Silk Road forums

Discussion => Security => Topic started by: LysanderSpooner on July 29, 2011, 08:00 pm

Title: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: LysanderSpooner on July 29, 2011, 08:00 pm
Okay so I sometimes use hushmail.com to send email when I'm using the tor browser bundle. Earlier today I go to check my email and get the following message:

"The computer you are using has been blocked from our website, possibly due to abuse or spam. Computers are blocked using an automatic process that will sometimes make mistakes, resulting in people who were not abusing the system being unable to access our website."

I didn't know what had triggered the issue so I emailed them but in the meantime I closed tor and restarted it all and tried logging in and got the same message. I assumed then that it must be the account that was locked, as tor is supposed to make me anonymous... but out of curiosity I tried restarting tor again and setting up a new email address... I was most concerned when I got the *same message!*

How the hell has this website managed to block my computer from using their services? I thought Tor was supposed to make me anonymous? Are sites able to store cookies and things on my computer even if I close the tor browser and restart it? How else can they be doing this? I'm a little freaked out... is tor as anonymous as people make out?
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: redtide on July 29, 2011, 08:07 pm
I've had the same issue. I think you might not be able to hit it from tor
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: redtide on July 29, 2011, 08:10 pm
No idea. You can try safe-mail.net. You can also use PGP and regular email.
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: redtide on July 29, 2011, 08:14 pm
just occurred to me. It's probably not that they identify tor, but that they can't identify your computer because your ip is different all the time.
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: ~shabang~ on July 29, 2011, 10:50 pm
Over 80% of tor traffic exits through one of 7 exit nodes.

These are all high speed (100MB/sec to 300MB/sec, and one 1000MB/sec) nodes operated by the fine folks who bring you TOR.

This also makes for a lot of abuse traffic from those exit nodes, so quite a few sites block them due to that.

Some sites block ALL exit nodes from TOR, imgur for example.

A complete list of all TOR relays and exit nodes is publicly available, so that's not hard to do at all.

The folks at Hushmail cooperate diligently with law enforcement, and using their email gives you a false sense of security, and I wouldn't recommend it at all.

EDIT: Current TOR relay/exit node list: hxxps://metrics.torproject.org/networkstatus.html
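The mechanism this post describes, blocking by membership in the published exit-node list, as an added example that is not code from the post or from any site mentioned here. It parses a list in the TorDNSEL exit-address format (the `ExitNode` / `Published` / `LastStatus` / `ExitAddress` lines) and applies a site-side rule to a connecting address. The list contents are constructed (documentation-range addresses and dummy fingerprints), and `abuse_filter` is a hypothetical stand-in for whatever rule Hushmail actually runs.

```python
import ipaddress
from typing import Set

# Constructed sample in the TorDNSEL exit-address list format. The fingerprints
# and addresses are made up (RFC 5737 documentation ranges), not real relays.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2011-07-29 18:00:00
LastStatus 2011-07-29 19:00:00
ExitAddress 203.0.113.10 2011-07-29 18:30:00
ExitAddress 203.0.113.11 2011-07-29 18:45:00
ExitNode 0000000000000000000000000000000000000002
Published 2011-07-29 17:00:00
LastStatus 2011-07-29 19:00:00
ExitAddress 198.51.100.7 2011-07-29 17:10:00
ExitAddress not-an-address 2011-07-29 17:10:00
"""


def parse_exit_addresses(text: str) -> Set[str]:
    """Collect every ExitAddress entry into a set of normalised IP strings."""
    exits: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "ExitAddress":
            try:
                exits.add(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue  # malformed line: ignore it rather than guess
    return exits


def is_tor_exit(client_ip: str, exits: Set[str]) -> bool:
    """True if the connecting address is a listed exit; unparsable input is never an exit."""
    try:
        return str(ipaddress.ip_address(client_ip)) in exits
    except ValueError:
        return False


def abuse_filter(client_ip: str, exits: Set[str]) -> str:
    """Hypothetical site-side rule: reject any request arriving from a listed exit.

    Every Tor user behind that exit receives the same verdict, whatever account
    they log in with, because the rule never sees anything but the exit address.
    """
    return "blocked" if is_tor_exit(client_ip, exits) else "allowed"


if __name__ == "__main__":
    known_exits = parse_exit_addresses(SAMPLE_EXIT_LIST)
    for ip in ("203.0.113.10", "192.0.2.44"):
        print(ip, abuse_filter(ip, known_exits))
```

The caveat for anyone deploying such a rule is the one the thread is living through: the block is keyed on the exit address, so a new identity, a new account or a restart changes nothing until the circuit happens to leave through an exit that is not on the list.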
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: chronicpain on July 30, 2011, 07:51 pm
This has happened to me too. All I did was select a new identity and that solved the problem...
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: SR Discount Pharmacy on July 30, 2011, 08:28 pm
Do not use hushmail. I have heard nothing but bad shit about them over the years. The member above me is 100% correct about how they cooperate with LE.
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: CaptainSensible on July 30, 2011, 10:20 pm
Quote
This has happened to me too. All I did was select a new identity and that solved the problem...

I've had no troubles logging into my Lavabit.com account via Tor.

MtGox is another story.  When using Tor, I keep getting "Your IP address has been blocked due to numerous failed login attempts."  It's a new account; probably about 24 hours old.  I suspect my IP address is being blocked alright, but not because of failed logins.
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: OneOfMany on July 31, 2011, 06:57 am
I'm finding it harder than I'd have thought it'd be to find an alternative email provider who I can quickly sign up for when connected to tor without giving out any other information. I just want a mostly throwaway account so I can sign up at places like mtgox anonymously (or at least without tying my real IP address to my account there) ... what do other people use for this purpose?
I had, somewhat embarrassingly, been using gmail for that purpose, but they no longer allow new sign-ups through Tor. Someone here suggested safe-mail.net, which seems to work fine. It does have one very Tor-unfriendly security feature of forcing you to re-enter your password whenever your IP address changes, but this can be disabled.
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: ~shabang~ on July 31, 2011, 10:34 am
Quote
Someone here suggested safe-mail.net, which seems to work fine. It does have one very Tor-unfriendly security feature of forcing you to re-enter your password whenever your IP address changes, but this can be disabled.

Godammit.

DO NOT fuck around with features you do not understand, and DO NOT disable the re-verify password on IP change feature on safe-mail.net, or any other site you access over TOR. That is a TOR-friendly feature, in fact designed so the site can *safely* be used when your IP address changes often.

Safe-mail is attempting to ensure that it continues to be YOU, and not someone pretending to be you using a Man-In-The-Middle (MITM) attack to impersonate you and hijack your session, thereby gaining unrestricted access to your email account. As early as 4 years ago Mike Perry reported at the Black Hat 2007 Conference (hxxp://www.blackhat.com/presentations/bh-usa-07/Perry/Whitepaper/bh-usa-07-perry-WP.pdf) that during TOR Centralized Bandwidth and Load Scanning tests replay attacks by Chinese ISPs running nodes were very common. I'm sure since then everyone from the DEA to the NSA down to the local script kiddie on your block has got into the action.

Safe-mail, or any other site for that matter, uses several metrics to ensure that you are still you during a session. First off, it uses a unique session fingerprint when you first connect, which includes information from your connecting IP address. This is enough for the server, but might not be available or sufficient for the SAS app you are connecting to. To allow for changing IP's, the SAS further relies on either cookies, whether written to disk or ethereal session cookies, and possibly a unique session id.

Forcing an SAS app to rely on the session id alone is where you are inviting trouble. A malicious node intercepts your traffic, and replays it, pretending it came from them. They can be impersonating either you or the site at this point in time - they don't know which is which, and it doesn't matter to them. What they're waiting for is a successful response. If they replay a session of yours with a valid session id, but from a different IP address, the only way they are going to get in is if you have disabled the SAS app's IP address checking feature.

Also note that it doesn't matter that TOR has encrypted the packet(s) they're relaying. The attacker isn't trying to read your packets, it's trying to use them as a key. If all that takes is replaying an encrypted session id, they then simply act like they got a 304 in response, and the SAS app host then merrily renegotiates a NEW encrypted session, which is now that attacker playing merrily about in your mailbox.

Keep in mind, all this is automated on their end, and a malicious node can sift through billions of packets until it sees potential session header response packets, and then try to hijack millions of those.

All day.

Every day.

Finally, this shit isn't just 'theoretical' like the bullshit about you having to wipe your drive 35 times with different random data to safely delete it. (You don't, btw.) TOR by design changes your exit relay every 10 minutes under most circumstances, and gives you a new relay node each session. (Generally speaking, you only ever use 2 Guard nodes, which never change.) This gives malicious nodes lots of opportunities to sift through new traffic.

A peek at my TOR logs for the last 24 hours shows the following attempts by unknown third parties to initiate MITM / replay attacks:
Quote
Jul 30 19:32:34.396 [Warning] Possible replay detected! We received an INTRODUCE2 cell with same first part of Diffie-Hellman handshake 2 seconds ago. Dropping cell.
Jul 30 20:35:02.484 [Warning] Possible replay detected! We received an INTRODUCE2 cell with same first part of Diffie-Hellman handshake 1 seconds ago. Dropping cell.
Jul 30 22:08:59.083 [Warning] Possible replay detected! We received an INTRODUCE2 cell with same first part of Diffie-Hellman handshake 5 seconds ago. Dropping cell.
Jul 30 23:54:37.419 [Warning] Possible replay detected! We received an INTRODUCE2 cell with same first part of Diffie-Hellman handshake 3 seconds ago. Dropping cell.
Jul 31 00:35:33.476 [Warning] Possible replay detected! We received an INTRODUCE2 cell with same first part of Diffie-Hellman handshake 2 seconds ago. Dropping cell.
Jul 31 10:15:39.498 [Warning] Possible replay detected! We received an INTRODUCE2 cell with same first part of Diffie-Hellman handshake 1 seconds ago. Dropping cell.

Note that these attempts at replay attacks are common, and aren't directed at anyone in particular, but rather are a wide net cast by malicious exit and relay nodes, and even possibly a 'trusted' guard node.

So when your IP address changes, and safe-mail asks you to verify you are really you before proceeding, smile, and thank the folks who put that feature in there to protect you.
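The re-verify-on-IP-change behaviour the post above defends, as an added example that is not safe-mail's code and not from the post: a minimal in-memory session store that can either bind each session to the address it was issued to, or trust the session id alone (the setting the earlier poster disabled). `demo` presents the same session id from a second address under both settings, then shows the legitimate user clearing the prompt with a password. All addresses and the user name are constructed.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: str
    client_ip: str            # address the session was issued to (an exit node, under Tor)
    needs_reverify: bool = False


class SessionStore:
    """In-memory session table.

    bind_to_ip=True: a known session id arriving from a new address is not
    trusted until the password is re-entered (the safe-mail behaviour).
    bind_to_ip=False: the session id alone is enough, from anywhere.
    """

    def __init__(self, bind_to_ip: bool = True) -> None:
        self.bind_to_ip = bind_to_ip
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, client_ip: str) -> str:
        sid = secrets.token_urlsafe(32)   # 256 random bits; not guessable, only stealable
        self._sessions[sid] = Session(user, client_ip)
        return sid

    def check(self, sid: str, client_ip: str) -> Tuple[str, Optional[str]]:
        """Return ('ok', user), ('reverify', user) or ('denied', None)."""
        s = self._sessions.get(sid)
        if s is None:
            return "denied", None
        if self.bind_to_ip and s.client_ip != client_ip:
            # Flag the session, so a later retry from the original address
            # cannot quietly skip the prompt either.
            s.needs_reverify = True
        if s.needs_reverify:
            return "reverify", s.user
        return "ok", s.user

    def reverify(self, sid: str, client_ip: str, password_ok: bool) -> bool:
        """Re-bind the session to the new address only after a successful password check."""
        s = self._sessions.get(sid)
        if s is None or not password_ok:
            return False
        s.client_ip = client_ip
        s.needs_reverify = False
        return True


def demo() -> Dict[str, str]:
    """Same session id replayed from a second address, with and without IP binding."""
    results: Dict[str, str] = {}
    for label, bound in (("bound", True), ("unbound", False)):
        store = SessionStore(bind_to_ip=bound)
        sid = store.login("alice", "203.0.113.10")               # issued via exit A
        results[label] = store.check(sid, "198.51.100.7")[0]     # presented from address B
    # The legitimate user whose circuit moved to exit B passes the same gate
    # by re-entering the password; a holder of the bare session id cannot.
    store = SessionStore(bind_to_ip=True)
    sid = store.login("alice", "203.0.113.10")
    store.check(sid, "198.51.100.7")
    store.reverify(sid, "198.51.100.7", password_ok=True)
    results["after_reverify"] = store.check(sid, "198.51.100.7")[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The trade-off the thread is arguing about is visible in `demo`: with binding on, every circuit change a Tor user goes through produces the same prompt as an attacker replaying the id, and only the password distinguishes the two.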
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: sony111 on July 31, 2011, 07:18 pm
Quote
no idea. You can try safe-mail.net. You cxan also you pgp and regular email.

Safemail will show your ip-address in the header, might as well use hotmail (and their encryption is likely backdoored, as with hushmail etc.)
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: joeblow2 on July 31, 2011, 07:41 pm
Quote
no idea. You can try safe-mail.net. You cxan also you pgp and regular email.

Safemail will show your ip-address in the header, might as well use hotmail (and their encryption is likely backdoored, as with hushmail etc.)

If there is someone who really *knows* the situation with Hushmail and Safe-Mail I would love an explanation. Hushmail says they use PGP although it is an internal version (they call Hush 3.0) but claim it is public PGP although I don't think it's backwards compatible. I only know of Hushmail cooperating with LE and even then the situations I know about LE (read DEA) was only able to read the unencrypted emails on people's accounts (you have a choice to use unencrypted so you reach addys that don't have encryption, like outside the Hushmail system). AFAIK, LE never did see the encrypted emails...and this was a case I saw a lot of personally. I know other people who have done this biz via Hushmail for a very very long time who never have been even questioned. And the product names, etc *are* in the body, not headers, of those emails.

Safe-Mail is similar to Hushmail, AFAIK, in that it is encrypted on a server and is only unencrypted when it arrives at your mailbox. If you contact it via Tor, wouldn't you have no problem with the IP addy? Again, as long as you write email to another safe-mail addy, it is always encrypted. AFAIK.

The only one I've seen that is more secure is Countermail.  You have to pay for it, even if you want a basic account.  But their explanation of their system sounds very very secure.  I would be interested to hear from anyone who has used it, I never have, just read all the info.

Whatever system you use, it sounds like it is very secure as long as you stay *inside* the system. IF you go to another addy, then you might as well use Gmail or Hotmail. That's my basic understanding. I would welcome someone who knows more to weigh in...and heavily. ;)

ETA: I hope Shabang would weigh in here.  I just read his posting and see he knows quite a bit about this situation. :)
Title: Re: Hushmail.com has somehow "blocked my computer" from its site, I use Tor... HOW?!
Post by: ~shabang~ on July 31, 2011, 08:22 pm
Quote
Safemail will show your ip-address in the header

No it won't. See further below: the full headers of the test and response I just performed.

EDIT: I assumed you meant your real IP address. If you meant your TOR exit node IP address, well of course every email header contains the initiating address, that's part of the RFC. The point is, if you are using TOR properly with any email provider, your REAL IP address is safe. Emphasis on the PROPERLY part.

Quote
their encryption is likely backdoored, as with hushmail etc.

Exactly. You better believe their encryption is back-doored.

Sites like safe-mail and hushmail are offering you security from an 'outside attacker' gaining access to your email. Government agencies aren't outside attackers.

Anyways, the tests. Running TOR with malicious javascript hooks disabled, of course, and noscript, on a windows boxen.

In neither email is anything close to my real IP revealed, merely the exit nodes used.

Email addys have been changed to protect the innocent, but nothing else.

One email is from an external hotmail account to safe-mail, and the other is forwarded from within safe-mail to another safe-mail account.

There is about an eight minute difference between them as I took the time to set up a second safe-mail test account to forward to.

Quote
From xxtestxxaccountxx@safe-mail.net Sun, 31 Jul 2011 15:33:30 -0400
Received: from gefen.safe-mail.net ([192.168.13.74])
 by tapuz.safe-mail.net with smlocal (smtas 1.2);
 Sun, 31 Jul 2011 15:33:38 -0400
DomainKey-Status: not-signed (failed-get-policy)
X-SMTests: G00nmp0i0b0ar00u
Received: from mailout-us.gmx.com ([74.208.5.67])
 by gefen.safe-mail.net with esmtp (smtpd 1.0)
 id N1G-4qyJM5JTl4
 for xxtestxxaccountxx@hotmail.live.com; Sun, 31 Jul 2011 15:33:30 -0400
Received-SPF: no-spf
Received: (qmail 24710 invoked by uid 0); 31 Jul 2011 19:33:30 -0000
Received: from 78.31.70.182 by rms-us017 with HTTP
Content-Type: multipart/alternative;
 boundary="========GMXBoundary53781312140810100682"
Date: Sun, 31 Jul 2011 19:33:28 +0000
From: xxtestxxaccountxx@safe-mail.net
Message-ID: <20110731193330.53780@gmx.com>
MIME-Version: 1.0
Subject: Headers
To: xxtestxxaccountxx@hotmail.live.com
X-Authenticated: #118378635
X-Flags: 0001
X-Mailer: GMX.com Web Mailer
x-registered: 0
X-GMX-UID: O5wTZiuyiDz7bqN0ZGxpq5drZml1ZFiU

--========GMXBoundary53781312140810100682
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit

Headers.

 How do they work?

--========GMXBoundary53781312140810100682
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Quote
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
 s=N1-0105; d=Safe-mail.net;
 b=d9Vi2+AeInZtNvk3U3vJN492sqVzbqrxhSzF8Pjs9LpWMHtHOKCUaB8fcSfu8UDr
 FJoiqkT857jAhvf00Jwy50bEmw5FjfdEzj6EnC/6+Vf2CMN+JufThH0JIixKthEL
 gSP8Zz5q0iivkXWnUNMyq8U/DJ/bsljQDvuQF617zvw=;
Received: from pc ([94.103.170.233]) by Safe-mail.net with https
Subject: Re: Headers
Date: Sun, 31 Jul 2011 15:41:42 -0400
From: xxtestxxaccountxx@hotmail.live.com
To: xxtestxxaccountxx@safe-mail.net
X-SMType: Regular
X-SMRef: N1-EvzV8Hrzer
Message-Id: <N1-EvzV8Hrzer@Safe-mail.net>
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="-----5KVYT3G4Q6BC2-4E35AFF6.7AD9-L9Y0JA6PWR4JQ-----"
X-SMSignature: mkSHbAnuhyZAIzsyTBgWgTSHK7ZZPbKU0U2NYx2RsuW/xk7P2tm530HEega2GV3P
 /eupRnxJLMe42CJzQD7RTCY/8Q6Fap4aNoOzppaBrc3ggH7TUAaZdFWUv+0dr74k
 lgA5FfgzSlitow2m7WXNj2pcxcH41kjpd1cbykhXK2s=

This is a multi-part message in MIME format.

-------5KVYT3G4Q6BC2-4E35AFF6.7AD9-L9Y0JA6PWR4JQ-----
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit



-------- Original Message --------
From: xxtestxxaccountxx@hotmail.live.com
To: xxtestxxaccountxx@safe-mail.net
Subject: Headers
Date: Sun, 31 Jul 2011 19:33:28 +0000
 

> Headers.
>
> How do they work?

-------5KVYT3G4Q6BC2-4E35AFF6.7AD9-L9Y0JA6PWR4JQ-----
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit


Hushmail deserves a thread on its own, and that's something I'll get to in the next day or so, but the short version is DO NOT EVER USE HUSHMAIL.

If you allow the javascript hooks that are required to download and run the hushmail java applet, it reports back your true IP address.

If you don't allow the javascript applet, even once, your account is forever compromised as hushmail stores the symmetric key (the important thing your Public Key wrapper protects!) required to decrypt your messages. Changing your password doesn't make a difference.

Any email account should be treated like a post card.

Anyone can read it.

If YOU don't encrypt it yourself, it is vulnerable to unwanted third parties reading it.

You CAN NOT rely on a third party safely encrypting data for you.

TL;DR
Neither safe-mail nor hotmail reveal your true IP address when you are using TOR properly.
Neither safe-mail nor hushmail encryption is a substitute for encrypting things yourself before you send them.
Their encryption is a marketing ploy, and not a substitute for safe data handling habits.
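The check this post performs by eye on the two header dumps, as an added example that is not code from the post or from safe-mail: walk the `Received:` headers, pull out every IP literal, and report the bottom-most one, which is the address the first mail server or webmail front end saw connecting. Under Tor that is an exit node; without Tor it is the sender's own address. The two inputs are trimmed copies of the headers quoted above (only the `Received:` lines and a `Subject:` are kept), and `hop_kind` labels the internal 192.168.x hop so it is not mistaken for a sender.

```python
import email
import ipaddress
import re
from typing import List

# Received headers trimmed from the two test messages quoted above in this post.
# Every other header and the message bodies are dropped; the blank line ends the header block.
GMX_TO_SAFEMAIL = """\
Received: from gefen.safe-mail.net ([192.168.13.74])
 by tapuz.safe-mail.net with smlocal (smtas 1.2);
 Sun, 31 Jul 2011 15:33:38 -0400
Received: from mailout-us.gmx.com ([74.208.5.67])
 by gefen.safe-mail.net with esmtp (smtpd 1.0)
 id N1G-4qyJM5JTl4
 for xxtestxxaccountxx@hotmail.live.com; Sun, 31 Jul 2011 15:33:30 -0400
Received: (qmail 24710 invoked by uid 0); 31 Jul 2011 19:33:30 -0000
Received: from 78.31.70.182 by rms-us017 with HTTP
Subject: Headers

"""

SAFEMAIL_INTERNAL = """\
Received: from pc ([94.103.170.233]) by Safe-mail.net with https
Subject: Re: Headers

"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def received_ips(raw: str) -> List[str]:
    """IPv4 literals in each Received: header, top (latest hop) to bottom (earliest)."""
    msg = email.message_from_string(raw)
    found: List[str] = []
    for value in msg.get_all("Received", []):   # folded continuation lines stay in the value
        for cand in IPV4.findall(value):
            try:
                found.append(str(ipaddress.ip_address(cand)))
            except ValueError:
                pass   # a dotted number that is not an address (e.g. an octet > 255)
    return found


def originating_ip(raw: str) -> str:
    """Address recorded by the first hop, i.e. what the provider saw connecting.

    A Received: header carrying no address (the qmail line above) is skipped,
    so the result is the lowest header that actually names a peer.
    """
    ips = received_ips(raw)
    if not ips:
        raise ValueError("no Received: header carries an IP address")
    return ips[-1]


def hop_kind(ip: str) -> str:
    """Label an address so internal relay hops are not read as the sender."""
    return "private" if ipaddress.ip_address(ip).is_private else "public"


if __name__ == "__main__":
    for name, raw in (("gmx -> safe-mail", GMX_TO_SAFEMAIL), ("safe-mail internal", SAFEMAIL_INTERNAL)):
        hops = received_ips(raw)
        print(name, [(ip, hop_kind(ip)) for ip in hops], "origin:", originating_ip(raw))
```

Run against the two dumps this yields 78.31.70.182 for the GMX-originated message and 94.103.170.233 for the one composed inside safe-mail over https, the same two addresses the post identifies as exit nodes; the one private address (192.168.13.74) is a hop between two safe-mail hosts and says nothing about the sender.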