Wilders Security Forums  
  #1  
Old June 3rd, 2009, 01:12 AM
danielspencer2 danielspencer2 is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 39
Question Ideas to encrypt TOR entry and exit nodes

We all know with TOR that the weak points are that the initial connection to a TOR entry node is not anonymous, and that TOR exit nodes are unencrypted so the exit node operator can view all the traffic.

I was brainstorming for days and I cannot think of a solution to this problem, so I would like to ask if anyone here knows how TOR could encrypt exit and entry nodes?
  #2  
Old June 3rd, 2009, 03:37 AM
JokersWild JokersWild is offline
Infrequent Poster
 
Join Date: Nov 2008
Posts: 23
Default Re: Ideas to encrypt TOR entry and exit nodes

In theory at least, here's how Tor works:

Tor is designed to disassociate the content of your traffic from your IP address.

Thus: A Tor entry can know your originating IP address, but only knows it is passing an encrypted chunk of data along to another Tor node. The entry node does not know the ultimate destination of your traffic.

The Tor exit node can know the contents of your traffic, but only knows it has received an encrypted chunk of data from another Tor node.
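
The split of knowledge described in the post above, shown as an added example that is not part of the original thread: a three-hop onion is built and peeled so each relay's view can be inspected. The relay names, keys, addresses and the SHA-256 counter-mode toy cipher are assumptions made for illustration and are not Tor's actual cell format or cipher.

```python
import hashlib
import json

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in, not Tor's cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)

def wrap(key: bytes, next_hop: str, inner: bytes) -> bytes:
    """Add one layer: only the holder of `key` can read next_hop and inner."""
    layer = json.dumps({"next": next_hop, "inner": inner.hex()}).encode()
    return keystream_xor(key, layer)

def peel(key: bytes, blob: bytes):
    """Remove one layer, returning (next_hop, inner_blob)."""
    layer = json.loads(keystream_xor(key, blob).decode())
    return layer["next"], bytes.fromhex(layer["inner"])

def build_onion(hops, destination: str, payload: bytes) -> bytes:
    """hops is [(name, key), ...] from entry to exit; the exit layer is wrapped first."""
    onion, next_hop = payload, destination
    for name, key in reversed(hops):
        onion = wrap(key, next_hop, onion)
        next_hop = name
    return onion

def route(onion: bytes, client_ip: str, hops):
    """Pass the onion along the circuit and record what each relay can observe."""
    views, prev, blob = {}, client_ip, onion
    for name, key in hops:
        next_hop, blob = peel(key, blob)
        views[name] = {"from": prev, "to": next_hop, "inner": blob}
        prev = name
    return views

# Constructed sample values (hypothetical relays, documentation-range IP).
HOPS = [("entry", b"key-entry"), ("middle", b"key-middle"), ("exit", b"key-exit")]
CLIENT_IP = "203.0.113.7"
DESTINATION = "blog.example:80"
PAYLOAD = b"POST /comment HTTP/1.1 ..."

if __name__ == "__main__":
    views = route(build_onion(HOPS, DESTINATION, PAYLOAD), CLIENT_IP, HOPS)
    for relay, view in views.items():
        print(relay, view["from"], "->", view["to"],
              "| plaintext visible:", view["inner"] == PAYLOAD)
```

The exit relay recovers the payload in the clear, so confidentiality past the exit depends on the application traffic being encrypted end to end (for example HTTPS).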
  #3  
Old June 3rd, 2009, 04:48 AM
danielspencer2 danielspencer2 is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 39
Default Re: Ideas to encrypt TOR entry and exit nodes

But there is a way for authorities to trace the original IP address to its source if a person examined the exit node logs then went backwards until they reached the entry node, right?

Quote:
Originally Posted by JokersWild
In theory at least, here's how Tor works:

Tor is designed to disassociate the content of your traffic from your IP address.

Thus: A Tor entry can know your originating IP address, but only knows it is passing an encrypted chunk of data along to another Tor node. The entry node does not know the ultimate destination of your traffic.

The Tor exit node can know the contents of your traffic, but only knows it has received an encrypted chunk of data from another Tor node.
  #4  
Old June 3rd, 2009, 09:23 AM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ideas to encrypt TOR entry and exit nodes

Tor nodes are not "allowed" to keep logs. If they find out you keep logs or do injecting, they put you in a "badnode" list. So presumably, if every link in your circuit (3) kept logs they could find out who you are.

However, that doesn't really matter. It is easier to find out who you are than by asking nodes for logs. Aug 1, deanonymizer will be released, and will unmask virtually all tor users as an example of the results of poor implementation.
__________________
The Deep Packet Inspection in Act I will be used for domestic surveillance in Act II. | Ye shall know the truth, and the truth shall make you mad. ~Aldous Huxley
Never duplicated, frequently impersonated (on Usenet) | PGP Fingerprint: 4A83 2DB4 E8E5 46D9 59A1 3A3D D88F D7B7 BB67 8C30
  #5  
Old June 3rd, 2009, 10:36 AM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: Ideas to encrypt TOR entry and exit nodes

God that will be a spooky thought for a lot of people, I would think. I even read about some international government agencies being exposed once, just as an experiment.....and that was a long time ago.
__________________
A Billion for a Billion

http://www.wfp.org/1billion
  #6  
Old June 3rd, 2009, 10:41 PM
danielspencer2 danielspencer2 is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 39
Default Re: Ideas to encrypt TOR entry and exit nodes

Will deanonymizer unmask people using tor that's included in xb browser?

Quote:
Originally Posted by SteveTX
Tor nodes are not "allowed" to keep logs. If they find out you keep logs or do injecting, they put you in a "badnode" list. So presumably, if every link in your circuit (3) kept logs they could find out who you are.

However, that doesn't really matter. It is easier to find out who you are than by asking nodes for logs. Aug 1, deanonymizer will be released, and will unmask virtually all tor users as an example of the results of poor implementation.
  #7  
Old June 4th, 2009, 08:27 AM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ideas to encrypt TOR entry and exit nodes

It won't defeat the new xB Browser we release by Aug 1.
  #8  
Old June 4th, 2009, 10:46 AM
danielspencer2 danielspencer2 is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 39
Default Re: Ideas to encrypt TOR entry and exit nodes

So if I use the current xb browser to be anonymous on June 10th, are you saying when the deanonymizer is released that it would be able to find some info about me? Or does deanonymizer work in real-time so if a person has a tor exit node and they ran deanonymizer could they see my real IP?

Quote:
Originally Posted by SteveTX
It won't defeat the new xB Browser we release by Aug 1.
  #9  
Old June 4th, 2009, 11:18 AM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ideas to encrypt TOR entry and exit nodes

They are independent projects. I don't know if DeAnonymizer will currently work against the legacy xB Browser but our bug finders are terribly clever. Our replacement xB Browser will be very modern and defeat nearly every possible attack including those by DeAnonymizer (because of superior implementation and leakproofing).

DeAnonymizer does run in real time. So any Tor exit node or wordpress blog will be able to deanonymize you with our plugins, or you can visit deanonymizer and test yourself directly. There will be great wailing and gnashing of teeth.
  #10  
Old June 4th, 2009, 03:04 PM
snowdrift snowdrift is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 394
Wink Re: Ideas to encrypt TOR entry and exit nodes

Quote:
Originally Posted by SteveTX
There will be great wailing and gnashing of teeth.

Be careful, Steve. Your deep South fundamentalist Baptist roots are showing! ;-)
  #11  
Old June 4th, 2009, 03:29 PM
caspian caspian is offline
Very Frequent Poster
 
Join Date: Jun 2007
Location: Oz
Posts: 1,806
Default Re: Ideas to encrypt TOR entry and exit nodes

Could I have a side order of locusts to go with that?
  #12  
Old June 4th, 2009, 04:34 PM
arran arran is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 1,091
Default Re: Ideas to encrypt TOR entry and exit nodes

Do you have to use xB Browser for xerobank? Or can you use firefox for xerobank services?

What are the benefits of using xB Browser versus Firefox with cache disabled, NoScript, global cookies blocked, add-ons disabled, history disabled, Java disabled and referrer disabled?
__________________
Win7 64bit Ultimate
Sandboxie | Applocker | Admuncher | Macrium Reflect | TrueCrypt |
FF Add On's | Greasemonkey | Secure Login | Noscript | Ant Video downloader | Status 4 evar
  #13  
Old June 4th, 2009, 05:21 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ideas to encrypt TOR entry and exit nodes

No, you don't have to use xB Browser for XeroBank. XeroBank is a full VPN, meaning all your existing programs, browser, applications, games, etc are fully anonymized and encrypted through the XeroBank network. However, you can continue to use the xB Browser in addition to XeroBank's anonymous service to help you avoid phishing and evil websites, but it isn't required for anonymity if you already have xB VPN running.

xB Browser is significantly more complicated than any setup you can do with firefox. In addition to all those simple plugins, it is preconfigured to block all mime types, to disable hidden and rogue plugins, has external profile management, search and destroy flash cookies, profile protection to prevent users from compromising their own anonymity, awareness of firewalls and networking, threat model management for both VPN and Tor access, built-in tor and VPN process management, and lots more.
  #14  
Old June 4th, 2009, 06:44 PM
arran arran is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 1,091
Default Re: Ideas to encrypt TOR entry and exit nodes

How do you get the trial to work? What pin number do I enter here?

Why isn't there a separate download for the browser?
  #15  
Old June 4th, 2009, 07:02 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ideas to encrypt TOR entry and exit nodes

Just enter in your access account number you were emailed. It won't ask you for a PIN if you entered it in correctly. Why would there be a separate download for the browser? It's all contained in the single installer.
  #16  
Old June 4th, 2009, 08:07 PM
kareldjag kareldjag is offline
Frequent Poster
 
Join Date: Nov 2004
Location: Feet in France, Mind in the World
Posts: 517
Default Re: Ideas to encrypt TOR entry and exit nodes

Hi,

In fact there is a way to harden Tor, and I am really wondering why SteveTX has not talked about it before... maybe he was not aware of it, which makes me doubt his level of expertise, or maybe he has censored himself for conflict-of-interest reasons... bad points in both cases...
With OnionCat it is possible to build VPN connections on Tor hidden services.
OnionCat was presented at the beginning of the year at the Chaos Computer Club Congress:
http://events.ccc.de/congress/2008/F...s/2828.en.html
http://www.cypherpunk.at/onioncat/

OnionCat hardens Tor against a few issues (http://events.ccc.de/congress/2008/F...s/2977.en.html ) like DNS leaks ( https://wiki.torproject.org/noreply/...AQ#SOCKSAndDNS ) for instance.
As I use a cable ISP with a fixed IP I sometimes use Tor, and I guess that services like Xerobank will be more and more used in France after the HADOPI law:
http://www.edri.org/edri-gram/number...-strikes-voted
Except for those who want fast surfing, and then downloads, paid anonymity services like Xerobank are not necessary: I trust Tor more than Xerobank, and who knows? What proves that this last one is not a trojan of the NSA?

Of course, as for anyone who takes their privacy seriously into consideration, OnionCat is for those who begin FIRST by forgetting Windows...
And of course, a hardened Tor configuration only protects internet activities, and since crime has any relation and echo in real world, there are therefore many ways to catch those who have illegal things to hide...

rgds
__________________
Independent vision of Security (Security? Yeah But Well: http://www.ouaismaisbon.ch/ )
Fight child crime: http://www.circamp.eu/ http://www.virtualglobaltaskforce.com/
  #17  
Old June 4th, 2009, 08:15 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ideas to encrypt TOR entry and exit nodes

You should read what the user asked before you start making ad hominem attacks. This isn't a question of hardening tor, or tor hidden services. If we were talking about hardening tor, I would suggest JanusVM or TorVM, which were both developed by two folks, one of whom is on the XeroBank team, and which was developed 1+ years later than XeroBank's xB Machine VM which runs on both Tor and XeroBank, which is 2+ years before OnionCat. You've been enlightened, enjoy.
  #18  
Old June 4th, 2009, 08:26 PM
kareldjag kareldjag is offline
Frequent Poster
 
Join Date: Nov 2004
Location: Feet in France, Mind in the World
Posts: 517
Default Re: Ideas to encrypt TOR entry and exit nodes

Funny... a Xerobank self-advertising reply to a Xerobank anti-marketing post... I could not expect more from SteveTX.
Sorry but I am quite bored with SteveTX spam advertising campaigns on this board, especially for a stinking business.
I just wanted to tell it by ABC.
  #19  
Old June 4th, 2009, 08:54 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ideas to encrypt TOR entry and exit nodes

If I could keep users from asking these questions on wilders and send it to xb forum, I would. The fact is that someone asked, I gave them the exact answer, no more no less. You walk in, talk trash and have an off topic post about hidden services which neither addresses the original topic nor the current thread. If you just wanted to be acrimonious, you didn't need a pretense about onioncat.
  #20  
Old June 5th, 2009, 12:30 AM
danielspencer2 danielspencer2 is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 39
Default Re: Ideas to encrypt TOR entry and exit nodes

So why hasn't tor included OnionCat inside it or developed their own OnionCat?

Quote:
Originally Posted by kareldjag
Hi,

In fact there is a way to harden Tor, and I am really wondering why SteveTX has not talked about it before... maybe he was not aware of it, which makes me doubt his level of expertise, or maybe he has censored himself for conflict-of-interest reasons... bad points in both cases...
With OnionCat it is possible to build VPN connections on Tor hidden services.
OnionCat was presented at the beginning of the year at the Chaos Computer Club Congress:
http://events.ccc.de/congress/2008/F...s/2828.en.html
http://www.cypherpunk.at/onioncat/

OnionCat hardens Tor against a few issues (http://events.ccc.de/congress/2008/F...s/2977.en.html ) like DNS leaks ( https://wiki.torproject.org/noreply/...AQ#SOCKSAndDNS ) for instance.
As I use a cable ISP with a fixed IP I sometimes use Tor, and I guess that services like Xerobank will be more and more used in France after the HADOPI law:
http://www.edri.org/edri-gram/number...-strikes-voted
Except for those who want fast surfing, and then downloads, paid anonymity services like Xerobank are not necessary: I trust Tor more than Xerobank, and who knows? What proves that this last one is not a trojan of the NSA?

Of course, as for anyone who takes their privacy seriously into consideration, OnionCat is for those who begin FIRST by forgetting Windows...
And of course, a hardened Tor configuration only protects internet activities, and since crime has any relation and echo in real world, there are therefore many ways to catch those who have illegal things to hide...

rgds
  #21  
Old June 5th, 2009, 12:34 AM
danielspencer2 danielspencer2 is offline
Infrequent Poster
 
Join Date: Jun 2009
Posts: 39
Default Re: Ideas to encrypt TOR entry and exit nodes

So just to confirm, here is a scenario:

1) Person using current version of xb browser makes an anonymous comment in a wordpress blog today. Currently blog owner will not be able to trace the original IP address the comment came from.

2) When deanonymizer is released later this year, the blog owner can use deanonymizer to trace the original IP address of the comment that was made a few months ago?

Is this scenario true or false?

Quote:
Originally Posted by SteveTX
They are independent projects. I don't know if DeAnonymizer will currently work against the legacy xB Browser but our bug finders are terribly clever. Our replacement xB Browser will be very modern and defeat nearly every possible attack including those by DeAnonymizer (because of superior implementation and leakproofing).

DeAnonymizer does run in real time. So any Tor exit node or wordpress blog will be able to deanonymize you with our plugins, or you can visit deanonymizer and test yourself directly. There will be great wailing and gnashing of teeth.
  #22  
Old June 5th, 2009, 09:15 AM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ideas to encrypt TOR entry and exit nodes

DeAnonymizer will only work if the blog owner used it to scan the commenter while the commenter was on his website.
  #23  
Old June 5th, 2009, 04:46 PM
arran arran is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 1,091
Default Re: Ideas to encrypt TOR entry and exit nodes

Quote:
Originally Posted by SteveTX
DeAnonymizer will only work if the blog owner used it to scan the commenter while the commenter was on his website.

If that's the case then it would be very difficult to use DeAnonymizer, because after the blog page has been downloaded to your browser isn't the connection broken? The only time there is a physical connection is when your browser is loading a page, which is only for what, 1 or 2 seconds?
  #24  
Old June 5th, 2009, 04:52 PM
SteveTX SteveTX is offline
Very Frequent Poster
 
Join Date: Mar 2007
Location: TX
Posts: 1,641
Default Re: Ideas to encrypt TOR entry and exit nodes

Yes and no. The blog plugin has a mode where it can be set to start scanning using a hidden iframe that will stay open across the site regardless of navigation, or can start scanning while the user is writing a comment (to keep out spammers).

It will quickly do an IP scan for network detection (instant) and can ban based on proxy detection, then it loads up about 25 proxy-breaking tests which take a half second to 3 seconds or so to complete each but can be run concurrently.

The point is not to be some evil tool but to demonstrate to everyone that they aren't as anonymous as they are being led to believe. This will change the game and put nearly all "anonymity" (privacy) services and networks to shame.
  #25  
Old June 5th, 2009, 05:32 PM
arran arran is offline
Very Frequent Poster
 
Join Date: Feb 2008
Posts: 1,091
Default Re: Ideas to encrypt TOR entry and exit nodes

Quote:
Originally Posted by SteveTX
Yes and no. The blog plugin has a mode where it can be set to start scanning using a hidden iframe that will stay open across the site regardless of navigation, or can start scanning while the user is writing a comment (to keep out spammers).


FF NoScript blocks IFrame. Would this prevent it?

All times are GMT -4.