Silk Road forums
Discussion => Security => Topic started by: Heyenezz on February 28, 2012, 11:23 pm
-
What are the risks of accessing a clearnet site through Tor while also accessing an onion site?
What are the risks of accessing only a clearnet site through Tor?
Thanks for any assistance.
-
Protip: Don't login to your facebook.
-
Protip: Don't login to your facebook.
Somebody got nabbed over on OVDB for logging into their personal email while in a tor session on OVDB. That wasn't what ended up getting him nabbed, but it was enough to start the ball rolling and get them sniffing around.
-
Protip: Don't login to your facebook.
Somebody got nabbed over on OVDB for logging into their personal email while in a tor session on OVDB. That wasn't what ended up getting him nabbed, but it was enough to start the ball rolling and get them sniffing around.
ugh -.-
-
yeah that's about it. It was the mail intercepts coupled with the guy's woman rolling over on him that really did it though... but the email login is what started the whole ball rolling (many months before the actual bust, I might add).
Interestingly, they couldn't and didn't even touch him over any of the internet stuff, because even they admitted Tor is virtually impossible to prosecute and prove guilt when it's involved. They got him on receiving, manufacturing, selling/distribution, and shipping out, but nothing to do with the internet.
-
Maybe I'm missing something here, but that doesn't seem to make sense.
I mean, how was the OVDB session IDed?
Wouldn't you have to break into OVDB server (which I don't think happened), have logs of IP addresses that connected and a timestamp, and then compare the same with all the popular email companies, gmail/hotmail et al?
-
It wasn't an ovdb session that was logged, it was a clear-net forum he was on if I remember correctly. I have to go back and re-read all of the case notes because it's pretty hazy now and this was about 4-5 months ago I was reading all of this stuff.
It was real life logistical and personal issues that got him nailed in the end, not his online operations. Sellers need to remember to keep up brick and mortar security tight as hell, because that's where they are going to get you. Even a few of the sellers that got taken down on here in the early days were the result of stupidity in the real world, and nothing to do with SR.
-
Dont use clearnet with TOR for any private things, especcialy not logins. Assume ppl are watching that traffic.
Try setup TOR as an exit-node and wireshark with a http-post-request filter and leave it over night and you'll get alot of passwords.. mostly chinese webmails
The traffic thru TOR on the normal internet is easily intercepted, expect LE and criminals to have their own nodes for hijacking and analyzing traffic.. its not safe
afaik the internal tor-network (.onion) is secure though, also clearnet sites over https:// is pretty safe
-
Dont use clearnet with TOR for any private things, especcialy not logins. Assume ppl are watching that traffic.
Try setup TOR as an exit-node and wireshark with a http-post-request filter and leave it over night and you'll get alot of passwords.. mostly chinese webmails
The traffic thru TOR on the normal internet is easily intercepted, expect LE and criminals to have their own nodes for hijacking and analyzing traffic.. its not safe
afaik the internal tor-network (.onion) is secure though, also clearnet sites over https:// is pretty safe
I have been meaning to ask one of the more security-pro members on here. Is https-everywhere actually good to run over Tor, and if it is, does it actually work on clearnet sites while you are running a Tor session? (even if you are only surfing clearnet, not alongside .onion activity)
-
Protip: Don't login to your facebook.
Somebody got nabbed over on OVDB for logging into their personal email while in a tor session on OVDB. That wasn't what ended up getting him nabbed, but it was enough to start the ball rolling and get them sniffing around.
First I have heard of this and also certainly not true since hidden services use a dedicated circuit (plus there is no exit node)
show docs or it didn't happen
-
I have been meaning to ask one of the more security-pro members on here. Is https-everywhere actually good to run over Tor, and if it is, does it actually work on clearnet sites while you are running a Tor session? (even if you are only surfing clearnet, not alongside .onion activity)
HTTPS Everywhere augments security when accessing the clearnet through Tor. It doesn't provide any additional security for accessing hidden services.
-
I have been meaning to ask one of the more security-pro members on here. Is https-everywhere actually good to run over Tor, and if it is, does it actually work on clearnet sites while you are running a Tor session? (even if you are only surfing clearnet, not alongside .onion activity)
HTTPS Everywhere augments security when accessing the clearnet through Tor. It doesn't provide any additional security for accessing hidden services.
Thanks, Spedly :) Bonus gram next time you order from me, just flip me a PM to remind me.
-
so anyone hosting a tor exit node can use traffic analyzers to scrape login credentials from even .onion layer sites?
-
so anyone hosting a tor exit node can use traffic analyzers to scrape login credentials from even .onion layer sites?
Clearnet sites, yes, unless HTTPS is in use. Onion sites, no, even if HTTPS is *not* in use.
-
Protip: Don't login to your facebook.
Somebody got nabbed over on OVDB for logging into their personal email while in a tor session on OVDB. That wasn't what ended up getting him nabbed, but it was enough to start the ball rolling and get them sniffing around.
Interesting. Where did you hear about this from?
-
I have been meaning to ask one of the more security-pro members on here. Is https-everywhere actually good to run over Tor, and if it is, does it actually work on clearnet sites while you are running a Tor session? (even if you are only surfing clearnet, not alongside .onion activity)
HTTPS Everywhere augments security when accessing the clearnet through Tor. It doesn't provide any additional security for accessing hidden services.
Thanks, Spedly :) Bonus gram next time you order from me, just flip me a PM to remind me.
LOL awesome thank you Anarcho47! :)
-
I can't find the link to the Tails site that referenced a very similar vulnerability, but, from memory, here's the summary of what was written: If you have multiple tabs open in your browser and are using an exit node that's being monitored, then the sites you are accessing can be used to correlate who you are.
Let's say you have your Intersango.com account open in one tab & open another tab to check your email. Then a correlation can be made between the name on the email account & the Intersango.com connection. So, even if you used a fake name on your Intersango account & only accessed that account via Tor, the people doing the monitoring can guess who actually owns that Intersango account.
From what I remember from this Tails document, the suggestion was made to actually close your browser entirely before going to another site, just to be safe.
-
I can't find the link to the Tails site that referenced a very similar vulnerability, but, from memory, here's the summary of what was written: If you have multiple tabs open in your browser and are using an exit node that's being monitored, then the sites you are accessing can be used to correlate who you are.
Let's say you have your Intersango.com account open in one tab & open another tab to check your email. Then a correlation can be made between the name on the email account & the Intersango.com connection. So, even if you used a fake name on your Intersango account & only accessed that account via Tor, the people doing the monitoring can guess who actually owns that Intersango account.
From what I remember from this Tails document, the suggestion was made to actually close your browser entirely before going to another site, just to be safe.
So just to get this straight, you're fine using tor (multiple tabs, clearnet, etc..) as long as you aren't concurrently going to sites that implicate you or your personal info directly?
How would they associate two connections to one person being that an exit node, presumably, has many people's traffic passing through it?
In your example- CaptainSensible - you mention email. Does that mean everyday email? Or is going to your tormail and SR in the same browser in some way compromising your security?
Edit: Also, using an everyday browser and apps like bittorent without tor connections, while also at the same time browsing SR on tor is still perfectly safe, correct?
-
The solution seems easy enough - if you're going to access two websites with accounts that you don't want to be associated to each other (let's say Intersango and e-mail), just access intersango in your regular browser and your e-mail in another browser that sin't routing its traffic through Tor.
-
So just to get this straight,
I'm not a TOR expert, but I think these are the answers:
> you're fine using tor (multiple tabs, clearnet, etc..) as long as you aren't concurrently going to sites that implicate you or your personal info directly?
Yes
> How would they associate two connections to one person being that an exit node, presumably, has many people's traffic passing through it?
I think a TOR node switches it's IP address every 10 minutes. So for a 10 minute window, you could be on a website anonymously in one tab, but if you open another tab and login to your clearweb email out of habit, then if the exit node is compromised/unfriendly they could now match a timestamp + IP address (anonymous) to an identical timestamp + IP address with you clearnet email login (not anonymous). The equivalence relationship implies it's the same person.
In practice, I don't think it's anything like this straightforward though. I think there's mixing services and stuff or something.
> Or is going to your tormail and SR in the same browser in some way compromising your security?
No. But if you are using your real identity e.g. name, address etc in your TORmail, then Yes. (assuming TORmail is itself compromised)
> Also, using an everyday browser and apps like bittorent without tor connections, while also at the same time browsing SR on tor is still perfectly safe, correct?
Yes I think so. It's that BitTorrent traffic is high volume in comparison to hidden service traffic and really stands out in traffic analysis, which is why it's never advisable to use TOR with the BitTorrent protocol and better to use it on clearnet.
Anybody disagree, CapSensible?
-
Pine, my understanding is that a malicious Tor exit node can decode the traffic sent between the server and the client. However, because there are so many hops between the client and the server, it's extremely difficult to trace it back to the original IP. It's possible, but it's very sophisticated. VPN and public Wi-Fi hot spots are compensating controls.
-
@Spedly - from what I've read you are correct. To the best of my knowledge in studying illicits charges for internet activity, there has never actually been a successful prosecution of anything regarding Tor itself (backtracing IP, etc.), only stupid mistakes like logging onto a personal email that is usually accessed with your regular IP on clearnet.
I don't think any prosecutor on earth would be crazy enough to try to push an actual Tor case through court, especially for a jury trial. I would love to see it attempted, if only for the lulz... ;)
-
Pine, my understanding is that a malicious Tor exit node can decode the traffic sent between the server and the client. However, because there are so many hops between the client and the server, it's extremely difficult to trace it back to the original IP. It's possible, but it's very sophisticated. VPN and public Wi-Fi hot spots are compensating controls.
Must do moar research to get a firmer handle on this stuff. I keep looking for a nice reference book on TOR, but none seem to exist -.-
Also; computer illiterate lawyers FTW!
-
So just to get this straight,
I'm not a TOR expert, but I think these are the answers:
> you're fine using tor (multiple tabs, clearnet, etc..) as long as you aren't concurrently going to sites that implicate you or your personal info directly?
Yes
> How would they associate two connections to one person being that an exit node, presumably, has many people's traffic passing through it?
I think a TOR node switches it's IP address every 10 minutes. So for a 10 minute window, you could be on a website anonymously in one tab, but if you open another tab and login to your clearweb email out of habit, then if the exit node is compromised/unfriendly they could now match a timestamp + IP address (anonymous) to an identical timestamp + IP address with you clearnet email login (not anonymous). The equivalence relationship implies it's the same person.
In practice, I don't think it's anything like this straightforward though. I think there's mixing services and stuff or something.
> Or is going to your tormail and SR in the same browser in some way compromising your security?
No. But if you are using your real identity e.g. name, address etc in your TORmail, then Yes. (assuming TORmail is itself compromised)
> Also, using an everyday browser and apps like bittorent without tor connections, while also at the same time browsing SR on tor is still perfectly safe, correct?
Yes I think so. It's that BitTorrent traffic is high volume in comparison to hidden service traffic and really stands out in traffic analysis, which is why it's never advisable to use TOR with the BitTorrent protocol and better to use it on clearnet.
Anybody disagree, CapSensible?
Got it. I guess i had been operating under these assumptions but only in the hope really that this was true. In retrospect I, or all of us rather, should have made a list of all the things we were unsure of as a noob and searched/posted them all out before setting off but hey, that's the crazy, exciting prospect of the capacity of being a member at silk road for ya.
Cheers pine- again actually. :) Wish i could grab a cup of coffee with some of you guys and pick your brains.
-
I can't find the link to the Tails site that referenced a very similar vulnerability, but, from memory, here's the summary of what was written: If you have multiple tabs open in your browser and are using an exit node that's being monitored, then the sites you are accessing can be used to correlate who you are.
Let's say you have your Intersango.com account open in one tab & open another tab to check your email. Then a correlation can be made between the name on the email account & the Intersango.com connection. So, even if you used a fake name on your Intersango account & only accessed that account via Tor, the people doing the monitoring can guess who actually owns that Intersango account.
From what I remember from this Tails document, the suggestion was made to actually close your browser entirely before going to another site, just to be safe.
So just to get this straight, you're fine using tor (multiple tabs, clearnet, etc..) as long as you aren't concurrently going to sites that implicate you or your personal info directly?
How would they associate two connections to one person being that an exit node, presumably, has many people's traffic passing through it?
In your example- CaptainSensible - you mention email. Does that mean everyday email? Or is going to your tormail and SR in the same browser in some way compromising your security?
Edit: Also, using an everyday browser and apps like bittorent without tor connections, while also at the same time browsing SR on tor is still perfectly safe, correct?
Exit node can link data from the same circuit together. If you are browsing two sites via the same circuit via the same exit node, it can determine the same person is visiting both of those sites. If one of those sites is your personal facebook you are fucked. Here read this:
www.mpi-sws.org/~stevens/pubs/leet11.pdf
They deanonymize P2P users via the DHT and then they also determine all of their non P2P traffic going down the same circuit by linking it together at the malicious exit node. They deanonymized 10,000 Tor circuits this way, including *everything* being loaded through the circuits not just the P2P traffic.
-
Pine, my understanding is that a malicious Tor exit node can decode the traffic sent between the server and the client. However, because there are so many hops between the client and the server, it's extremely difficult to trace it back to the original IP. It's possible, but it's very sophisticated. VPN and public Wi-Fi hot spots are compensating controls.
Must do moar research to get a firmer handle on this stuff. I keep looking for a nice reference book on TOR, but none seem to exist -.-
Also; computer illiterate lawyers FTW!
I gave you a link to freehaven.net bibliography and you said it was too academic for you :(. I will let you know when the Tor pop up book comes out ;). (JK you are cool, just joking with you :D)
BTW it is Tor not TOR. It is no longer considered to be an acronym for The Onion Router, and actually many experts would argue that it isn't even an onion router (although pretty much everyone still calls it one).
Onion Routing involves layer encrypting data using the public keys of many nodes, the final ciphertext block is called an onion. Then the block is routed around by nodes, which are onion routers, each removing a layer. Tor builds telescoping encrypted tunnels through a series of nodes and then routes the data through this multi-layered tunnel. You could argue that this is largely a different way to describe pretty much the same thing, but there are fundamental differences. Also you could argue that any layer encryption based routing system is onion routing, but I2P calls their system garlic routing ;P.
Freenet takes single layer encrypted ciphertext blocks and routes them through series of single layer encrypted tunnels. I dunno what they call their technique.
-
I gave you a link to freehaven.net bibliography and you said it was too academic for you :(. I will let you know when the Tor pop up book comes out ;). (JK you are cool, just joking with you :D)
Ha! I always knew you were a greatly evil mammal of great evilness! ;)
Have a look gentlefolks, this is what he wanted me to read:
http://freehaven.net/anonbib/date.html
Approximately 300 computer science whitepapers, most of which are hundreds of pages long!
I actually read very fast, I taught myself to speed-read at an early age. I read approximately 300 books of all kinds per year. My reading comprehension is likely higher than the majority of English speaking people, yet it will still take me a year of non-stop reading to accomplish reading all that material!
So, in addition to the activities of an international drug smuggler, I have to moonlight as a computer science researcher. In a decade I'd probably hang up my day job and retire, and then drop by the office to collect my Turing Prize from Donald Knuth! :D
I must resist your relentless educational assault and pick up a copy of TOR for dummies somewhere. I'm about 3/4 of the way through all the material that yourself and QTC has been disseminating, and I'll be able to publish my notes on here for the good of the community/kudos etc
No more work! I'm also trying to begin the first drafts of my 'Silk Road' for Dummies book. Poor pine is all overworked already -.-' :P
BTW it is Tor not TOR. It is no longer considered to be an acronym for The Onion Router, and actually many experts would argue that it isn't even an onion router (although pretty much everyone still calls it one).
Onion Routing involves layer encrypting data using the public keys of many nodes, the final ciphertext block is called an onion. Then the block is routed around by nodes, which are onion routers, each removing a layer. Tor builds telescoping encrypted tunnels through a series of nodes and then routes the data through this multi-layered tunnel. You could argue that this is largely a different way to describe pretty much the same thing, but there are fundamental differences. Also you could argue that any layer encryption based routing system is onion routing, but I2P calls their system garlic routing ;P.
Freenet takes single layer encrypted ciphertext blocks and routes them through series of single layer encrypted tunnels. I dunno what they call their technique.
Yeah, --> what he said!
-
I don't think any prosecutor on earth would be crazy enough to try to push an actual Tor case through court, especially for a jury trial. I would love to see it attempted, if only for the lulz... ;)
if it would go anything like that recent truecrypt case then I'd love to see it too...
Although they were unable to find any files, McCrohan testified that they believed that data existed on the still-encrypted parts of the hard drive. In support of this belief, the Government introduced an exhibit with nonsensical characters and numbers, which it argued revealed the encrypted form of data that it seeks.
-
Have a look gentlefolks, this is what he wanted me to read:
http://freehaven.net/anonbib/date.html
Approximately 300 computer science whitepapers, most of which are hundreds of pages long!
I actually read very fast, I taught myself to speed-read at an early age. I read approximately 300 books of all kinds per year. My reading comprehension is likely higher than the majority of English speaking people, yet it will still take me a year of non-stop reading to accomplish reading all that material!
So, in addition to the activities of an international drug smuggler, I have to moonlight as a computer science researcher. In a decade I'd probably hang up my day job and retire, and then drop by the office to collect my Turing Prize from Donald Knuth! :D
I must resist your relentless educational assault and pick up a copy of TOR for dummies somewhere. I'm about 3/4 of the way through all the material that yourself and QTC has been disseminating, and I'll be able to publish my notes on here for the good of the community/kudos etc
No more work! I'm also trying to begin the first drafts of my 'Silk Road' for Dummies book. Poor pine is all overworked already -.-' :P
lol you need to relax bro. ;D At least I limit my whitepaper consumption to the workweek. :P
and kewm I will hit you back about that interception detection stuff soon. I just gotta get trippy and head down to the lab first. getting spun and building shit is fun :-p
-
My understanding of .onions is that they act like their own exit node to the .onions server and the traffic never leaves the Tor network. Is it still possible to link .onion traffic and clearnet traffic together if used alongside each other?
-
It wasn't an ovdb session that was logged, it was a clear-net forum he was on if I remember correctly. I have to go back and re-read all of the case notes because it's pretty hazy now and this was about 4-5 months ago I was reading all of this stuff.
It was real life logistical and personal issues that got him nailed in the end, not his online operations. Sellers need to remember to keep up brick and mortar security tight as hell, because that's where they are going to get you. Even a few of the sellers that got taken down on here in the early days were the result of stupidity in the real world, and nothing to do with SR.
Please shed as much light as you can about this situation.
PLEASE find those case notes!
Information like this is very valuable