Silk Road forums

Discussion => Security => Topic started by: Furd Turbler on December 13, 2011, 04:50 am

Title: TOR and Secure communications
Post by: Furd Turbler on December 13, 2011, 04:50 am
Hope you guys can help me out here. I've got some questions on using TOR. (Is there an official TOR support forum somewhere, even off the .onion network?)

This has to do with connecting to gmail.

I installed and enabled TOR, verified it was working, and created a new gmail account. I have Torbutton and NoScript installed in Firefox. I was running NoScript with default configuration. The default config enables javascript for some google sites. I did not think about this at first.
I did some searching and found some people connecting to gmail over TOR discovered their public IP exposed because of javascript.
I looked in gmail to see current and previous sessions, and all the IP addresses were from TOR, not my public IP. That was a bit of relief, as it would mean it's still safe to use that account because it's probably never been accessed directly from my public IP.
Right?
Trying to be paranoid, I removed google/gmail from my NoScript whitelist, and sign into gmail using their Basic HTML interface. I don't mind this. But many of their settings and features are not available through the Basic HTML interface. Annoying, but whatever.
Then I went to change my password, and it takes me to the account settings page that does not fully load because it needs Javascript.
So... is it safe to use gmail with javascript enabled as it was before? Did either TOR or gmail resolve the security issue? It was showing the TOR IPs and not my public IPs when I checked, although I have not sent any emails from this account yet. Or will the javascript not reveal my public IP until I try to send an email while it's enabled?

Any help is appreciated.

Thanks
Title: Re: TOR and Secure communications
Post by: CrunchyFrog on December 13, 2011, 06:23 am
Have you considered using TorMail [ jhiwjjlqpyawmpjx.onion ] rather than Gmail, at least for your Silk Road activities?  It's as anonymous as any Tor hidden service and offers two web interfaces -- one with and one without javascript -- from which you can choose on a per-session basis.

(I realize that doesn't directly answer your Gmail question but thought I'd offer it up since you expressed concern about IP address anonymity.)
Title: Re: TOR and Secure communications
Post by: PumpkinYeti on December 13, 2011, 07:17 am
> Have you considered using TorMail [ jhiwjjlqpyawmpjx.onion ] rather than Gmail, at least for your Silk Road activities?  It's as anonymous as any Tor hidden service and offers two web interfaces -- one with and one without javascript -- from which you can choose on a per-session basis.
>
> (I realize that doesn't directly answer your Gmail question but thought I'd offer it up since you expressed concern about IP address anonymity.)

+1. If you care enough about your anonymity to use Tor, why are you using Gmail? Just use Tormail and be done with it.
Title: Re: TOR and Secure communications
Post by: supersecretsquirrel on December 13, 2011, 12:51 pm
> Have you considered using TorMail [ jhiwjjlqpyawmpjx.onion ] rather than Gmail, at least for your Silk Road activities?  It's as anonymous as any Tor hidden service and offers two web interfaces -- one with and one without javascript -- from which you can choose on a per-session basis.
>
> (I realize that doesn't directly answer your Gmail question but thought I'd offer it up since you expressed concern about IP address anonymity.)
>
> +1. If you care enough about your anonymity to use Tor, why are you using Gmail? Just use Tormail and be done with it.

This. Gmail sucks, with or without Tor.
Title: Re: TOR and Secure communications
Post by: JackS on December 13, 2011, 09:25 pm
Try to stay away from safemail and hushmail. TORmail and TORpm are great!
Title: Re: TOR and Secure communications
Post by: supersecretsquirrel on December 13, 2011, 09:42 pm
> Try to stay away from safemail and hushmail. TORmail and TORpm are great!

What's the problem with using safemail and hushmail? And why is Tormail any better?
Title: Re: TOR and Secure communications
Post by: DrBenway on December 13, 2011, 10:32 pm
I don't know much about safemail, but hushmail (when used as they intend) stores your private key on their server, allowing (and requiring) them to give LE access to your email if they demand.
Title: Re: TOR and Secure communications
Post by: supersecretsquirrel on December 13, 2011, 11:43 pm
> I don't know much about safemail, but hushmail (when used as they intend) stores your private key on their server, allowing (and requiring) them to give LE access to your email if they demand.

I guess a good rule of thumb when it comes to SR and "anonymous" email accounts is to always assume that /someone/ might get access to the data at some point. This means that you need to make sure that you're not sending sensitive information in the clear, that you're not using the account for anything linked to the "real" you etc.
Title: Re: TOR and Secure communications
Post by: DrBenway on December 14, 2011, 12:10 am
> I guess a good rule of thumb when it comes to SR and "anonymous" email accounts is to always assume that /someone/ might get access to the data at some point. This means that you need to make sure that you're not sending sensitive information in the clear, that you're not using the account for anything linked to the "real" you etc.

Indeed. The problem with Hushmail is, since they have your private key, your messages are practically in the clear on Hushmail's servers. An added benefit of Tormail over clearnet email providers is that both you and they are much more difficult to track, making it harder to connect you to your emails if they are somehow discovered and decrypted, and harder for LE to discover your emails in the first place since they'd have to locate Tormail's hidden server.
Title: Re: TOR and Secure communications
Post by: Furd Turbler on December 14, 2011, 02:16 am
I know not to trust Hushmail's encryption. I haven't yet had a chance to evaluate TORmail. Not that I doubt its security.
I actually do like gmail, though. Good interface and the best spam filtering I've ever seen.

I'm pretty sure it's okay. So long as I'm using HTTPS, the javascript shouldn't pose an issue. Just looking for a definitive answer one way or the other.
Title: Re: TOR and Secure communications
Post by: DrBenway on December 14, 2011, 02:57 am
What does HTTPS have to do with Javascript being an issue?
Title: Re: TOR and Secure communications
Post by: Furd Turbler on December 14, 2011, 03:19 am
AFAIK, the issue with javascript is the ability for an attacker to inject malicious code (e.g. something that could expose identity) at a point where the traffic is vulnerable (e.g. at an "evil" exit relay). Connecting to a website via HTTPS encrypts the traffic end-to-end, thus not giving the attacker a chance.

That's what I understand the problem to be with Javascript over TOR, anyways.

I have HTTPS Everywhere installed, and I have explicit HTTPS only rules set in NoScript for gmail, so like I said... I'm pretty darn sure I'm okay. Even now when connecting to the gmail account it shows a TOR IP address, not my own. And it's unlikely that I'll need to connect to gmail's web interface anymore now that I have the account setup. I'll be using Thunderbird for that now.
Title: Re: TOR and Secure communications
Post by: Variety Jones on December 14, 2011, 12:42 pm
HTTPS prevents an exit node from sniffing your surface web traffic; it does nothing at all in relationship to javascript.

Torbutton blocks malicious and dangerous javascript that may use system hooks on your computer to determine information about your location. You can bypass these settings, but don't - they're there for a reason.

Noscript blocks additional scripts beyond what Torbutton blocks. If you allow Noscript on sites like Gmail it lets you use some of the web 2.0 features but no dangerous javascript blocked by Torbutton is executed.

Gmail indexes and searches the contents of all your emails, and even deleted emails are never deleted. Why on earth would you want to use such an email system?
Title: Re: TOR and Secure communications
Post by: Furd Turbler on December 15, 2011, 12:01 am
> Noscript blocks additional scripts beyond what Torbutton blocks. If you allow Noscript on sites like Gmail it lets you use some of the web 2.0 features but no dangerous javascript blocked by Torbutton is executed.

This is good to know.

> Gmail indexes and searches the contents of all your emails, and even deleted emails are never deleted. Why on earth would you want to use such an email system?

Because I won't be using it to send any sensitive information in plaintext. Any emails containing sensitive or personally identifying info will be encrypted first. I can encrypt before I copy & paste into the web interface, and I can use enigmail in t-bird (saving drafts is disabled).