Jap vs Tor vs Ghostsurf vs ........etc

Discussion in 'privacy technology' started by mack_guy911, Aug 23, 2007.

Thread Status:
Not open for further replies.
  1. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    which of the following is best according your view......

    i tried TOR and JAP a long time before i just wonder its kinda ip sharing tool i share some else ip to hide my ip mask(get anonymous)while some else also sharing my ip to to (get anonymous) so where is the security of my ip if some is using it.
     
  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi mack_guy911 :)


    1)

    Internet works with IP addresses. No IP addresses, no Internet.
    So you have to use one of these IP addr. Right?

    2)

    All data transmitted over Internet are in clear with few exceptions. The data is transmitted not directly form the source to the destination but are relayed by many routers until the data reach the destination and this is done in clear (readable).


    Now the idea under Tor is to encrypt the data, relay this data by many "onions router" and finally reach the destination from an other IP addr. than yours in non-encrypted format...

    This solve the problem of IP address: the one used to connect to a web site is not your addrress but the one of the exit onion router...

    This solve the problem of data transmittted in clear: everythings is encrypted until it reach the exit node.

    With Tor you have the choice to be:

    a client only (your PC is never an exit node)

    a relay in the network (no exit from your computer)

    a client server: your PC is client of Tor , a relay and an exit node.

    This is not a perfect and totally safe solution for privacy but poeple of Tor are very clear about this...

    :)
     
  3. mack_guy911

    mack_guy911 Registered Member

    Joined:
    Mar 21, 2007
    Posts:
    2,677
    thanks for your ans but what about gostsurf did any tried that
     
  4. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I tried GhostSurf in the past and, while it worked nicely, it caused problem with loading certain pages (gmail in particular iirc).

    JAP and Tor dont cause such problems iirc but they are much slower.
     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Check out Xerobank at http://xerobank.com .... So much better than GhostSurf. Too many ways to even go into in this post. Visit their website and go to "Services" and try XeroBank PLUS. There is a free trial as well. Steve (founder of Xerobank) posts here at Wilders and is widely respected within privacy circles.
     
  6. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    The issue is two-fold:
    1) anonymity to preserve privacy, and
    2) encryption to preserve security.

    The question is where does anonymity and/or security kick in?

    Think of the problem as related to each hop from your browser/client rquest to the destination and back to your browser/client:
    1) From you browser/client to your ISP
    2) Thru your ISP to the Tor entry node
    3) Thru the Tor network
    4) Out the exit node of Tor network to the destination
    5) Back from the destination to the Tor network
    6) Thru the Tor network to the exit node homebound
    7) From the Tor exit node back to your ISP
    8 ) Back thru your ISP to your browser/client

    Step 2) and step 7) are the worry points. We know that Tor delivers clear text to the destination without your IP address. Upon exit from the Tor network on the rebound leg from the Tor exit node to your ISP, it is unclear to me whether there is any encryption on the homeward bound leg, as well as, the outbound leg from the onion proxy to the Tor network through your ISP. If these parts of the transmission are not encrypted - then the ISP can see traffic to/from Tor from/to your computer.

    My understanding, and I could be wrong on this, is that unless the outgoing request from your browser/client is encrypted, your ISP can map where you visit on the Internet, i.e. they can see everything both outbound hop, and inbound hop of every request.

    The question is where does Tor encryption kick in? Starting at your browser/client, or solely within the Tor network but not beyond either the entry or the exit nodes?

    Afaik, Privoxy which is often used for filtering and privacy with Tor does not add encryption - it does add privacy to the application layer though. Also, since an onion proxy client is setup on your computer to use Tor, it uses a SOCKS interface which is usually to negotiate through a firewall transparently. Afaik, SOCKS does not provide encryption. I could be wrong, especially if there is a way to setup SOCKS to use encryption. The idea is to tunnel your request through the ISP on both legs of the request/response so that the ISP cannot see your details - i.e. the ISP would only know that traffic is going to/coming from a Tor network entry/exit node.

    I know that GhostSurf uses encryption from your computer so that the ISP cannot see your traffic details, however, GhostSurf servers probably can I'm guessing.

    Anyone who knows definitively, please provide an answer.

    -- Tom

    P.S. xerobank looks fairly secure and anonymous. JAP, I would not trust as I understand the German government requires a backdoor. Tor - I just do not know enough about their details especially after reading the Ars Technica article about the security with Tor this week Security expert used Tor to collect government e-mail passwords.
     
  7. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    XeroBank

    Allow me to elucidate.

    1) What level of anonymity do you need? Yes, a hairy question. But this can easily be broken down. What are your risks? Do you need to just protect surfing, or do you need anonymized VOIP and IM as well?

    2) We always suggest end to end encryption. That means using https whenever possible. Only you can enforce end to end. However, XeroBank will provide the encryption from your server to ours and back.

    Personally, I think the biggest problem with tor is 4 and 5:

    This was recently given a little more attention because a rogue person decided to log the exit traffic to collect passwords and credentials. If you weren't using end-to-end encryption, your password and login got stolen and exposed. This is a problem with Tor because anyone can become an exit node and start sniffing exit node traffic from people who have a false sense of security because they don't understand the risks of the security model they are using. At XeroBank, we control all the exit nodes, and we don't log. In addition, we made sure our admins are not sniffing traffic because we use independent auditors to randomly check the exit nodes. Not to mention, all our software is free and open source.

    With XeroBank, we have the strongest privacy policy of any corporation on the planet, and unlike every other privacy provider, we are not subject to US, UK, EU jurisdiction, court orders, subpoenas, national security letters.
     
  8. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    You mean if I connect to Tor and log into my online banking webpage and request my account info, a person can not only get my banking info, but they can see my username and password too? Even with keyscrambler?
     
    Last edited: Sep 15, 2007
  9. Dogbiscuit

    Dogbiscuit Guest

    No. Most all banks use HTTPS which would encrypt your connection completely, regardless of whether you're using a proxy or not.
     
    Last edited by a moderator: Sep 15, 2007
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    Hi Torrify,

    The only question I have about xeroBank then is who audits the "independent auditors"? A fair question that needs to be considered in any security model. If there are more than one independent auditor, do they audit themselves or each other, and what's to prevent collusion? This is the same problem that exists with various security models with layers of security (Top Secret colluding with Confidential for example) Note: these are only practical questions and have likely already been considered by xeroBank I would presume.

    Yes, end-to-end encryption is the only way to provide security currently, at least for the near term forseeable future until quantum computers come into use. After that security again becomes the figment of the imagination it always was and always will be. Oh well, I suppose quantum computing will give rise to quantum encryption as quantum security - a double edged sword to be sure. On the one hand, quantum encryption will provide increased security models, however, when attacked with the equal or better force of quantum computing - one can only guess that timing will be of the essense for any vulnerability gaps (the weakest link) that can potentially be exploited (if at all possible).

    -- Tom
     
  11. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Steve,

    And while you're at it, who audits the auditors of the independent auditors? :)
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Re: XeroBank

    But how certain can you be that the network provider/ISP at your exit nodes is not logging? Or anyone else with access to the connection between a XeroBank exit node and the destination site? (especially if a major network hub is traversed). Having vetted exit nodes can be a benefit in lowering the chances of a rogue operator (which is something that JAP claims also) but it can't guarantee the privacy of unencrypted data and it is a corresponding weakness in that you have fewer exits, meaning that the network can be more easily blocklisted or monitored as a whole.

    The key point that users should consider is from whom they wish to protect their privacy and with what traffic. Tor has several hundred exit nodes so there is no way for a malicious operator to be able to target a specific user - they can only sit there and see what comes through. And they can only identify a user if their traffic contains personally identifiable data in plaintext - so anything using https is protected as mentioned above. The problem was that some users chose to route plaintext email traffic through Tor, which is only worth doing if your normal connection is unsafe - even then it is better to use encrypted email (IMAPS/POP3S/SMTPS) or HTTPS webmail (Hushmail, GMail, etc).

    The downside is that there is no way of completely protecting unencrypted traffic (including logins to vBulletin forums like here) since it has to be sent in the clear at some point.
     
  13. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Good question. I'm not yet authorized to say how our audit protocol works, and we will publish it, but essentially it is like this. Admins are assigned to exit nodes. The admin who is assigned to the exit node is not known by the auditors. The admins are not known to the auditors. Nodes must be audited every random(0 to max) days. The auditor comes in, does the auditing dance, and sends his report upstream (and shortly, public) and notifies the CSO an audit has been completed. The CSO comes through and changes the server keys and distributes a new key to the admin, and may perform an additional audit himself. Admins are not notified of an audit ahead of time, only after the fact. We have multiple auditors, who all audit the same machines. For there to be successful collusion, an admin and all auditors would have to collude, and depending on luck, the CSO as well. The CSO has a strong disincentive to collude. The trick is rotating the auditors through the same system, and having an incentive system for finding bugs and problems, and disincentive for not finding them.

    Now there may be some cries as to "that isn't perfect!", well nothing is. However, it sure is lightyears ahead of any other offerings, and beats the alternative of having no audits at all, which is the standard practice.
     
  14. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: XeroBank

    We aren't claiming to be unobservable, which is parcel to your argument. We just add an additional lining of honesty to the system by making it hard for our own admins to gimmick the system and reduce anonymity. If anyone along the destination wants to view the unencrypted data, it is possible. But in these instances, we aren't worried about that. The data has been anonymized, and put out of reach of their own ISP and local network. If they need additional encryption, then they use HTTPS or some other crypto protocol. It is a moot point to worry about plaintext observation, as end-to-end encryption is the client's responsibility.

    Well it is interesting you say that. When Torrify had a forum, it was https accessible, so you didn't have to give up a plaintext credential. Who's fault is it most forums aren't encrypted? The forum admins squarely should shoulder the responsibility. Anytime you are exchanging credentials, they should be encrypted, but alas the internet isn't a perfect place. We can only control what goes on in the XeroBank network ;)

    Regarding data in the clear, it reminds me of a discussion i had with an auditor. We were discussion encrypted partitions, and he was saying "what good is an encrypted partition if the data is decrypted in memory and just sits there?" and I thought that was a clever point: the data is decrypted somewhere. There is always somewhere it is sitting in plaintext, eventually. Be it in your cache during an https session, RAM chips, or just plaintext over the net. What seems to be most important is exercising control over where that data sits when it is plaintext, and protecting that space.
     
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I just want to make sure that I undersand this correctly. If someone was able to collect information after it leaves xerobank, they would in no way be able to distinguish which xerobank user it was from? There is no way of distinguishing one xerobank customer from another?

    How are things going so far? I think it is an awesome service. I am just completely blown away by it (pro account). It is just so good on so many levels. Thanks for providing it and I am hoping that it will be available for a long time to come. Caspian

    PS If there is anyone thinking about using this service, you *must* try a pro account. Try it for 3 months. You will be spoiled and never go back to whatever it was you were doing.
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Re: XeroBank

    Your reply suggests that XeroBank is not subject to this issue that can affect Tor, which may not necessarily be the case. True, it isn't possible for just anyone to set up a XeroBank exit node with the intention of monitoring traffic but those with appropriate network access can still monitor XB exit nodes, as they can Tor or JAP exit nodes. Of course, in all cases it should still only be possible to link traffic to an individual if there is personally identifiable information in it.
    That is a valid point though HTTPS has overheads (certificate cost, server CPU usage) that may make it impractical for some sites. However using it for login pages only should reduce them greatly (you still have cookie-sniffing to worry about, but at least passwords aren't revealed).
    Well memory is non-persistent so pulling the power should wipe that decrypted data... ;)
     
  17. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Re: XeroBank

    That is correct, but there aren't any trivial people who can monitor the nodes. It would take a substantial entity or individual to accomplish that, but that isn't something we are trying to protect against. If you're hunted by the NSA, nobody can help you.

    It isn't always as simple as that. The forensic technologies are amazing, to say the least.
     
  18. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    That is the important issue, and you are correct.

    Things are great, thanks for asking. Just wait till you see what we've got coming next. It is beyond everything.

    I couldn't agree more. I remember when the CEO contacted me and said they weren't going to try to pitch it to me, just to try it. I was sold on the speed and ease of use. It just blew me away.
     
  19. buffet

    buffet Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    53
    We are using TOR network so we concern security on this. We are trying to repost this for sure someone might look into it for sure it is clear.
    Using TOR, recently, we are time to time to see yahoo web mail login process auto switching from POST command to GET command which displays user' password on the URL that helps others can log and see which password is?

    Please look at the image attachment.
    http://i100.photobucket.com/albums/m35/vn119/Bug200709-11YahooMail.png

    Logged by Privoxy:
    http://i100.photobucket.com/albums/m35/vn119/Bug200709-11YahooMailLoggViaPriv-1.png
     
    Last edited: Sep 23, 2007
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It might help if you posted a working link, not one that gives a 404 error...

    Also have you checked accessing Yahoo without Tor to see if the same thing happens?
     
  21. buffet

    buffet Registered Member

    Joined:
    Mar 31, 2006
    Posts:
    53
    Sorry! A copy and paste problem.
    All are fixed now; and including another screen shot of privoxy logging. It seems there were 'injection' hack or a yahoo webmail bug exploit ?
     
  22. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Nothing there seems to be Tor-related.

    Yahoo sending your password in the clear is bad - but if that bothers you either use an HTTPS page to login (if they have one) or change webmail provider.
     
  23. MrDuane

    MrDuane Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    6
    To Torrify,

    I am considering XeroBank.

    I have read this thread, and want to know:

    with XeroBank, is my information encrypted between my computer and my ISP?

    If so, all they would know is that I logged in with them. Is that the case?

    To all others?

    Does anybody know anything about "Evidence Eliminator"?

    What about redundancy? ... using the-cloak.com, hushmail, stealth message, etc.
     
  24. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    While not Torrify, I think I can help with some of your queries.
    Yes. Only when your connection exits the XeroBank network, will it be in the clear (for http:// webpages, https:// addresses will be encrypted all the way) and this has to be done since the website you are connecting to is expecting unencrypted data.
    Your ISP would see encrypted data going to an IP address which they could identify as belonging to XeroBank. They would not be able to determine its contents or ultimate destination.
    Discussed fairly often here - see the following threads:

    Privacy Eraser Pro
    Evidence eliminator's lock out key
    EvidenceEliminator
    If you mean "chaining" - using one anonymity service to access another - then in many cases it doesn't work well and may even result in weaker security (e.g. using insecure provider A to connect to secure provider B only gives you A's level of privacy). One exception is using an anonymizer to access a CGI proxy (a web search should provide several lists) - this can be of benefit if your anonymity service is being blocked by a website but is of little benefit otherwise.
     
Loading...
Thread Status:
Not open for further replies.