Silk Road forums
Discussion => Silk Road discussion => Topic started by: zepequeno on August 28, 2011, 02:05 am
-
Hello,
i installed tor on my iphone, i arrive on the site but impossible to log in.
Somebody did it ?
Thx
-
Cara, isso é realmente necessário?
-
Hello,
i installed tor on my iphone, i arrive on the site but impossible to log in.
Somebody did it ?
Thx
Hello,
Did you get this from Cydia or online?
Please don't use TOR on your Apple device.
Having worked for them for a bit -
they'll collect every piece of info and bust you in no time.
Your network is either ATT/Verizon - and if not- nonetheless - your network is NOT YOURS.
My network is not mine either, but when i use tor i proxy twice and boot off a live instance.
Using a portable device with it's own OS you cannot even get into is risky.
I am STRONGLY against mobile access to Tor.
More holes for LE to peek in.
L/7/5
-
I provide a service that is the safest fastest and most convenient way to use SR on your mobile. I stand by my service and would be happy to discuss how it works and compares to some other solutions for that as well as the ramifications of each or any. I also professionally develop Andriod and iOS apps.
It makes people uneasy, but people want to do this, (get on SR from their mobile.) Tell yer kid he can't smoke weed and he'll just sneak around in shadier situations to make it happen, am I right? Let's discuss the trade-offs of different policies in different situations so more people have thought out more scenarios. I think that is how to protect the community.
Am I going to tell you there are no risks to take into consideration? Certainly not. Security and convenience are inherently at odds with eachother. Security is obviously more important to most of us here. Sure we'd all feel much safer if everyone only logged in from their mother-in-law's basement, browsed only with an OpenBSD+TRESOR system, and stood up to interrogation techniques like Jack Bauer. You guys can get mad when n00bs ask about their iThings but do you think that discourages them and thus you are safer? Maybe that one guy gives up on the idea out of fear thanks to your warning but you haven't really taught him anything and the curious and enamored are going to keep coming asking for it.
Most of us have a suspicion and distrust of most large establishments. Apple is a popular target of paranoid contempt. Rightly so? Sure. But what about Microsoft? Symantec? Trend Micro? The list is practically endless All of them are in positions to violate so many n00bs and therefore us. The reason SR is great is that the model holds up well in the case of partial breach. Of course this place is already crawling with LE. We must remain cognizant and diligent. There are digital networking risks and physical risks to using a portable unencrypted device with a proprietary operating system.
Your iPhone is tracking your location. That is all. Apple does not send anything about your browsing activity off device except of course the traffic itself. AT&T cannot eavesdrop on anything you send to a secure site. The government and plenty of others in positions to abuse power could, if they set up an authorized man-in-the middle attack. They have to be on to you and set that up in advance and not just call AT&T after-the-fact. That is because of the flawed SSL CA model and you can alleviate that by checking certificate fingerprints manually against a copy you received from a side-channel.
Tor does not rely on SSL at all. There are no CA's to betray your trust but that is the simple reason for the gobbeldygook.onion names. (it IS the fingerprint.) You can never set your tor hidden site up at a human-memorable name of your choosing. Tor is slow enough on Verizon FiOS how do you think it performs over 3G or GPRS? Like garbage, that's how. My service handles the tor while what you are doing is connecting to a server of mine via SSL. It is not technically much different from gateways like web2tor except it's not free and bogged down and you are connecting to a random legitimate business's highly secure server and slipping in with gobs of legitimate traffic. Both web2tor and tor installed on your phone will still allow your network operators to see you are on the tor, even if they can't see what you're up to. With my service they will even be totally unaware that you are even using tor.
If you do use any gateway such as mine to get on SR, you are trusting the operator because he could evesdrop or even withdraw your BTC. I will not. Can you trust me? I assure you. Do I expect you to? Not really. I made it for myself in an afternoon, if it helps anyone else out, great! I'd be happy to give anyone the source to run it themselves for free if they have the inclination. It's not hard and it runs on any OS supported by tor and apache. it's not a new actual program its all in the configuration of apache and tor/polipo
-
I provide a service that is the safest fastest and most convenient way to use SR on your mobile. I stand by my service and would be happy to discuss how it works and compares to some other solutions for that as well as the ramifications of each or any. I also professionally develop Andriod and iOS apps.
It makes people uneasy, but people want to do this, (get on SR from their mobile.) Tell yer kid he can't smoke weed and he'll just sneak around in shadier situations to make it happen, am I right? Let's discuss the trade-offs of different policies in different situations so more people have thought out more scenarios. I think that is how to protect the community.
Am I going to tell you there are no risks to take into consideration? Certainly not. Security and convenience are inherently at odds with eachother. Security is obviously more important to most of us here. Sure we'd all feel much safer if everyone only logged in from their mother-in-law's basement, browsed only with an OpenBSD+TRESOR system, and stood up to interrogation techniques like Jack Bauer. You guys can get mad when n00bs ask about their iThings but do you think that discourages them and thus you are safer? Maybe that one guy gives up on the idea out of fear thanks to your warning but you haven't really taught him anything and the curious and enamored are going to keep coming asking for it.
Most of us have a suspicion and distrust of most large establishments. Apple is a popular target of paranoid contempt. Rightly so? Sure. But what about Microsoft? Symantec? Trend Micro? The list is practically endless All of them are in positions to violate so many n00bs and therefore us. The reason SR is great is that the model holds up well in the case of partial breach. Of course this place is already crawling with LE. We must remain cognizant and diligent. There are digital networking risks and physical risks to using a portable unencrypted device with a proprietary operating system.
Your iPhone is tracking your location. That is all. Apple does not send anything about your browsing activity off device except of course the traffic itself. AT&T cannot eavesdrop on anything you send to a secure site. The government and plenty of others in positions to abuse power could, if they set up an authorized man-in-the middle attack. They have to be on to you and set that up in advance and not just call AT&T after-the-fact. That is because of the flawed SSL CA model and you can alleviate that by checking certificate fingerprints manually against a copy you received from a side-channel.
Tor does not rely on SSL at all. There are no CA's to betray your trust but that is the simple reason for the gobbeldygook.onion names. (it IS the fingerprint.) You can never set your tor hidden site up at a human-memorable name of your choosing. Tor is slow enough on Verizon FiOS how do you think it performs over 3G or GPRS? Like garbage, that's how. My service handles the tor while what you are doing is connecting to a server of mine via SSL. It is not technically much different from gateways like web2tor except it's not free and bogged down and you are connecting to a random legitimate business's highly secure server and slipping in with gobs of legitimate traffic. Both web2tor and tor installed on your phone will still allow your network operators to see you are on the tor, even if they can't see what you're up to. With my service they will even be totally unaware that you are even using tor.
If you do use any gateway such as mine to get on SR, you are trusting the operator because he could evesdrop or even withdraw your BTC. I will not. Can you trust me? I assure you. Do I expect you to? Not really. I made it for myself in an afternoon, if it helps anyone else out, great! I'd be happy to give anyone the source to run it themselves for free if they have the inclination. It's not hard and it runs on any OS supported by tor and apache. it's not a new actual program its all in the configuration of apache and tor/polipo
+1
bump bump
damn, son! you've done your homework. my concern is with running any local, hard OS is logging. But you seem to have that covered.
Your service looks well put together, but using your gateway? :) Yes, I'd have to trust you. Should I? Maybe :). I would personally use my own SSL/Gateway. I mean I have access to many but some may not.
You are looking out for the community and you are quite intelligent!
L75
-
This is the configuration I use with Apache 2.2, some standard modules and a third party one, mod_proxy_html. Tor and polipo are installed on the server as well to make this work of course. I hope anyone finds this useful or has anything to add or share. Starting with a basic sample configuration from mod_proxy_html added to an SSL-enabled Apache vhost, I added:
SetOutputFilter INFLATE;DEFLATE
ProxyRemote * http://localhost:8118
ProxyRequests Off
<Location /sr/>
UseCanonicalName On
UseCanonicalPhysicalPort On
ProxyHTMLEnable On
ProxyPass http://ianxz6zefk72ulzz.onion/
ProxyPassReverse http://ianxz6zefk72ulzz.onion/
ProxyPassReverseCookieDomain ianxz6zefk72ulzz.onion myhostname.tld
ProxyPassReverseCookiePath / /sr/
ProxyHTMLURLMap http://www.dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap http://dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap http://www.ianxz6zefk72ulzz.onion https://myhostname.tld/sr/
ProxyHTMLURLMap http://ianxz6zefk72ulzz.onion https://myhostname.tld/sr/
ProxyHTMLURLMap / https://myhostname.tld/sr/ e,c
</Location>
<Location /sr_forums/>
UseCanonicalName On
UseCanonicalPhysicalPort On
ProxyHTMLEnable On
ProxyPass http://dkn255hz262ypmii.onion/
ProxyPassReverse http://dkn255hz262ypmii.onion/
ProxyPassReverseCookieDomain dkn255hz262ypmii.onion myhostname.tld
ProxyPassReverseCookiePath / /sr_forums/
ProxyHTMLExtended On
ProxyHTMLURLMap http://www.dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap http://dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap / https://myhostname.tld/sr_forums/ e,c
</Location>
<Proxy *>
AuthType basic
AuthName "Password Required"
AuthUserFile "/path/to/etc/apache22/sr.proxy.htpass"
Require valid-user
</Proxy>
-
This is the configuration I use with Apache 2.2, some standard modules and a third party one, mod_proxy_html. Tor and polipo are installed on the server as well to make this work of course. I hope anyone finds this useful or has anything to add or share. Starting with a basic sample configuration from mod_proxy_html added to an SSL-enabled Apache vhost, I added:
SetOutputFilter INFLATE;DEFLATE
ProxyRemote * http://localhost:8118
ProxyRequests Off
<Location /sr/>
UseCanonicalName On
UseCanonicalPhysicalPort On
ProxyHTMLEnable On
ProxyPass http://ianxz6zefk72ulzz.onion/
ProxyPassReverse http://ianxz6zefk72ulzz.onion/
ProxyPassReverseCookieDomain ianxz6zefk72ulzz.onion myhostname.tld
ProxyPassReverseCookiePath / /sr/
ProxyHTMLURLMap http://www.dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap http://dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap http://www.ianxz6zefk72ulzz.onion https://myhostname.tld/sr/
ProxyHTMLURLMap http://ianxz6zefk72ulzz.onion https://myhostname.tld/sr/
ProxyHTMLURLMap / https://myhostname.tld/sr/ e,c
</Location>
<Location /sr_forums/>
UseCanonicalName On
UseCanonicalPhysicalPort On
ProxyHTMLEnable On
ProxyPass http://dkn255hz262ypmii.onion/
ProxyPassReverse http://dkn255hz262ypmii.onion/
ProxyPassReverseCookieDomain dkn255hz262ypmii.onion myhostname.tld
ProxyPassReverseCookiePath / /sr_forums/
ProxyHTMLExtended On
ProxyHTMLURLMap http://www.dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap http://dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap / https://myhostname.tld/sr_forums/ e,c
</Location>
<Proxy *>
AuthType basic
AuthName "Password Required"
AuthUserFile "/path/to/etc/apache22/sr.proxy.htpass"
Require valid-user
</Proxy>
+1
its so........
beautiful
L75
-
What about using your own WiFi network with an iPad? Is that safer?
-
I do not understand any of the technobabble. I use Orbot and Mozilla Firefox on my Nexus S to accrss SilkRoad I take it that's bad.
-
I do not understand any of the technobabble. I use Orbot and Mozilla Firefox on my Nexus S to accrss SilkRoad I take it that's bad.
If you are using Mozilla Firefox with your cell phone I hope you're at least using the Proxymob add-on ( https://guardianproject.info/apps/orbot/ ). Still even this add-on to Firefox doesn't provide all the anonymity you can get from Tor implementations made for a PC. If you must use your cell phone then root it and install Orweb as your browser, which is made to run through Orbot.
I'd stick with the Tor bundle on your PC, or better yet, create a Tails USB drive.
-
(rubs eyes and blinks) Did I just see a picture of Murray Rothbard????
The list of evil OS developers collecting everything they can forgot to mention Google, the maker of Android.
Anyway, I run Orbot rooted so it "transparently" proxys everything. You dont need Proxymob that way.
I use Firefox but it should proxy the stock browser too. At least that's what I'm told.
I still would never connect using the cell network. Only a wireless router.
I don't have as much tech knowledge as has been displayed here already.....but I'm always learning.
So I ask those who know....is my setup "safe"?
Is it actually doable to to root Orbot over 3G without instantly giving up your ID?
Even with a wifi do I need to shut off virtually everything else the phone is running for fear of a leak or is transparent proxying covering me? Like using a special profile set up or a custom ROM, which I haven't tried yet. Just stock with root access.
-
I still would never connect using the cell network. Only a wireless router.
I don't have as much tech knowledge as has been displayed here already.....but I'm always learning.
So I ask those who know....is my setup "safe"?
Connecting via wifi does not provide any more security than connecting over cellular. Whether it's AT&T 3G or Verizon FIOS service, all companies monitor all traffic. At lest you have to assume that if you're dealing on SR. The Wifi benefit is speed alone between the entry node and your device.
Pay attention here too because there's some mis-information on this thread. Connecting to Tor over your cell phone doesn't inherently create a slower experience. Once your bytes are inside the Tor network, being handed off from node to node, no one knows you're on a cell phone. Your traffic is being treated with the same priority as everyone else's. But your connection to the first node (the entry node) into the Tor network will be hampered. This is your only true bottleneck.
As far as proxying your data before it even gets onto the Tor network, the more obfuscation the better. Nothing is fool proof, but if you bounce your traffic before it even hits the first Tor entry node, you make it that much harder to follow your breadcrumb trail.
-
Hello,
i installed tor on my iphone, i arrive on the site but impossible to log in.
Somebody did it ?
Thx
Swim told me he can't log into SR either using his iDevice, but like you can get to the page no problem. Annoying. Post back if you find a work-around (that's not tor2web).
-
This is the configuration I use with Apache 2.2, some standard modules and a third party one, mod_proxy_html. Tor and polipo are installed on the server as well to make this work of course. I hope anyone finds this useful or has anything to add or share. Starting with a basic sample configuration from mod_proxy_html added to an SSL-enabled Apache vhost, I added:
SetOutputFilter INFLATE;DEFLATE
ProxyRemote * http://localhost:8118
ProxyRequests Off
<Location /sr/>
UseCanonicalName On
UseCanonicalPhysicalPort On
ProxyHTMLEnable On
ProxyPass http://ianxz6zefk72ulzz.onion/
ProxyPassReverse http://ianxz6zefk72ulzz.onion/
ProxyPassReverseCookieDomain ianxz6zefk72ulzz.onion myhostname.tld
ProxyPassReverseCookiePath / /sr/
ProxyHTMLURLMap http://www.dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap http://dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap http://www.ianxz6zefk72ulzz.onion https://myhostname.tld/sr/
ProxyHTMLURLMap http://ianxz6zefk72ulzz.onion https://myhostname.tld/sr/
ProxyHTMLURLMap / https://myhostname.tld/sr/ e,c
</Location>
<Location /sr_forums/>
UseCanonicalName On
UseCanonicalPhysicalPort On
ProxyHTMLEnable On
ProxyPass http://dkn255hz262ypmii.onion/
ProxyPassReverse http://dkn255hz262ypmii.onion/
ProxyPassReverseCookieDomain dkn255hz262ypmii.onion myhostname.tld
ProxyPassReverseCookiePath / /sr_forums/
ProxyHTMLExtended On
ProxyHTMLURLMap http://www.dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap http://dkn255hz262ypmii.onion https://myhostname.tld/sr_forums/
ProxyHTMLURLMap / https://myhostname.tld/sr_forums/ e,c
</Location>
<Proxy *>
AuthType basic
AuthName "Password Required"
AuthUserFile "/path/to/etc/apache22/sr.proxy.htpass"
Require valid-user
</Proxy>
+1
its so........
beautiful
L75
YES, BEAUTIFUL! thank you for sharing. It brought a tear to my eye it did ;D
-
What about using your own WiFi network with an iPad? Is that safer?
Hahaha none of it's safe, right? :) Arguably, by some marginal amount, perhaps safer. How/where tor+ploipo are set up is much more important than wifi+cable vs 3G. There are so many other factors and the network itself is not a very important one. Every single network can be assumed to be under LE control.
There's no right way to use these devices. There's always a tradeoff and unknowns. In theory, I'd feel safer with all the software configured and working on the jailbroken iPad, but securing a jailbroken iPad is a whole 'nother ball of wax for another message board entirely. If you're on your home network and want to keep your iPad stock, you can run tor/polipo on your PC/Mac and direct your iPad through that. However, your wireless is then the weak link there because polipo and the browser, they talk unencrypted. Your wireless net better be locked down damn good. Don't forget you gave your neighbor the password too. Does he watch your traffic now? Even without the password, WPA2-P is magnitudes weaker than TLS (modern SSL) or each individual layer of the onion's encryption. (in my opinion anyway) but it's seldom just a case of stronger vs weaker. "Attack vectors" can be different. ie. TLS is strong and saddled with a broken trust model in every shipping OS/browser but that's an example of "the man" socially engineering our security out of us.
This place isn't a success because people can get away with it, it's enough that most believe they can. We aren't still free because we're security experts. We're small fish with the benefit of dumb luck, for the most part. Are you just a lowly pothead hoping that officer Barbrady doesn't stumble upon your doings, or you're an established drug kingpin trying to evade the supercop who's currently gunnin' for you with a major hard-on and already hot on your trail? Most of us are a lot closer to the former I think. If it's the latter, you need to hire experts not ask the peanut gallery. I'm sure that expert would say you'd better stay the hell off of them fancy new mobile devices. They are toys, after all.
There's a million factors here. When people slip up it's usually not because the FBI hacked their 256-bit n00b-crypt, and darn I shoulda went with l33t-crypt 2048 and only browsed from inside a lead box. Information "leakage" is more likely how they'll get ya and it will betray you through your encryption and your nuclear bunker. Browsers volunteer so much information about you and your computer in the name of convenience and nifty features. Nifty and convenient is pretty much the driving force of the mobile gadget market. Polipo does what it can but you'd have to analyze and tweak everything to be sure. Any applications you use simultaneously while browsing via tor increase your risk of leakage as well as improve the effectiveness of traffic analysis techniques and that goes for PCs or phones.
It's all give and take. Be careful pay attention learn and do the best you can. You can't live your life in paranoia though, if you can't accept risk this is the wrong place to be. Anyone who thinks they are "safe" because they did this and this and this is probably just deluding themselves out of a paranoid denial of risk rather than a healthy avoidance of. Or, if they are safe, that and that and that was actually a well thought out and very particular plan for them which may or more likely may not apply to anyone else.
Be careful who and what you believe. All success can be attributed equally to pure genius or dumb luck
-
What about using your own WiFi network with an iPad? Is that safer?
...
This place isn't a success because people can get away with it, it's enough that most believe they can. We aren't still free because we're security experts. We're small fish with the benefit of dumb luck, for the most part.
,,,
Be careful who and what you believe. All success can be attributed equally to pure genius or dumb luck
+1
Encrypt, obfuscate, and maintain a healthy sense of paranoia. But never forget that, given enough time and motivation, the gubmint can track you down and nail your ass to the wall. We're not invincible. ???