Silk Road forums
Discussion => Security => Topic started by: HCN1 on December 31, 2012, 07:07 pm
-
Hello SR community, I've been using TOR and SR for quite a long time now and have decided to give back. I've setup a system that allows for you to send secure/encrypted messages without using PGP or any other complex tools, just a browser that's on TOR. The idea is based upon services such as Privnote.com, yet our service is ONLY available on TOR at http://sms4tor3vcr2geip.onion. The process is simple, create a note, get a URL that includes the encryption key to your note, send that URL to anyone, once the URL is used once we wipe the encrypted note from the database. All data is stored with bCrypt, so even with root access (i.e. the admins) none of the data can be read. We invite you to come check out the service and hope it makes life a heck of a lot easier for all SR and TOR users.
Here's the FAQ from the service to give you a better idea of how it works...
1. How does this site work?
Simple, you enter your message and click "I'm Done!", our system will then encrypt the message and store it in our database. You will then get the URL to retrieve the message. You give this unique URL to the person you want to read the message. Once the URL has been used the message is instantly wiped from our database and cannot be retrieved again. All messages that sit dormant for over 30 days are automatically wiped from the system.
2. How is this secure?
We have taken every step possible to secure your message. First, we encrypt your message data using bCrypt, a stronger encryption method than required by any governmental agency. Then we give you the only key to decrypt the data, which is embedded in the URL that you receive for reading the message. Even with full access root level access to our web server and/or database the data stored there is useless without the key that only you hold. The service is hosted in a secure datacenter on dedicated hardware, not somewhere in the cloud. We take backups of our data on an hourly basis, ensuring that your messages are secure from any unforeseen failures.
3. Why are you providing this service?
The creators of the project understand the need for privacy in communications. While there are methods that exist there are none as easy and secure as our system. We have created this system with the goal of simplifying the process of secure communications within the TOR network.
4. What if I make a mistake in a note, how do I fix it?
Easy! Just enter the URL key in your browser, this show you your note and then destroy it. Just enter it again with your corrections and we'll generate a new URL for you.
5. Can someone read my note by clicking back, or using browser history?
No, once a note is read it cannot be loaded again, it's wiped from the database, never to be read again.
6. I misplaced the URL, can you retrieve my message or send me the URL again?
No, we don't store the URL's as they contain the key to your secure data. You'll need to recreate your message and let your old message expire from our database.
7. How do I contact you?
We can be contacted at sms4tor (at) tormail (dot) org. Of course we recommend that you use our system to generate the message, then just send us the link, we'll reply in the same manner.
8. This is a great service, how can we help to keep it online?
While we don't expect to make money with this service we do appreciate donations to cover the hosting costs and beer necessary to keep the site running. You can send us some some spare Bitcoin at: 1KmoRJYnzWvPsa5vBDpayUXX4Nz1CmZft8.
All the best!
HCN1
-
Hello SR community, I've been using TOR and SR for quite a long time now and have decided to give back. I've setup a system that allows for you to send secure/encrypted messages without using PGP or any other complex tools, just a browser that's on TOR. The idea is based upon services such as Privnote.com, yet our service is ONLY available on TOR at http://sms4tor3vcr2geip.onion. The process is simple, create a note, get a URL that includes the encryption key to your note, send that URL to anyone, once the URL is used once we wipe the encrypted note from the database. All data is stored with bCrypt, so even with root access (i.e. the admins) none of the data can be read. We invite you to come check out the service and hope it makes life a heck of a lot easier for all SR and TOR users.
Here's the FAQ from the service to give you a better idea of how it works...
1. How does this site work?
Simple, you enter your message and click "I'm Done!", our system will then encrypt the message and store it in our database. You will then get the URL to retrieve the message. You give this unique URL to the person you want to read the message. Once the URL has been used the message is instantly wiped from our database and cannot be retrieved again. All messages that sit dormant for over 30 days are automatically wiped from the system.
2. How is this secure?
We have taken every step possible to secure your message. First, we encrypt your message data using bCrypt, a stronger encryption method than required by any governmental agency. Then we give you the only key to decrypt the data, which is embedded in the URL that you receive for reading the message. Even with full access root level access to our web server and/or database the data stored there is useless without the key that only you hold. The service is hosted in a secure datacenter on dedicated hardware, not somewhere in the cloud. We take backups of our data on an hourly basis, ensuring that your messages are secure from any unforeseen failures.
3. Why are you providing this service?
The creators of the project understand the need for privacy in communications. While there are methods that exist there are none as easy and secure as our system. We have created this system with the goal of simplifying the process of secure communications within the TOR network.
4. What if I make a mistake in a note, how do I fix it?
Easy! Just enter the URL key in your browser, this show you your note and then destroy it. Just enter it again with your corrections and we'll generate a new URL for you.
5. Can someone read my note by clicking back, or using browser history?
No, once a note is read it cannot be loaded again, it's wiped from the database, never to be read again.
6. I misplaced the URL, can you retrieve my message or send me the URL again?
No, we don't store the URL's as they contain the key to your secure data. You'll need to recreate your message and let your old message expire from our database.
7. How do I contact you?
We can be contacted at sms4tor (at) tormail (dot) org. Of course we recommend that you use our system to generate the message, then just send us the link, we'll reply in the same manner.
8. This is a great service, how can we help to keep it online?
While we don't expect to make money with this service we do appreciate donations to cover the hosting costs and beer necessary to keep the site running. You can send us some some spare Bitcoin at: 1KmoRJYnzWvPsa5vBDpayUXX4Nz1CmZft8.
All the best!
HCN1
If anyone can't figure out how to use GPG4USB then, to put it frankly, they're too fucking stupid to be on Silk Road.
As far as your statement re: SMS4TOR being " ... in most cases just as secure as a PGP exchange message exchange" then either:
1) You don't understand PGP worth a damn; or
2 You're lying through your teeth.
Frankly, anyone who is so foolish as to use your service, needs their head examined. Privnote isn't secure, and your service isn't either.
Stating (as you have in your other posting) that SMS4TOR is " in most cases just as secure as a PGP exchange message exchange" is the single biggest crock of shit I've ever read on these Forums, and that's saying something.
NC
-
Thanks for your opinion. I have used PGP for some time now and fully understand the functionality I also know that much of this functionality is not implemented by the majority of those people casually using the tool. I agree with you as to Privnote, to a degree, if you're inferring that by accessing it on the clearnet that your IP could be logged by their system, yet this is rather easy to get around. SMS4TOR, being accessible ONLY on an obfuscated, encrypted network to begin with is in a much better position to protect your identity.
The only manner I know of in which a message could be compromised and read would be for someone to obtain the URL key before the intended recipient. I don't log the keys, therefore this is not a flaw in SMS4TOR, rather it's an issue with the security of the exchange mechanism that a user has chosen. I'm 100% confident that regardless of what level of access you have to the web or database server that there is no manner in which to decrypt the existing data without the proper key for each individual message. Due to the random nature of encryption methodologies in place this would be close to impossible, there is no master key or predictable pattern to follow. I have a background in server and network engineering, so I can assure you that the platform itself would be a tough nut to crack to begin with.
This being said, please elaborate on your comments and perhaps we can have a productive conversation.
All the best,
HCN1
-
Good to have options but for serious privacy you always keep the private key with yourself, period.
How do we know you're not LEO creating a system to log shady conversations? I don't think you are but we'll never know for sure and people should take the time to learn how to use PGP instead of relying of services to simplify increasing the risk. Asking a stranger to keep the private keys is very risky. Your service is like Wickr. Better than nothing but not 100% trustworthy. Interesting idea though.
-
Why anyone should trust someone they don't know at all over Tor with their private communications is beyond me. Sorry HCN1 you may have good intentions but this sounds like a honeypot to me!