Silk Road forums
Discussion => Silk Road discussion => Topic started by: callsign on July 09, 2012, 02:58 am
-
Hi, from a technical perspective the anonymity of SR is to be respected. The obvious avenue for LE to take is to hijack the domain. What measures can we take to check the signing of a web page as from official SR servers?
For example, if LE hijacked the domain, this is how they could gather maximum information very easily:
-Duplicate login page from current SR login page on their server
-Use set of pre-downloaded captcha images
-Authenticate all logins!
-After you login, display error message to trick members into thinking SR is down
You have just been phished!
-
What measures can we take to check the signing of a web page as from official SR servers?
i'm afraid you can't do it on .onion.
in other words, if you're not able to log in, chances are you're being phished :D
-
For as long as SR has been around there have been fake SR sites set up to phish login details. Most hidden wiki sites have a few links to fake SR sites.
The SR domain name is memorable enough that regular users should know they are on the correct site.
By the way Vladimir, there is already a vlad1m1r on SR. Wouldn't want anyone confusing you guys.
-
By the way Vladimir, there is already a vlad1m1r on SR. Wouldn't want anyone confusing you guys.
it's difficult to confuse us, i'm a newbie :)
-
By the way Vladimir, there is already a vlad1m1r on SR. Wouldn't want anyone confusing you guys.
it's difficult to confuse us, i'm a newbie :)
ME 2
-
in other words, if you're not able to log in, chances are you're being phished :D
OK, and what if the phishing login form authenticates all login attempts and stores them? All LE would need to do is phish SR for a few hours, let people try to authenticate, and then stop hijacking the domain such that LE can log into SR with the newly collected logins.
I do not think anything posted so far demonstrates how SR members would be aware that SR is being hijacked.
-
Why would we post the most important security things for SR? Isn't that just giving LE an easy way in by showing our weaknesses? Why taunt LE by giving them plausible cheap ways to shut us down? Just my 2 cents.
mclovin478910
-
You are acting like LE is not aware of this tactic, and that I must be some type of genius to think it up. It is a very common tactic and announcing it makes no difference.
Is it better to realize technical problems or ignore them?
Again, how can we be sure that the SR we are looking at right now is run by the admins and not LE?
-
There is no such thing as 100% sure. That's why when I order something I encrypt my address with 2,048 bit encryption. I also have all sensitive information stored off my os. It kinda goes along the lines of not licking stamps, handling with gloves and destroying any envelope that I receive as soon as I get it.
But as for your specific question I don't have an in-depth answer to that....
-
Out of sheer paranoia for this exact reason--I typically enter an incorrect password that is close to my real password first. I get the red login failed message, and then I authenticate normally and log in.
The problem is still there, if LE actually gets a hold of the authentication server and gains access to all of our passwords, but if they were just trying to phish for them by cloning the login page, they wouldn't be able to tell whether a password is legitimate or not.
-
For as long as SR has been around there have been fake SR sites set up to phish login details. Most hidden wiki sites have a few links to fake SR sites.
The SR domain name is memorable enough that regular users should know they are on the correct site.
By the way Vladimir, there is already a vlad1m1r on SR. Wouldn't want anyone confusing you guys.
Thanks UKMJ, I met Vlad yesterday and made it clear to SR at large he was the genuine article, actually being a Russian after all! :-)
It's interesting you mention this as Shannon was saying something similar the other day as apparently it's possible (in theory) to track down the SR servers - if so I seem to remember he said SR's private key could then be used to create a duplicate site where some of the traffic could be diverted. Fortunately he didn't go into details as to how it could be done but the possibility of the servers being seized underlined the importance of using GPG for me..!
V.
-
The problem is still there, if LE actually gets a hold of the authentication server and gains access to all of our passwords, but if they were just trying to phish for them by cloning the login page, they wouldn't be able to tell whether a password is legitimate or not.
LE would be able to tell whether a password is legitimate or not because they will be able to either access the real SR while they are hijacking it (and perform realtime authentication) or after they stop hijacking SR and the real SR comes online, they can simply try their list of user/passes that people tried to authenticate with.
-
For as long as SR has been around there have been fake SR sites set up to phish login details. Most hidden wiki sites have a few links to fake SR sites.
The SR domain name is memorable enough that regular users should know they are on the correct site.
By the way Vladimir, there is already a vlad1m1r on SR. Wouldn't want anyone confusing you guys.
Thanks UKMJ, I met Vlad yesterday and made it clear to SR at large he was the genuine article, actually being a Russian after all! :-)
It's interesting you mention this as Shannon was saying something similar the other day as apparently it's possible (in theory) to track down the SR servers - if so I seem to remember he said SR's private key could then be used to create a duplicate site where some of the traffic could be diverted. Fortunately he didn't go into details as to how it could be done but the possibility of the servers being seized underlined the importance of using GPG for me..!
V.
In order for someone to get the private keys to the website they would have to obtain and edit some source code (https://github.com/katmagic/Shallot/). Then run a hashing program to find an address silkroadvb5piz3r, wait 1 to 10 to 100 years, and wham, they would generate the private keys and be able to set up a silk road clone and divert some traffic to it. Not that hard, but it would take a long time to generate the exact same address, if ever. It would be possible for a supercomputer to do it in a few years, but that would be a huge waste of resources.