A great free service through TOR/JAP all encrypted & URL scrambled

Discussion in 'privacy problems' started by cafeshop, Aug 21, 2008.

Thread Status:
Not open for further replies.
  1. cafeshop

    cafeshop Former Poster

    Joined:
    Feb 20, 2008
    Posts:
    36
    Does it trust this free service https://tor-proxy.net providing routing all web surfing though his ssl connection and then routed through TOR/JAP network ? It works pretty well for users not wanting to install TOR/JAP softwares on their boxes and their ISP not blocking that site IP.
    Specially, this free service provides scramble URL.

    :D:doubt:o_O:blink:
     
    Last edited: Aug 24, 2008
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    No, you should specifically distrust it. It is a web interface for Tor/JonDym. That allows users to inject malicious code into your browser, and monitor your internet traffic. Only use it for https, on websites you trust.
     
  3. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    It is a possible alternative to installing TOR and TOR button on your machine. It is probably more secure than any service that claims to give you privacy through their proxy, which for sure gives you no privacy from them.

    And as XeroBank says, when you are using this service, exchange sensitive data only on secure connections and with servers that you trust. Hey WAIT!! exchange sensitive data only on secure connections and with servers that you trust even when you are not using this service!!
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    https is a good practice, but not always practical. However, Tor/JonDoNym vs. a private proxy are two different threat models. Tor/JonDoNym allows anyone to participate and snoop into the connections, and they don't know the origination of the content. Private proxy networks do know the origination of the content, but supposedly don't snoop or inject into traffic sessions. The result means only use https for Tor/JonDoNym and reject all other traffic, and prefer to use https for private proxies but you don't need to reject all other traffic.
     
  5. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    I think that https is necessary in ALL cases in which you care about your data being readable only by the legitimate recepient (read it homebanking, online purchases, webmails, and so on). In all other cases, it is not useful, but it doesn't hurt. This is valid wheter you use any kind of VPN/anonymizer or not.

    About the possibility for the last hop of a TOR network to inject arbitrary code... I agree, it is possible. It is even real. This why you wanna secure your host. On the other hand, arbitrary content being injected by the TOR network is only an extra possibility, that requires no more attention (probably less) than the malware content that might be injected itself by the website you are visiting or the email you are opening.
    If we are dealing with privacy, I think that TOR works better than any Private Proxy, since nobody in the chain knows both the origin and the target of the traffic (in particular, the first hop knows only the origin, the last hope knows only the destination, the second hop knows nothing).

    And about Private Proxy networks not snooping your browsing habits... well this is "supposedly", as you said. And supposedly they don't inject content in the traffic. But who knows? On the other hand, the Private Proxy owner, without disclousing your private data to others, might easily use it itself without anybody knowing. In my opinion, if the data exists, it will be used/inspected somehow, at some point.
     
  6. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    While I agree, and have agreed that https should be used for anything critical, the web is not https, and shouldn't be expected to be. It would be a nice world to live in, but it isn't the world we live in.

    Regarding public participation networks: Users are always vulnerable to traffic analysis, injection, and sniffing, and it is exceptionally easy to do that. Any day of the week a hacker can set up a tor exit node and start stealing passwords and injecting malware, including "phone-home" code to discover the identity and location of the users. That can't happen on private proxy networks because they don't get to participate.

    The fact is that public participation networks provide attack vectors and opportunities that private networks don't. No matter how mitigated, the attack vector is still there for public nets, and not there for private nets, and there is no shortage of clever hackers.

    Private networks will not be subject to sybil attacks. Private networks will not be subject to injection. Private networks will not be subject to unauthorized snooping. Private networks are not easily hooked-into for those purposes. Public networks suffer all these problems and more.

    Now lets look at it from the other direction. Public networks will not be able to prevent timing or frequency attacks. Private networks will, either completely or partially. And this is before you get into all the ancillary properties of these networks, like speed, latency, observability, etc. Public networks are just less capable because they involve explicit distrust domains instead of a single trust domain.

    A good solution for public networks is to make them darknets that can't reach the normal internet. That kills most of their attack vectors.
     
  7. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    I agree with most of what is in this post, besides 2 things:

    1) How can anybody be sure that Private Proxy won't control your browsing habits or snoop on them? Sure, there is a Privacy Policy, but there is no control on the internal behaviour of such private companies. It sounds like some sort of security through obscurity model, which is never something to trust.

    2) The internet is not on https, unfortunately this is totally true. On the other side, no user should exchange any information on an unsecured connection without considering the fact that such information could be easily acquired by an unauthorized person. This is valid whether you use a private anonymizer, a public anonymizer like TOR or no anonymizer at all. The use of TOR adds one possible attack (the exit node sniffing the traffic) to the thousands of other possible attacks for internet sniffing.
     
  8. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    To answer question 1)

    It comes down to this question of case scenario: Would you rather trust your traffic stream to
    A) a corporation that must maintain trust through a brand, image, support, and financial structure, who is paid to handle your traffic with propriety
    B) An unidentifiable hacker who has no vested interest in the security of your traffic
     
  9. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    This is not the question that needs to be answered. Or at least, not the only. The other question to be considered is:

    Would you prefer your personal data (browsing habits and so on) being owned by a private company (in the case you use a private anonymizer) or by nobody (in case you use something like TOR)?

    It depends on what is your main concern: privacy or not getting any code injected in the stream.
     
  10. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    fixed. You are trusting somebody with your traffic. Would you rather trust some random guy on the street corner with no credentials, or the corporation that may or may not have any trust. Some people prefer the hobo on the street corner.
     
  11. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    No way! The questions are 2, and not one to be asked.

    1) Do you prefer your data being owned by a private company or by nobody?
    2) Do you prefer your stream going through a known private company or through an unknown hop?

    You should answer "by nobody" to answer number 1 and "through a known private company" to question number 2. But since both correct answers cannot be picked at the same time, you should wonder whether PRIVACY is more important you (in this case you will use a public network such TOR) or security against malware/viruses (in this case you pick a private company).

    Since the last hop of a public network such TOR is not the only way to inject viruses/malware in the stream, and since there are methods advisable in order to defend by viruses/malwares, when I want Privacy I use a public network. I trust an Anonymizer to not snoop on my data as much as I trust my ISP... which is "not much trust".
     
  12. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    These are not either-or choices, that is a false dichotomy.

    The private company does not "own" the information any more than the tor exit node, you seem to be defining as "nobody".

    And choosing tor isn't the "privacy" versus "malware injection" because you aren't giving up privacy by choosing the corporation. For tor you get "anonymity" and give up trust that the exit node isn't injecting. For the proxy corp you get "anonymity" and don't give up trust that the exit node isn't injecting.

    This is perhaps best described in a choice matrix:

    --------------|--PUBLIC NETWORK--|--PRIVATE NETWORK--|
    -----------------------------------------------------------|
    PRIVACY------|-------YES----------|--------YES----------|
    -----------------------------------------------------------|
    NO INJECTION-|--------NO----------|--------YES----------|
    -----------------------------------------------------------|
    TRUST VECTORS|-------3-----------|---------1------------|
    -----------------------------------------------------------|
    DECENTRALIZED|-------YES---------|-------MAYBE---------|

    All things being equal, I would rather be forced to trust as few people as possible, with the ancillary benefit that I know who it is I am trusting, that they have a reputation and something to lose, and that they aren't going to be injecting traffic into my stream.
     
  13. markoman

    markoman Registered Member

    Joined:
    Aug 28, 2008
    Posts:
    188
    I do not agree with your view about this, and I will try one last time to explain why:

    If, for some reason, I want to surf as anonymous, I would like nobody/no company/no agency to know where I am going, neither now nor in 10.000 years. After I have taken all the necessary steps in order to make my host as anonymous as possible, I will need to make my internet streams anonymous as well.
    If I choose TOR, I know that in any moment no entity knows both 1) where I am connecting to and 2) from where a connection comes from, so that the first node of TOR doesn't know where my stream is headed and the last node of TOR (and the webserver I am connecting to) doesn't know where the stream comes from. This is the case in which the information about my browsing habits is never created, so just it doesn't exist.
    If I choose a private anonimyzer, I will hide my browsing habits from my ISP and I won't let know the website I am connecting to where I am connecting from. BUT the anonymizer provider will have all of these infromation, meaning who I am, what websites I am connecting to and when, for how long and even what I see on such websites... pretty much all the information I am trying to hide by my ISP. So the one who can snoop on my data moves from my ISP to my anonymizer provider. What is obvious, is that the private anonymizer makes me anonymous to the website I am connecting to and to attackers sniffing on the internet, but not to the provider itself. Now, I can trust the provider to be absolutely reliable and never ever disclose my personal browsing habits (or not), but I cannot trust the provider's server to be "leak proof" (like the XeroBank OS is claimed to be), so since the data exists, it could be found and used.

    And if now you tell me that you keep no logs of connections from your clients... sorry but I don't believe it.
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    So you're saying because this information is distributed among what appears to be multiple parties, that "nobody" has it. I'll disagree there and tell you I can be the exit-node on tor, and watch all your traffic, and deanonymize you at any time to discover who you are. There will always be ways to deanonymize public network users who are using the internet. But let's step back a second. You're feeling more secure because one party knows who you are but not your traffic, and another party knows your traffic but not who you are. We recognize the value in that, it's why xb implemented vaults. We don't know what traffic belongs to what accountholder identity. So I can agree with that. However, I think if you're worried about that from a security standpoint of tor, it may be a superficial distinction because of the injection powers granted to an evil exit node allow it to break your anonymity.

    And yes, no logs. That has been heavily discussed. We don't like logs, neither do users, so we don't make any or keep any unless exit nodes are detecting malicious activity.
     
  15. Dude111

    Dude111 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    212
    Looks pretty good!!

    I dunno if i would trust it though... Might be better installing TOR locally and using the SSL libraries to achieve the same thing.....
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The site FAQ (with commendable honesty) does make this very point (that it is more secure to use Tor or JAP directly). But for those who can't (unable to install client, unable to access entry nodes) it does provide an alternative.
     
Loading...
Thread Status:
Not open for further replies.