Silk Road forums

Discussion => Security => Topic started by: pathenry76 on August 08, 2013, 04:38 pm

Title: Clearnet via tor security concerns?
Post by: pathenry76 on August 08, 2013, 04:38 pm
Are there any special security concerns when visiting non onion sites while using tor?
Title: Re: Clearnet via tor security concerns?
Post by: kybzmsrf on August 08, 2013, 05:31 pm
Yes,

any unencrypted data is exposed to the exit node.
Do not log into clearnet sites without HTTPS support over Tor!
Title: Re: Clearnet via tor security concerns?
Post by: Bazille on August 09, 2013, 03:31 pm
That depends on where your entry node and your exit node are. If the traffic between your computer and the entry node goes through a route sniffed by the NSA (which is always, if you are in the USA and the entry node is outside of the USA), AND the traffic between the exit node and the clearnet destination goes through a route sniffed by the NSA, then they can correlate your IP address with the clearnet traffic, by looking at the timeframe and the size of data packets. HTTPS only adds limited safety in that case, because the NSA can still see the clearnet URL you visited and associate it with your IP address.

It's probably best to set up Tor to only use entry nodes in your own country which you trust, and only use exit nodes in countries which are not controlled by the NSA. E.g. South Africa, Taiwan and China.

To your torrc config file you could add something like this:

Quote
StrictNodes 1
ExitNodes {tw},{za},{cn}
EntryNodes $073F27934762FF8BA956FFCE136AAC1CCF45EA13,$80F870DD215A0C56005266A71C46F92F39F1973B,$6557396CF0EE5B72563A22BCAA0FF26E77FA3D08

The EntryNodes values are fingerprints of 3 servers in the USA. I don't know if they can be trusted (first 2 are torservers.net I think) and if the route is sniffed by the NSA, so you should search for servers and their fingerprints on (clearnet) http://torstatus.blutmagie.de
When you copy a fingerprint from that website you have to add a $ at the beginning and remove the spaces. Separate each fingerprint with a comma.

Instead of using fingerprints you could also use country codes for the list of entry nodes:
Quote
EntryNodes {us}

You can test the exit node configuration by going to (clearnet) http://ip-check.info . This website will also tell you how identifiable your browser is.

There is also the possibility to exclude nodes (entry, relay and exit) from your Tor circuit:
Quote
#main PRISM collaborators
ExcludeNodes {us},{gb},{ca},{au},{nz}
But this feature may break your connection to hidden services hosted in those countries.

You can find the list of country codes at clearnet http://en.wikipedia.org/wiki/ISO_3166-1_alpha-2
Title: Re: Clearnet via tor security concerns?
Post by: astor on August 09, 2013, 04:43 pm
Quote
It's probably best to set up Tor to only use entry nodes in your own country which you trust, and only use exit nodes in countries which are not controlled by the NSA. E.g. South Africa, Taiwan and China.

This is useless if the site you are visiting is located in the USA, which a majority are for English speakers. In that case, you are better off using an exit node inside the USA, since the NSA is less likely to sniff the connection, although it probably will anyway at the major IXes. I just assume there's no way to resist NSA surveillance at this point, except to use hidden services that are located outside of the USA.

Quote
To your torrc config file you could add something like this:

Quote
StrictNodes 1
ExitNodes {tw},{za},{cn}
EntryNodes $073F27934762FF8BA956FFCE136AAC1CCF45EA13,$80F870DD215A0C56005266A71C46F92F39F1973B,$6557396CF0EE5B72563A22BCAA0FF26E77FA3D08

If you are always using the same few exit nodes, that could kill your anonymity, because your circuit patterns are significantly different from everyone else's.
Title: Re: Clearnet via tor security concerns?
Post by: Railgun on August 09, 2013, 04:55 pm
I use https everywhere, which not all sites use, and tend to cycle (request new identity) if I use clearnet. Does the cycling between clearnet/onion aid in keeping myself free from identification query attacks?
Title: Re: Clearnet via tor security concerns?
Post by: Bazille on August 09, 2013, 05:35 pm
Quote
This is useless if the site you are visiting is located in the USA, which a majority are for English speakers. In that case, you are better off using an exit node inside the USA, since the NSA is less likely to sniff the connection, although it probably will anyway at the major IXes. I just assume there's no way to resist NSA surveillance at this point, except to use hidden services that are located outside of the USA.

True. Maybe you should simply use a different exit node country depending on the website you are visiting. If you are visiting a website in France, use a French exit node etc.

I didn't play with this feature yet, but another possibility is specifying the exit node right in the URL. You would have to add
AllowDotExit 1
to your torrc file.

In your browser address bar you could enter
http://livelyblog.com.84CA95A4D9E824C6F9662711B887433525760F72.exit
to use the exit node with the specified fingerprint, when you're browsing the clearnet site livelyblog.com. Always using the same fingerprint makes you more identifiable though.

Quote
If you are always using the same few exit nodes, that could kill your anonymity, because your circuit patterns are significantly different from everyone else's.

True. It's probably better to add some more countries which have more exit nodes than China, Taiwan and South Africa.
Title: Re: Clearnet via tor security concerns?
Post by: astor on August 09, 2013, 06:55 pm
Quote
I use https everywhere, which not all sites use, and tend to cycle (request new identity) if I use clearnet. Does the cycling between clearnet/onion aid in keeping myself free from identification query attacks?

That's really only a concern if you are visiting two clearnet sites simultaneously. Those TCP streams may be leaving the same circuit at the same exit node, so it can correlate them. Otherwise, changing identities between browsing clearnet sites and hidden services doesn't help anything, because clearnet sites are accessed through exit nodes while hidden services are not, so they are definitely not using the same circuits (although they may be sharing part of a circuit).
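
Added example, not part of the thread and not code from the Tor project: a small Python audit that reads a torrc and reports the node-selection options the posters discuss above (StrictNodes, EntryNodes, ExitNodes, ExcludeNodes, AllowDotExit), along with fingerprints pasted with their spaces left in. The function names, finding codes and sample torrc are constructed for illustration, and nicknames or address patterns in a node list are not evaluated.

```python
import re

HEX40 = re.compile(r"^\$?[0-9A-Fa-f]{40}$")   # relay fingerprint, "$" optional
COUNTRY = re.compile(r"^\{[A-Za-z]{2}\}$")     # country code such as {us}
FLAGS = {n.lower(): n for n in ("StrictNodes", "AllowDotExit")}
LISTS = {n.lower(): n for n in ("EntryNodes", "ExitNodes", "ExcludeNodes")}

def classify(entry):
    """Label one comma-separated entry of a node list."""
    compact = entry.replace(" ", "")
    if HEX40.match(compact):  # "spaced": pasted without removing the spaces
        return "fingerprint" if compact == entry else "spaced"
    if COUNTRY.match(entry):
        return "country"
    return "other"  # nickname or address pattern: not evaluated here

def audit_torrc(text):
    """Return (line_no, code, detail) findings for the options in the thread."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key in FLAGS and value == "1":
            findings.append((no, FLAGS[key], "enabled"))
        elif key in LISTS:
            kinds = [classify(e.strip()) for e in value.split(",") if e.strip()]
            if "spaced" in kinds:
                findings.append((no, "SpacedFingerprint", "remove the spaces"))
            if key == "excludenodes":
                detail = f"{len(kinds)} entries excluded"
            else:  # any restriction narrows the circuits this client can build
                detail = (f"limited to {kinds.count('fingerprint')} relay(s) and "
                          f"{kinds.count('country')} country code(s)")
            findings.append((no, LISTS[key], detail))
    return findings

# Constructed sample; both fingerprints are placeholders, not real relays.
SAMPLE = "\n".join([
    "StrictNodes 1",
    "ExitNodes {tw},{za},{cn}",
    "EntryNodes $" + "A" * 40 + ",0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567",
    "ExcludeNodes {us},{gb},{ca},{au},{nz}  # constructed trailing comment",
    "AllowDotExit 1",
])

if __name__ == "__main__":
    print(*audit_torrc(SAMPLE), sep="\n")
```

Each finding corresponds to a trade-off raised in the thread: a short EntryNodes or ExitNodes list makes circuit patterns distinctive, and ExcludeNodes may break connections to hidden services hosted in the excluded countries.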