Silk Road forums

Discussion => Security => Topic started by: pine on March 03, 2012, 07:09 pm

Title: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: pine on March 03, 2012, 07:09 pm
Hi all,

I've just noticed that when you load a page such as this:

http://dkn255hz262ypmii.onion/index.php?topic=13973.msg135199;boardseen#new

for a brief instant we are connected to

status.icq.com
opi.yahoo.com

Reload the page and check the status bar of your browser to see it flash by.

Naturally, we are behind TOR whatever happens, but this is a bit unsettling. I didn't ask to be connected to Yahoo or MSN servers. 

I don't think people should be allowed to have things like AOL/Yahoo instant messenger etc etc. It seems too insecure on a lot of levels. Even if they are, it shouldn't mean every forum user makes a connection to their servers just because one person in a thread is using the service.

We come here for the forums/private chat, if we want to exchange emails outside of that then there is always TORmail or something similar. Using any kind of yahoo and MSN instant messenger functionality seems insane, even if it is Torified and you set up your yahoo/msn account through TOR explicitly for this purpose (which I doubt).



Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: CaptainSensible on March 03, 2012, 07:22 pm
I'm running Liberte Linux from a USB drive & I don't see those messages.  What are you using to connect to the Tor network? 
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: pine on March 03, 2012, 07:25 pm
I'm running Liberte Linux from a USB drive & I don't see those messages.  What are you using to connect to the Tor network?

Tor Bundle
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: nimbus on March 03, 2012, 07:27 pm
I think if people fill out the IM fields in their profile, it will hit those servers to check for online/offline status. So yeah, those profile fields should be disabled probably. I doubt there is any security risk though, just slows things down a bit.
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: kmfkewm on March 03, 2012, 07:28 pm
I do not have that happening in my browser either. Plus no Tor circuit is opened to those servers.
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: friendlyoutlaw on March 03, 2012, 07:30 pm
If you look at the page source, you'll see what's up. I can imagine that scared the shit out of you for a second.

(Kewm, check out the page she was referencing, you'll see it then.)
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: CaptainSensible on March 03, 2012, 07:32 pm
I'm running Liberte Linux from a USB drive & I don't see those messages.  What are you using to connect to the Tor network?

Tor Bundle

I gave up on the Tor Browser Bundle for Windows last year.  Too many weird messages & I never really knew what the TBB might be saving to my hard drive.  Get a cheap 2 gig USB drive & install Liberte Linux or Tails.  You'll sleep better at night. 
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: kmfkewm on March 03, 2012, 07:34 pm
Yeah it happens on some pages I just realized. I tried loading a random SR page and didn't see it, but then using the one Pine suggested it happened. It also opened a Tor circuit to those pages. It is happening because the icons displayed are hotlinked from those servers. This opens substantial anonymity and security holes and should be immediately taken care of. For one you are exiting the Tor network when you load those pages, and getting all the risk that comes with that. For two even if you assume that the SR hidden service can not be traced and monitored, I bet AIM and ICQ will hand over their server logs, so if feds own your entry guard they could correlate your entry traffic with AIM / ICQ server logs of Tor exits that loaded those images, to deanonymize people without actually watching traffic arrive at the SR server.

Also you might end up opening those hotlinked images via a circuit you are using for other things, and end up linking your actions together (for example maybe you were talking in an IRC when you loaded that forum page, and the hotlinked icons were loaded through the same circuit that you were using for IRC. Now your presence on that IRC server is linked to your activity on SR.)
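
Added example, not part of the original thread: a small Python audit of a saved page source, in the spirit of the "look at the page source" check above, that lists every element a browser fetches automatically from a host other than the forum's own. The sample HTML, the `exampleforum.onion` host and the URL paths are constructed; only the two third-party hostnames come from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs a browser fetches on page load, without any click.
AUTO_FETCH = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
    ("object", "data"), ("input", "src"),
}

class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.found = []  # (tag, third-party host, absolute URL)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        refs = [attrs[a] for (t, a) in AUTO_FETCH if t == tag and attrs.get(a)]
        # Stylesheets load automatically; a plain <a href> does not.
        rel = (attrs.get("rel") or "").lower()
        if tag == "link" and "stylesheet" in rel and attrs.get("href"):
            refs.append(attrs["href"])
        for ref in refs:
            url = urljoin(self.page_url, ref.strip())  # resolve relative URLs
            host = urlsplit(url).hostname
            if host and host != self.page_host:
                self.found.append((tag, host, url))

def third_party_fetches(page_url, html):
    """Return auto-loaded resources served from a host other than the page's."""
    collector = _Collector(page_url)
    collector.feed(html)
    return collector.found

# Constructed sample: one local avatar, two hotlinked status icons, one link.
SAMPLE_URL = "http://exampleforum.onion/index.php?topic=1"
SAMPLE_HTML = """
<div class="poster">
  <img src="/avatars/local.png" alt="">
  <img src="http://status.icq.com/CONSTRUCTED-PATH?id=0" alt="ICQ">
  <img src="http://opi.yahoo.com/CONSTRUCTED-PATH?u=example" alt="YIM" />
  <a href="http://example.com/profile">only fetched if clicked</a>
</div>
"""

if __name__ == "__main__":
    for tag, host, url in third_party_fetches(SAMPLE_URL, SAMPLE_HTML):
        print(f"<{tag}> loads from {host}: {url}")
```
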
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: pine on March 03, 2012, 07:40 pm
I'm running Liberte Linux from a USB drive & I don't see those messages.  What are you using to connect to the Tor network?

Tor Bundle

I gave up on the Tor Browser Bundle for Windows last year.  Too many weird messages & I never really knew what the TBB might be saving to my hard drive.  Get a cheap 2 gig USB drive & install Liberte Linux or Tails.  You'll sleep better at night.

I agree, which is why today is the last time I'm connecting without using Liberte. I had to delay setting it up, because I had some hard drives to destroy, but that's not going to be an issue in about 60 minutes :D
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: pine on March 03, 2012, 07:43 pm
Yeah it happens on some pages I just realized. I tried loading a random SR page and didn't see it, but then using the one Pine suggested it happened. It also opened a Tor circuit to those pages. This presents at least the same anonymity issues as allowing hotlinking of images does and should be disabled ASAP.

edit: Actually the issue is hotlinking of images.

Ugh  :o

I'll send a PM to the mods to see if they can sort it out.

Even if hotlinking weren't an issue at all, there is plenty of security risk from the point of view of the poster who uses these services.
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: nimbus on March 03, 2012, 08:50 pm
Yes technically those links exit the tor network through an exit node but there is no risk to you, no more than visiting any other clearnet site via tor. Even if they contain an HTTP referrer header would it matter? Might bug the exit node operator, I dunno...

But yes it should be taken care of and everyone should double-check their profile to ensure those fields are not filled out.
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: DigitalAlch on March 03, 2012, 09:25 pm
On it, let me fix that if possible.

~Digi
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: DigitalAlch on March 03, 2012, 09:35 pm
Should be fixed now.

~Digi
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: pine on March 04, 2012, 02:46 am
Should be fixed now.

~Digi

Awesome, thanks  8)
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: Rocker on March 04, 2012, 07:23 am
Should be fixed now.

~Digi

<3

He's fuckin on it! Thanks DigitalAlch
Title: Re: Why are we connecting to status.icq.com and opi.yahoo.com on this forum?
Post by: Reseller on March 04, 2012, 02:56 pm
I wondered about that... ICQ isn't anonymous