supply JavaScript, and Flash, and Java. They're just web sites serving code, exactly the same as clearnet sites. The only thing hidden services provide is anonymity to the server, not the client.
-
astor, I have computer #1 logged in to the clearnet without TOR, clear IP address connected to an account I pay for under my real name.
Computer #2 is, via TAILS and TOR, connected to SR and whatever else.
You're telling me that's not a security risk - that my anon identity isn't easily tied to my real identity while I operate both through the same internet account?
-
On separate physical computers? It is basically zero risk.
-
Why would separate computers make a difference unless you're talking about (barely) plausible deniability?
My ISP knows I use TOR (if they care enough to pay attention).
My ISP knows who I am and where I go when I don't use TOR.
What kind of a chore is it to link the computer I have currently online, linked to my real name, with the computer operating TOR at the same time through the same account?
-
If you pay for your internet access, what difference does running a computer over clearnet make?
Your ISP knows someone is running Tor connections out of your home either way, or at least they can know if they bother to look.
You might still have some plausible deniability in that you could be allowing a friend to access Tor from your home, or someone is stealing your wifi. Are you saying it's less deniable if the two forms of connection happen simultaneously? I doubt any of this matters in a court of law, since it could happen at the same time or different times.
In any case, so what? Using Tor doesn't prove you're doing anything illegal.
And accessing clearnet on a separate physical computer won't reveal your identity to the sites you are visiting over Tor. That's why I was said it was zero risk.
-
what about accessing clearnet sites on a different browser while on tor?
-
I wouldn't worry about it, you can safely browse clearnet and tor sites on the same computer inside different browsers.
The only possible way that I can think of in which your tor and clearnet identities could be linked is if you're browsing the same sites in both browsers and your internet connection is suddenly interrupted. They might then be able to link your tor and clearnet traffic by correlating the downtime between the two sessions, however that definitely doesn't seem very likely to happen..
-
And accessing clearnet on a separate physical computer won't reveal your identity to the sites you are visiting over Tor. That's why I was said it was zero risk.
I had the impression from the various traffic analysis/traffic confirmation discussions (which I freely admit I only understand a portion of) that my ISP would have an easier time tracking my movements using TOR if I was simultaneously logged onto clearnet sites at the same time. On reflection, I don't know how this would work, and I'd be pleased to be corrected on this point.
The Snowden affair has me wondering all the more about being flagged just for TOR use alone. We need to get on to a system whereby most people use onion routing and encryption making any individual user that much less worthy of further investigation.
-
I had the impression from the various traffic analysis/traffic confirmation discussions (which I freely admit I only understand a portion of) that my ISP would have an easier time tracking my movements using TOR if I was simultaneously logged onto clearnet sites at the same time. On reflection, I don't know how this would work, and I'd be pleased to be corrected on this point.
Nah, the attacker would have to be watching the other end of your Tor circuit, either at the exit node, or at specific points between you and a hidden service, namely the hidden service directories, intro points, or the hidden service's entry guards. If an attacker is merely a local observer of all your home connections, that tells him nothing about what you are doing on the other end of a Tor circuit.
The Snowden affair has me wondering all the more about being flagged just for TOR use alone. We need to get on to a system whereby most people use onion routing and encryption making any individual user that much less worthy of further investigation.
Well, there are about 3 million people worldwide who use Tor every month for dozens of reasons, and about 250,000 in the United States, so flagging all of them would be pretty useless, which is why I don't think anyone is going on fishing expeditions against Tor users.
-
Would it be safe to use Google Groups on tor? If you created a new google account to use for that particular group which isn't linked to you. There are some that require you to be signed in to use, signed in via a google account which you join up to with an email account. Would it be safe to use tor to access these?
-
Would it be safe to use Google Groups on tor? If you created a new google account to use for that particular group which isn't linked to you. There are some that require you to be signed in to use, signed in via a google account which you join up to with an email account. Would it be safe to use tor to access these?
If you created the account using Tor, and only sign in using Tor it shouldn't be a problem. Provided, of course, you didnt provide any revealing information while signing up for the account.
However, its pretty difficult to create a Google email account that isn't linked to you these days (not impossible, just a giant pain in the ass)
-
Yeah, if you can create a Google account over Tor, that should be safe.
And if you succeed in doing that, let me know how you did it. :)
-
However, its pretty difficult to create a Google email account that isn't linked to you these days (not impossible, just a giant pain in the ass)
Agreed.
It is very difficult to create an anonymous Google account via Tor. I can't say what Google has been up to lately, but I looked into this quite a bit in the past. Google is likely to flag the shit out of you while creating an account over Tor - prompting additional verification. They will definitely request phone verification with an actual phone line (VOIP lines or discardable numbers will not work) and a backup email address. There's obviously more to it - I don't know all of the details, just enough to know that I wouldn't bother creating an account over Tor. There are much better alternatives (i.e. WiFi hotspots and/or VPNs).
-
Good info in here.
Yeah, if you can create a Google account over Tor, that should be safe.
And if you succeed in doing that, let me know how you did it. :)
I 2nd that! :D
-
Would it be safe to use Google Groups on tor? If you created a new google account to use for that particular group which isn't linked to you. There are some that require you to be signed in to use, signed in via a google account which you join up to with an email account. Would it be safe to use tor to access these?
If you created the account using Tor, and only sign in using Tor it shouldn't be a problem. Provided, of course, you didnt provide any revealing information while signing up for the account.
However, its pretty difficult to create a Google email account that isn't linked to you these days (not impossible, just a giant pain in the ass)
Can you expound on creating Google accounts without using identifying info?
-
Thanks for replying guys, sorry was away for a bit.
To clarify I don't mean a gmail account. What I'm talking about is google or usenet newsgroups, there are hundreds of them on different topics and its basically a message board. You don't need any sort of login or email to use them. But some pages are member only (to stop trolls) so require you to sign in with a Google account (again, not gmail). A Google account like one you use to post comments on youtube, i think it might even be linked with Google plus.
So i visit one legal newsgroup that is members only and created the Google account just using a regular email, not gmail. Just need to put a name (which can be fake) and an email and you can access the newsgroups. Asks for things like phone number or back up emails but you don't have to give these. Easy to use normally but haven't used one with tor yet. There is one members only one i visit but would prefer to be anonymous when using it from now on. So if I create a new tormail only for that group (which i have visited on clearnet before and logged into with another email), and used that tormail for the Google account, would that be safe? My main concern is that I've used the website and logged in with a different email through clearnet, and don't want to accidentally unmask myself by using this site on tor.
So i was more wondering if that would be safe, if there was anything inherently in Google or those newsgroups which would make using tor a bad idea with it (like how it is not the best idea to use Facebook with tor).
Thanks for any help, am still learning so sorry if the question is stupid :/
https://groups.google.com
I may have just answered my own question now, as when I tried to go to the main Google newsgroup site, it tells me that I need to have JavaScript enabled to use the site which I am pretty sure is not okay to enable? I was under the impression it was never safe to turn JavaScript on with tor, so it still wouldn't be safe if you turned java on for the newsgroup and off for silk road?
Is there any way at all I could safely use tor and these Google groups now? Also I know some people who are already using these groups with tor and also accessing silk road, does that mean they have java enabled, and that would then unmask their real IP address and are not safe? Would really love an answer to this question as they are encouraging others to do this.
Again thanks to astor and anyone who can help and sorry if the questions are a bit dumb.
-
Excellent information within is contained pertaining with clearnet and stlyometry analysis performance.
-
bump if anyone wants to read my long winded post and let me know what you think :)
-
So i visit one legal newsgroup that is members only and created the Google account just using a regular email, not gmail. Just need to put a name (which can be fake) and an email and you can access the newsgroups. Asks for things like phone number or back up emails but you don't have to give these. Easy to use normally but haven't used one with tor yet. There is one members only one i visit but would prefer to be anonymous when using it from now on. So if I create a new tormail only for that group (which i have visited on clearnet before and logged into with another email), and used that tormail for the Google account, would that be safe? My main concern is that I've used the website and logged in with a different email through clearnet, and don't want to accidentally unmask myself by using this site on tor.
So i was more wondering if that would be safe, if there was anything inherently in Google or those newsgroups which would make using tor a bad idea with it (like how it is not the best idea to use Facebook with tor).
Thanks for any help, am still learning so sorry if the question is stupid :/
You could be linked to your clearnet identity through information that you provide about yourself, or through your writing style. It is surprisingly easy to link some people, if they have unique patterns or quirks in their writing style. One person on this forum was linked because he wrote "a lot" as "allot". That's a very unique way to misspell it, and I presume his spellchecker didn't catch it because "allot" is a real word. Generally, the more correct, normal and mundane you write, the harder it is to find signatures or "fingerprints" in your writing style, at least for amateur readers. Professional stylometrists might be able to perform statistical attacks on your writing, looking at things like word frequency, to match your anonymous and clearnet identities, but it's unlikely you have to worry about someone like that.
No offense, but you do have a non-standard and non-correct writing style, so I would advise against it.
I may have just answered my own question now, as when I tried to go to the main Google newsgroup site, it tells me that I need to have JavaScript enabled to use the site which I am pretty sure is not okay to enable? I was under the impression it was never safe to turn JavaScript on with tor, so it still wouldn't be safe if you turned java on for the newsgroup and off for silk road?
JavaScript increases the attack surface against you, but I don't think Google is in the business of deanonymizing its users. The main reason being that a lot of people in censored countries use Tor and other proxies to access Google. Google wants them to access its sites. If it bugged its Flash video player on YouTube to connect over clearnet, the Iranian government could potentially see that connection. If someone was uploading a video of Iranian officials committing crimes, that could get them killed. Google can't take that chance, so I don't think they are in that game. Plus the general attitude that I've seen from people like Mike Hearn, a Google employee who has posted on the Tor mailing lists, is that they have no problem with anonymous users. The barrier to creating an account is mostly to stop spammers.
-
very informative thread. Thanks a lot Astor. +1
-
Would it be better to plug a wireless internet connection into your laptop which is registered in a fake name and use tor from that connection instead of your home connection which is registered in your name?
-
Thanks astor for the info and heads up on my writing style.
It isn't a huge deal as the group isn't illegal, just has a lot of trolls who I wanted to hide my ip from. I think I might go with just a proxy for when i post anything which isn't often.
-
Would it be better to plug a wireless internet connection into your laptop which is registered in a fake name and use tor from that connection instead of your home connection which is registered in your name?
No. If your account is being watched, a wireless adapter is as good as a GPS tracking device. Once they locate you, it's not difficult for LE to identify you, even though the account is under a fake name. The trick is to remain anonymous and not bring yourself to the attention of LE. That's the best protection available. A cloak of invisibility over your internet activities so to speak. Remember that Tor only encrypts your traffic when your connected to and are using the Tor network. An ISP can see all that you do up until that point.
-
Would it be better to plug a wireless internet connection into your laptop which is registered in a fake name and use tor from that connection instead of your home connection which is registered in your name?
For buyers, any form of hiding your Tor use is overkill. I see no problem with using Tor directly from home. Honestly, you're not that important. ;)
For vendors, especially big time vendors, I recommend hiding your Tor use because of a theoretical attack that I've explained before:
http://dkn255hz262ypmii.onion/index.php?topic=173679.msg1249891#msg1249891
Best way to do that is VPNs + obfsproxy bridges.