Silk Road forums
Discussion => Security => Topic started by: foxen624 on July 30, 2013, 01:20 am
-
I'm asking because while I've often seen similar things pop up on the clearnet, I've never seen it before anywhere on SR so would like to know if it is anything I need to be concerned about.
The Box says "Security Alert" on top, then inside it says:
"Revocation information for the security certificate for this site is not available. Do you want to proceed?" Then a box for "Yes", "No" and "View Certificate".
The certificate says that it's O.K.
I figure that this is probably no big deal, especially since afaik, we don't tend to use CA's.. and maybe it is normal to pop up once in a while and I just happen to not have run into it before now. I was just replying to a message when it popped up and as of now, the box is still on the page as I just opened a new tab to get to the forum.
I feel like this is probably a stupid question, but I'd rather ask a stupid question than take any chances on risking my security or the security of this site in any way.... no matter how remote.
Thanks to anyone who can clarify
-
hiya foxen :)
Hmmm....i've been on SR all day in msg's and havent seen that ???
-
It shouldn't check for revocations of an SSL certificate unless you are typing https at the beginning, and in that case it should fail to connect to the server (I just tried it myself).
idk, probably some bug. Obviously there are no SSL certificates involved, so checking for revocation doesn't matter.
-
are you using .onion.to
-
It shouldn't check for revocations of an SSL certificate unless you are typing https at the beginning, and in that case it should fail to connect to the server (I just tried it myself).
idk, probably some bug. Obviously there are no SSL certificates involved, so checking for revocation doesn't matter.
yeah, I know that no SSL certificates are involved (which is why I felt kinda dumb even asking about the box)... and no, I didn't type https:// I just typed what I always do when I don't access the forum from the link at the bottom of the SR site pages: dkn255hz262ypmii.onion
I'm going to go with that it is a bug as that's pretty much what I thought all along, just wasn't 100% sure and I always tend to err on the side of caution. Thanks for your reassurance :)
are you using .onion.to
Noooooooo! Never... I don't even ever use TOR2Web (although I'm not sure if that compromises anonymity, but being unsure, I just don't). It was a good question/suggestion though anyway.
O.K. well, thanks all - I'm going to get rid of the box then and finish my reply then where I was before.. ;)
-
I'd be on the cautious side and wipe your box, DBAN it.
-
Just a guess: An HTTPS clearnet connection is happening somewhere, maybe a browser feature (phishing check?) or toolbar/plugin thing, the exit node selected is malicious, badly configured or otherwise screwing up the CRL lookup which causes the browser to panic.
As others have said use a proper Tor browser rather than a socks proxy in your regular browser.
-
Just a guess: An HTTPS clearnet connection is happening somewhere, maybe a browser feature (phishing check?) or toolbar/plugin thing, the exit node selected is malicious, badly configured or otherwise screwing up the CRL lookup which causes the browser to panic.
As others have said use a proper Tor browser rather than a socks proxy in your regular browser.
hmmmmmm... now I'm not sure what to do. I had dismissed it as a bug... but these latest two replies have me wondering again wtf? See, I've been on TOR for quite a while before I ever joined SR because for reasons, I needed an email that was as anonymous as I could find & Tormail was the most anonymous I could find. I had two computers at the time and designated one of them for Tormail use only (and eventuallay for SR and any other TOR places I may happen to visit as well). All seemed well with that until a couple weeks ago, I bought nearly $400 worth of btc, had them sent to an online wallet but when I went to transfer them to SR account, the wallet had zero balance and the transaction history showed the deposit having gone in and a half hour later it was w/d to some unknown wallet. I posted about this in some thread here and the concensus seemed to be that I probably had gotten a rootkit/keylogger on the computer. Since I couldn't find it, to be absolutely sure my machine was clean, I bought a cheap but brand new out of the box laptop and have NEVER made a single clearnet connection from this computer in the whole 2 weeks I've had it.
That is the only reason I'm positive that there is no https clearnet connection involved.. otherwise, I'd think you are on to something. Also, since I have never used this computer for anything that is even associated with my real name, location, anything at all that could reveal my identity even if there was a malicious exit node... I don't think I have anything to worry about in that regard either.... except... it just occurred to me as I am typing this. My original reason for having gotten on TOR in the first place was for the anonymous tormail, and inside of tormail (not the account I created specifically for SR use when I joined this site), but I do write inside of a different Tormail account things that could identify me - which is the reason I need(ed) an email account that is private/anonymous. Not that I'm thinking that stupid box showed up because I use Tormail in a separate account for my personal email, but I just now got to wondering if my identity is not as safe as I had thought by using this computer on TOR and ONLY on TOR, if I'm using a Tormail account as my personal email. I wouldn't think so though.. but..???
Anyway, on my previous computer, I would connect to a VPN prior to connecting to TOR to keep my ISP from knowing anything, then once inside TOR, I'd disconnect from that one and connect to a different VPN over TOR with which I did use a socks proxy, in order to keep my IP protected in case of a malicious exit node. But on this new computer, I just use the Tor Browser Bundle and make a direct connection.
Sorry for all the boring details. I'd all but forgotten about that Security Alert box since I've not seen it since and have been under the impression that I'm pretty safe as far as my identity not being easily revealed since I've gotten on a computer that has never had a clearnet connection made...
I was surprised to find these last two replies that have showed up and both of them have me thinking that maybe I was too hasty in dismissing the box as a bug.....
With the details I just described about my current setup, circumstances regarding how this computer has and has not been used, etc.. does anyone still think that I need to worry anymore about that one time appearance of the security box? Or have any suggestions of what I may be unintentionally doing wrong? I would welcome any constructive criticism and/or advice regarding security... (or anything else) ;)
Thanks......