Silk Road forums
Discussion => Security => Topic started by: JindaByne on November 28, 2012, 04:23 pm
-
I'm having trouble understanding exactly at what point you would become vulnerable to a man-in-the-middle attack.
Can it happen when you download the Tor Browser Bundle? When you download Tails or Liberte? When you sign in to SR? How do I know I'm in the real SR? I've been using the URL from Gwern's site.
What are ways of identifying whether or not you are currently involved in one? Or how can you take precautions to be absolutely 100% sure you are clear of one? I have done some reading and understand that you should verify the signing keys and check certificates for websites, but I still don't feel fully comfortable after doing that...
Today, after booting Tails, it informed me version 0.15 was now available and I should upgrade right away, but when I tried to verify the signing key it said "no data available". This made me worry. Is there actually a Tails version 0.15 out right now? Can someone confirm that? And am I verifying the signing key wrong? What are the chances of a man-in-the-middle attack happening for just a small personal buyer?
-
A man-in-the-middle attack happens when you try to download something from a website, but a third party (the man in the middle) messes with information. For example by sending you corrupted software.
If you are a new Silk Road user (and you are not in a country like Iran, Syria, China, or North Korea), then it's not something you really have to worry about for now.
If you want to be really sure, you can check the PGP signature of the files you download (for example the Tor Browser Bundle or your TrueCrypt software). However, to do that you need to import the public key of the person who signs those, otherwise you get an error.
The correct Silk Road URL is: silkroadvb5piz3r.onion
-
Thanks for your response.
I have Tails (even though now it's asking me to upgrade : \), I use PGP, I'm using the Tor Button, yet for some reason I feel like I'm missing something. I've been on here for months now and just can't seem to place that first order...
-
For people who don't know wtf you're talking about (things are pretty scary when you don't have a clue how bad they really are, and I'm bored anyway, so skip a few paragraphs down for your answer):
Man in the Middle attacks are pretty insidious. It's probably good to remember that some Tor exit nodes deliberately sit and monitor for traffic and run automated cracking tools to steal whatever credentials they can get their hands on (exit nodes are the only route out of the Tor network, and since the entire internet is outside of the Tor network, you have to use at least one of them if you go outside of SR).
When you connect to a banking site or something, basically what we do here with PGP happens automatically. Not identical, but it's just another public key cryptography algorithm more or less -- same as address encryption. A MitM attack works by tricking you into thinking you're connecting to the banking website so that you encrypt everything with the attacker's key. That way he can decrypt it and see all of your data plain as day. He also connects to the real web site and sets up another encrypted data stream, so that the real web site thinks it's talking to your computer. So he can decrypt everything, see everything, and just keeps snooping and then re-encrypting so it all looks legit to both sides.
That's actually the same thing Tor and just about any proxy does. They're just man-in-the-middle attacks that are helpful.
There's no good defense against this. Well I mean there is, but... I don't know of any for a single home desktop. That's what all the certificates that web sites and servers use are for. They "prove" that the computer you're talking to is really who it says it is. That's not impossible to fake, either, but it's at least good enough to stop your everyday asshole who doesn't understand the cracking programs he uses.
So, anyway... are you talking about the checksum file that you can usually get for a given archive? Because I don't think you use gpg to verify those... but honestly I never bother, sooo... I might be steering you wrong there. "No data available" sounds to me like you don't actually have the public key of the person who signed the archive, so you have no way of verifying that they signed it correctly. Only a private key can sign an archive to prove it came from that person. In that case you use the public key to verify it (the opposite of usual encrypting w/ the public key & decrypting with the private one).
Is that what you're missing, or are you talking about something else...?
-
Oh, I should point out: the way the Tor network encrypts things in layers all the way through to hidden services makes it impossible to perform a man in the middle attack effectively. All they'd get is more encrypted data after they decrypted it -- maybe that'll put you at ease. If you're not on the clear net, I don't know of any way they can intercept what you send back & forth. Never heard of one, but I'm not a hacker, so that doesn't mean it doesn't exist. Just so rare you don't have to worry about it, even if it is out there :)
-
Thanks, that was helpful information. I'd give you karma if I bloody well knew how.
I, like many, am just having some first-time-buyer anxiety. Like I said, I'm in Tails, using Tor Button, using PGP, I received my bitcoins in this way (bank deposit->blockchain->instawallet1->instawallet2->1/3instawallet3->2/3instawallet5->SR). Every time I go to place an order I just have the worst case scenario flash through me brain. haha
thanks again for putting me slightly more at ease!
-
No worries; I'm a strange combination of junkie and computer geek, so I like this stuff. It's fun sometimes :) Glad I could help. And don't forget, they can't see you ordering something. They can see the thousands of people who are using Tor at the moment, but they don't have nearly enough manpower to single you out. Now if your package gets identified by a drug dog (almost never happens, like seriously almost never if you stay away from express shipping), then they care & will probably try to arrest you.
Stealth is important, though, don't let me make you too comfy or anything. I once had a package arrive ripped open with the contents & ripped envelope in a clear plastic "sorry for the damage" baggie. I nearly dropped dead when I realized what I was pulling out of my mailbox. The vendor did a good job though, and I'm still here even after they saw my drugs fall out at their feet... :)
Just saying it happens. Go ahead and order, you'll be fine -- but order from somebody who bothers to keep you safe & coming back to pay more money :)
-
Yeah Same here.
-
Thanks for your response.
I have Tails (even though now it's asking me to upgrade : \), I use PGP, I'm using the Tor Button, yet for some reason I feel like I'm missing something. I've been on here for months now and just can't seem to place that first order...
If your drug of choice happens to be cannabis please let me know & I'll point you in the direction of a couple of vendors who don't mind helping newbies (no disrespect intended, I'm a newbie too).
There's also a PGP club here on the forums which might help you get more comfortable with PGP - you can find a partner to practice with no problem ...
Good luck & welcome to SR!
-
No, no cannabis. And I appreciate your consideration, but I feel comfortable with PGP, that's not the issue. I was just curious at which point you would put yourself at risk of a MITM attack and how to be confident that you're not in the middle of one! SelfSoveriegnty def made me feel better.
-
MITM attacks with Tor happen when you connect through exit points, and that node decides to feed you spoofed SSL certs or is running sslstrip. This is why when you download software off torproject.org you check the signature to make sure it matches with the real torproject dev signing key.
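Added example, not code from the thread or from the Tor/Tails projects: a POSIX shell script that walks through the detached-signature check the posts above describe, showing the "no public key" outcome the original poster ran into (the key was never imported), the good-signature case after importing the signing key and matching its fingerprint, and what a tampered download looks like. The signing key, file and fingerprint are all constructed locally in throwaway keyrings; a real project's fingerprint must be obtained over a second channel and is only represented by EXPECTED_FPR. Assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example (not from the thread). Exercises the three answers gpg gives
# for a download plus detached signature: no public key (the thread's "no data
# available" situation), a good signature from the expected key, and a tampered
# file. Signer key, file and fingerprint are constructed in throwaway keyrings so
# this runs offline; a real project's fingerprint must come from a second channel.
WORK=$(mktemp -d)
mkdir -m 700 "$WORK/signer" "$WORK/downloader"   # signer's and downloader's keyrings

# verify_download KEYRING SIGFILE FILE EXPECTED_FPR
# Prints nokey | badsig | wrongkey | good and returns 0 only for "good".
# A "Good signature" line alone is not enough: the key must also be the one
# whose fingerprint you checked independently (that is what EXPECTED_FPR is for).
verify_download() {
    status=$(GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null) || true
    case "$status" in
        *"[GNUPG:] NO_PUBKEY "*) echo nokey;  return 1 ;;
        *"[GNUPG:] BADSIG "*)    echo badsig; return 1 ;;
        *"[GNUPG:] VALIDSIG "*)
            fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
            [ "$fpr" = "$4" ] && { echo good; return 0; }
            echo wrongkey; return 1 ;;
        *) echo error; return 1 ;;
    esac
}

# --- constructed fixture: a throwaway "dev" key signs a stand-in image -------
SIGNER="$WORK/signer"
GNUPGHOME="$SIGNER" gpg --batch --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Constructed Dev <dev@example.invalid>' default default never 2>/dev/null
EXPECTED_FPR=$(GNUPGHOME="$SIGNER" gpg --batch --with-colons --fingerprint dev@example.invalid \
    | awk -F: '/^fpr:/{print $10; exit}')
printf 'constructed stand-in for a downloaded image\n' > "$WORK/image.iso"
GNUPGHOME="$SIGNER" gpg --batch --pinentry-mode loopback --passphrase '' --armor \
    --detach-sign --output "$WORK/image.iso.sig" "$WORK/image.iso" 2>/dev/null
GNUPGHOME="$SIGNER" gpg --batch --armor --export dev@example.invalid > "$WORK/signing-key.asc"

# --- what the downloader sees ----------------------------------------------
DL="$WORK/downloader"
# 1. Nothing imported yet: gpg cannot check anything -> nokey.
RESULT_NOKEY=$(verify_download "$DL" "$WORK/image.iso.sig" "$WORK/image.iso" "$EXPECTED_FPR" || true)
# 2. Import the key, then verify; the fingerprint is matched inside verify_download.
GNUPGHOME="$DL" gpg --batch --import "$WORK/signing-key.asc" 2>/dev/null
RESULT_GOOD=$(verify_download "$DL" "$WORK/image.iso.sig" "$WORK/image.iso" "$EXPECTED_FPR" || true)
# 3. A single appended byte (what a hostile relay could do to the download) -> badsig.
printf 'x' >> "$WORK/image.iso"
RESULT_BAD=$(verify_download "$DL" "$WORK/image.iso.sig" "$WORK/image.iso" "$EXPECTED_FPR" || true)
echo "no key: $RESULT_NOKEY / after import: $RESULT_GOOD / tampered: $RESULT_BAD"
for d in signer downloader; do GNUPGHOME="$WORK/$d" gpgconf --kill gpg-agent 2>/dev/null; done
```

The same script with a fingerprint that does not match the imported key prints "wrongkey", which is the case a spoofed signing key imported from the same compromised connection would produce.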
-
MITM attacks with Tor happen when you connect through exit points, and that node decides to feed you spoofed SSL certs or is running sslstrip. This is why when you download software off torproject.org you check the signature to make sure it matches with the real torproject dev signing key.
Holy fucking Christ, I can't believe I've been stupid enough not to be doing that... wtf man. I could practically RUN that attack myself, and in almost 6 months not once did it ever occur to me. I feel fucking retarded...
Thanks bro. Good to keep in mind.