Silk Road forums
Discussion => Newbie discussion => Topic started by: DoctorFate on May 19, 2013, 09:13 pm
-
Title says it all.
I was going to order something from this vendor then I saw almost all the SR links on the profile page are .onion.to
Had the item in my cart and was doing a last minute check through to make sure I'd adhered to everything, then I saw all the links to almost every other listing all ended in .onion.to
If this vendor is not using tor and just using .onion.to links that bad right?
-
can you visit a site if it ends in .to without tor?
i heard vendors should never list links like that and to not visit them either.
-
uh oh. Please explain further what you mean? What should I watch out for? What vendor was this?
Thanks!
-
Title says it all.
I was going to order something from this vendor then I saw almost all the SR links on the profile page are .onion.to
Had the item in my cart and was doing a last minute check through to make sure I'd adhered to everything, then I saw all the links to almost every other listing all ended in .onion.to
If this vendor is not using tor and just using .onion.to links that bad right?
Very bad! Please name and shame - the community needs to know who this is; or you can PM me the vendor's URL if you wish. I mean if they're not even taking the most basic precaution to protect their own anonymity, imagine how little they're doing to protect their buyer's details! :o
Libertas
-
My fear is that this vendor is using onion.to links which are to my understanding like forwarding services that allow non tor users to access onion sites but not anonymously?
I really have no clue beyond what I've been told, "don't use onion.to links, just remove the .to"
I really would rather not give out the vendors name or anything, if a mod wants to know, happy to pm but I wouldn't go blasting someones name like that when its possible I am over reacting.
-
Libertas PM'd with vendor name so hopefully the right hands will guide them...
Thanks for the input everyone!
-
My fear is that this vendor is using onion.to links which are to my understanding like forwarding services that allow non tor users to access onion sites but not anonymously?
I really have no clue beyond what I've been told, "don't use onion.to links, just remove the .to"
I really would rather not give out the vendors name or anything, if a mod wants to know, happy to pm but I wouldn't go blasting someones name like that when its possible I am over reacting.
PM received, thank you DoctorFate. And you're not overreacting at all; this vendor is putting the safety of buyers at huge risk!
Thanks for letting us know about this!
Libertas
-
DoctorFate,
POINTS!!! :)
Thanks!! :)
-
This is horrible and negligent but it really highlights the fact that we need to make this whole thing easier to use, so anyone can get access to a secure computing environment and use it safely.
Maybe someone should make a video tutorial course and upload it to YouTube or something, the general population struggle reading stuff and the more people join Silk Road the more the people here are more like the rest of the Internet.
-
This is horrible and negligent but it really highlights the fact that we need to make this whole thing easier to use, so anyone can get access to a secure computing environment and use it safely.
Maybe someone should make a video tutorial course and upload it to YouTube or something, the general population struggle reading stuff and the more people join Silk Road the more the people here are more like the rest of the Internet.
Good idea, any way to get that video on a tor site? The more people join the better opportunities and sales for vendors but also the more risk. Wish there was a way to get google links taken down. :/
-
Im still unclear- is it that the suffix -.onion.to is for accessing sites on TOR without using TOR and therefore not using the saftey built into TOR?
thats what i'm guessing. i think if you add .to to the end you can view the site with just a regular browser without tor running but you don't get put through the tor network so people can see you directly viewing the site. not exactly sure tho
-
Accessing these links without TOR kind of defeats the purpose of anonymity, wouldn't you agree? I guess some people will have to learn security issues the hard way...
-
A site that ends in .onion is actually on the Tor network and is secure. Nobody knows what website you're visiting, even if they're recording all your traffic they have no idea what you're up to.
"onion.to" is a website on the public Internet which acts as a bridge between the Tor network and the Internet, it just forwards your requests to the Tor network. A site that ends in onion.to belongs to this website.
I don't know who "Xxor AB" are, but I do know that they can see all of your traffic. They might be working with law enforcement, they might not. When visiting onion.to sites you're also making DNS requests for the domain names (like silkroadvb5piz3r.onion.to), these can be read by anyone between you and onion.to's DNS server. Unless you're connected to https://somesite.onion.to/ rather than http://somesite.onion.to/ then everything you do can be seen by everyone between you and onion.to. This could be your ISP, the feds, anyone who has access and is listening/recording.
If you're using onion.to then you're riding Tor bareback. Don't do that, it's just not worth it.
-
thanks for explaining
but sorry maybe that totally went over my head but who is "Xxor AB"? did you just make that up for example or did i miss something? lol
-
+1 good catch. I'm sure he was probably just too eager to get onto SR. Once he learns more of the ways of SR I am sure he will be fine.
-
What does the .to at the end do?
-
thanks for explaining
but sorry maybe that totally went over my head but who is "Xxor AB"? did you just make that up for example or did i miss something? lol
"Xxor AB" are the company who run the onion.to website.
-
What does the .to at the end do?
A site that ends in .onion is actually on the Tor network and is secure. Nobody knows what website you're visiting, even if they're recording all your traffic they have no idea what you're up to.
"onion.to" is a website on the public Internet which acts as a bridge between the Tor network and the Internet, it just forwards your requests to the Tor network. A site that ends in onion.to belongs to this website.
I don't know who "Xxor AB" are, but I do know that they can see all of your traffic. They might be working with law enforcement, they might not. When visiting onion.to sites you're also making DNS requests for the domain names (like silkroadvb5piz3r.onion.to), these can be read by anyone between you and onion.to's DNS server. Unless you're connected to https://somesite.onion.to/ rather than http://somesite.onion.to/ then everything you do can be seen by everyone between you and onion.to. This could be your ISP, the feds, anyone who has access and is listening/recording.
If you're using onion.to then you're riding Tor bareback. Don't do that, it's just not worth it.
-
Granted I'm no expert but I fail to see the issue with the .to links if you're using TOR to access them.. it's redundant and stupid but I don't see it being a security issue because you're still accessing them through TOR. The point of the .to links to so that you can access them without TOR.. but if you're running the TOR browser then it should pull the TOR link through TOR to the proxy, then through TOR again to you.
Can someone who is actually an expert clarify why it's an issue to access a relayed TOR link through TOR.
-
thanks for explaining
but sorry maybe that totally went over my head but who is "Xxor AB"? did you just make that up for example or did i miss something? lol
"Xxor AB" are the company who run the onion.to website.
all onion.to websites or just the silkroad.onion.to one?
i would like to know who that is
and how are you able to see this?
-
Granted I'm no expert but I fail to see the issue with the .to links if you're using TOR to access them.. it's redundant and stupid but I don't see it being a security issue because you're still accessing them through TOR. The point of the .to links to so that you can access them without TOR.. but if you're running the TOR browser then it should pull the TOR link through TOR to the proxy, then through TOR again to you.
Can someone who is actually an expert clarify why it's an issue to access a relayed TOR link through TOR.
yes, hopefully someone will explain. i don't even see the purpose of have .to sites.
so people who don't care about privacy can visit .onion sites?
i do know its highly discouraged to travel to onion.to sites even while running tor by this forum. i don't think it would be pushed so widespread unless enough people with a solid understanding of tor security said so.
-
thanks for explaining
but sorry maybe that totally went over my head but who is "Xxor AB"? did you just make that up for example or did i miss something? lol
"Xxor AB" are the company who run the onion.to website.
all onion.to websites or just the silkroad.onion.to one?
i would like to know who that is
and how are you able to see this?
Just like "google.com" is a domain owned by Google and they can have www.google.com, mail.google.com, calendar.google.com and so on, "onion.to" is a domain owned by Xxor AB and they have every single Tor hidden service as subdomains, including silkroadvb5piz3r.onion.to and dkn255hz262ypmii.onion.to. They just use a Tor browser at the other end and show you what they see, they're a proxy service that anyone could run.
If I wanted to I could set up "silkroadvb5piz3r.onion.mywebsite.com" and route traffic to Silk Road, steal everyone's money, record everyone's addresses (people who don't use PGP anyway) and report vendors to the police. Using a service like that is dangerously foolish.
-
Yes it's for accessing hidden services when you don't have need for security and presumably you're on a system that doesn't have TOR installed. If you're accessing the proxy service using TOR then they shouldn't have any of your information and the data that they're forwarding for you should all be encrypted (my understanding anyway). I suppose it could be used to confirm your identity if they're already watching your data requests via your ISP and see the correlated data requests but that seems pretty far fetched since they would have to already suspect you and get the co-operation of this xxor proxy service.
Visit onion.to and it says created by Xxor AB in the top right corner. Click on that and it takes you to their company website xxor.se which says they are a Swedish (Stockholm) based IT company.
-
Yes it's for accessing hidden services when you don't have need for security and presumably you're on a system that doesn't have TOR installed. If you're accessing the proxy service using TOR then they shouldn't have any of your information and the data that they're forwarding for you should all be encrypted (my understanding anyway). I suppose it could be used to confirm your identity if they're already watching your data requests via your ISP and see the correlated data requests but that seems pretty far fetched since they would have to already suspect you and get the co-operation of this xxor proxy service.
Visit onion.to and it says created by Xxor AB in the top right corner. Click on that and it takes you to their company website xxor.se which says they are a Swedish (Stockholm) based IT company.
From what I understand, if either Xxor AB shared their PEM files with law enforcement in your country (see Wireshark, recording HTTPS), or your Tor endpoint is behind a filtering system which does a man in the middle attack and replaces their certificates with their own (see sslstrip, also The Great Firewall of China) then your traffic can be seen by powerful third parties even if you're connecting over HTTPS.
Don't use .onion.to addresses over Tor even if it's encrypted, it's never as safe as just using a real .onion address.
(This is my 50th post without spamming, I'm out of the newbie jail and will hang out in the security forum from now on!)
-
I'll take your word for it, it's pointless to do such a thing anyway. Congrats on graduating from noobhood.
-
(This is my 50th post without spamming, I'm out of the newbie jail and will hang out in the security forum from now on!)
congrats +1
-
Granted I'm no expert but I fail to see the issue with the .to links if you're using TOR to access them.. it's redundant and stupid but I don't see it being a security issue because you're still accessing them through TOR. The point of the .to links to so that you can access them without TOR.. but if you're running the TOR browser then it should pull the TOR link through TOR to the proxy, then through TOR again to you.
Can someone who is actually an expert clarify why it's an issue to access a relayed TOR link through TOR.
onion.to could potentially be logging any data that is entered through their proxy. That includes passphrase and PIN data through the use of a keylogger. If they are doing that then anybody who has used it - whether they use it through Tor or not - has potentially had their account compromised, both vendor and buyer alike.
Libertas
-
thanks for the explaination