wifi, https, and privacy questions.

Discussion in 'privacy general' started by security_concerned, Nov 14, 2006.

Thread Status:
Not open for further replies.
  1. security_concerned

    security_concerned Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    24
    What an informative forum this is. I've been reading threads here since late last night. So much to take in!

    I just wanted reassurance from the pros here on my situation.

    I share a wireless signal in a small community where the owner/manager of the system gets a log of all web traffic of course. He is not shy about admitting he sees what we see.

    I use Linux 99% of the time. Opera browser set to delete cookies, cache, and history on exit. I have also resorted to using Tor with Privoxy. This setup seems to work not too bad. Slow but, hopefully, secure.

    My most important question would be - Have I foiled the manager's viewing pleasure? My understanding is all that he can see is garble due to the encryption. We do all our banking and much other business online so I'm a little paranoid. My understanding is the only web address he should be viewing from my connection would be the Tor connection - Is this correct?

    Next most important question would be - Should I use Tor/Privoxy for https? From what I've gleaned from the https thread here is that I should, and actually would have two layers of encryption and the filtering protection of Privoxy. Is this correct? Or does Tor present a security concern as far as https?

    I use Gmail and Loftmail mostly for email. They both offer ssl pop and smtp connections. I'm not too concerned about email.

    I would welcome any input as to a better setup or advice on how to improve what I have. I am also looking at pay-for services like Cotse.

    Thanks all.
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    A belated welcome to Wilders security_concerned.

    Yes, provided you have set up TOR/Privoxy/Browser correctly so DNS requests go through TOR.

    Yes.
    If you are on wireless, it is not only the manager, but everyone in your community who could be potential snoops.
    Are you using WPA or WPA2 for wireless encryption?
    If not, then others may be able to see your encrypted connections (not contents).

    Good question.
    Who do you trust less, your snooping manager or an anonymous network of TOR servers?
    I would choose the latter in your case, just make sure you are alert to any SSL certificate issues while browsing.

    Yes.
    The only concern would be a compromised TOR server that might be used in a MitM (Man in the Middle) certificate attack.
    This would normally show up in your browser though.

    I am still happy with Cotse.
    I haven't used TOR yet, so I can't give you a good comparison.
    If you want to know something specific, let me know.
     
  3. security_concerned

    security_concerned Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    24
    Much thanks Devinco. You have given me some peace of mind.

    I'm not sure about "dns" requests. I check my ip address regularly and I always get a Tor server address and Privoxy is working correctly.

    I guess the manager could set up WPA encryption as he controls the wireless signal and hardware. Is there something I can do at my end as a recipient?

    Thanks again.
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    You're welcome.

    Look for threads here about TOR and Privoxy configuration.
    In my SSH client it appears on one of the config screens as:
    Do DNS lookup at Proxy end: Yes
    It will probably be slightly different in TOR, but the basic idea is the same.

    WPA (preferably WPA2) needs to be supported and turned on in the manager's WAP (Wireless Access Point) and your wireless NIC (network interface card). Both need to have the capability and to be configured properly with a strong random password (63 characters).

    Since all your neighbors will effectively be on the same LAN, don't neglect your computer's LAN exposure like File and Printer shares, unnecessary services, firewall, AV, updates, etc. at least when using Windows. Some precautions wouldn't hurt while on Linux either.
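Devinco's advice above hinges on a WPA/WPA2 passphrase that is long and random. The following is an added example (not code from this thread or from any of its posters) showing what the access point and the client actually do with that passphrase: WPA2-Personal derives a 256-bit pre-shared key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. The SSID, passphrase and lengths in the demo are constructed values; the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
import hashlib
import math
import secrets
import string

# WPA/WPA2 ASCII passphrases are 8 to 63 printable characters.
PASSPHRASE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_passphrase(length: int = 63) -> str:
    """Generate a uniformly random passphrase using the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA/WPA2 ASCII passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(PASSPHRASE_ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int, alphabet_size: int = len(PASSPHRASE_ALPHABET)) -> float:
    """Entropy of a uniformly random passphrase drawn from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2 pre-shared key (IEEE 802.11i):
    PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    )


def psk_matches_test_vector() -> bool:
    """Check the derivation against the IEEE 802.11i Annex test vector."""
    expected = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return wpa2_psk("password", "IEEE").hex() == expected


def guessing_summary(length: int) -> dict:
    """Compare passphrase entropy with the 256-bit key it is turned into.
    Beyond ~39 random characters the passphrase carries more entropy than the
    PSK itself, so extra length no longer buys anything against a PSK search."""
    bits = passphrase_entropy_bits(length)
    return {
        "passphrase_bits": round(bits, 1),
        "psk_bits": 256,
        "effective_bits": min(bits, 256.0),
    }


if __name__ == "__main__":
    # Constructed SSID; the passphrase is freshly generated on every run.
    ssid = "community-wifi-example"
    phrase = random_passphrase()
    print("passphrase:", phrase)
    print("PSK:", wpa2_psk(phrase, ssid).hex())
    print("test vector ok:", psk_matches_test_vector())
    print(guessing_summary(len(phrase)))
```

Because the SSID is the salt, a precomputed table of PSKs only works for one network name; the 4096 PBKDF2 rounds are what make an offline dictionary search against a short, human-chosen passphrase slow, and a random 63-character passphrase takes it out of dictionary range altogether.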
     
  5. security_concerned

    security_concerned Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    24
    Ok. I've checked into the dns thing and Privoxy does look after it.

    I have SeaMonkey set up to handle DNS requests by changing a setting in "about:config".

    network.proxy.socks_remote_dns user set boolean true

    This bypasses Privoxy and should do the same job with dns requests. I like the filtering aspect of Privoxy however.
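Devinco's point in post 2 (DNS requests must go through TOR) and the network.proxy.socks_remote_dns setting above come down to one detail of the SOCKS5 protocol: whether the client sends the proxy a hostname or first resolves that hostname itself. The following is an added example, not code from this thread, that builds both forms of a SOCKS5 CONNECT request (RFC 1928) and shows what a proxy such as Tor's SOCKS port receives in each case. The hostname bank.example, the 192.0.2.10 answer and the stub resolver are constructed for the demo.

```python
import socket
import struct
from typing import Callable, Tuple

# SOCKS5 constants from RFC 1928
SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03


def build_connect_request(host: str, port: int, remote_dns: bool,
                          resolver: Callable[[str], str] = socket.gethostbyname) -> bytes:
    """Build a SOCKS5 CONNECT request.

    remote_dns=True  -> send the hostname (ATYP 0x03); the proxy resolves it.
    remote_dns=False -> resolve locally first and send an IPv4 address (ATYP 0x01);
                        the local lookup is the cleartext DNS query that leaks."""
    if remote_dns:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("SOCKS5 domain names are limited to 255 bytes")
        return (bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
                + name + struct.pack("!H", port))
    ip = resolver(host)  # this call is the DNS leak when it hits the OS resolver
    return (bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_IPV4])
            + socket.inet_aton(ip) + struct.pack("!H", port))


def parse_connect_request(data: bytes) -> Tuple[str, str, int]:
    """Decode a CONNECT request the way the proxy sees it: (address kind, host, port)."""
    if len(data) < 4 or data[0] != SOCKS5 or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, end, kind = socket.inet_ntoa(data[4:8]), 8, "ipv4"
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, end, kind = data[5:5 + n].decode("idna"), 5 + n, "domain"
    else:
        raise ValueError("unsupported address type")
    (port,) = struct.unpack("!H", data[end:end + 2])
    return kind, host, port


def dns_leak_demo(host: str = "bank.example", port: int = 443) -> dict:
    """Constructed scenario: a stub resolver stands in for the OS resolver and records
    every name it is asked for. Each recorded name is a DNS query that would have left
    the machine in cleartext, visible to anyone on the shared wireless LAN."""
    observed = []

    def stub_resolver(name: str) -> str:
        observed.append(name)
        return "192.0.2.10"  # constructed answer (RFC 5737 documentation range)

    leaky = build_connect_request(host, port, remote_dns=False, resolver=stub_resolver)
    clean = build_connect_request(host, port, remote_dns=True, resolver=stub_resolver)
    return {
        "local_queries": list(observed),           # ["bank.example"]: only the leaky path asked
        "leaky_request": parse_connect_request(leaky),  # proxy gets an IP, name already leaked
        "clean_request": parse_connect_request(clean),  # proxy gets the name, no local lookup
    }


if __name__ == "__main__":
    for key, value in dns_leak_demo().items():
        print(f"{key}: {value}")
```

With the setting at true, SeaMonkey takes the ATYP 0x03 path and the only thing the manager's logs can record about the destination is the connection to the Tor entry node; with it at false, the name lookup goes out over the shared network before Tor ever sees the request.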
     
  6. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    The wireless connection technology is still not mature. It has too many holes and exploits. If you wish to have more security boundaries, the choice is not to use wireless to do all your important things (eg online banking, purchasing). If you can, use a wired one to connect to the Internet.

    But even then, you need to make sure your computer is completely clean. Antivirus/antispyware alone can't guarantee that since it is easy for a malware to bypass essentially all AV. It can be done by creating variants or new ones (harder to detect). If the trojan/keylogger is personalized (that is, it is targeted for you or a small group of people only), it may be undiscovered for many years. (If you don't understand, please ask for details via here or PM).

    Sending confidential or important info via a Tor server is not safe either. Anyone can set up a Tor server, including the ones with malicious minds. Although the traffic and allocation is random, there is a chance you might fall into the evil hands. If it happens, they may be able to sniff your traffic. Whether successful or not, it depends on their skills and abilities. But I realise the underworld will provide both free and paid tools/tutorials for the baddies to achieve the task. :doubt:
     
  7. Wai_Wai

    Wai_Wai Registered Member

    Joined:
    Dec 28, 2004
    Posts:
    556
    I have a 99.9%, if not 100%, approach to carry out all these important things safely. It is potentially very safe too and can defend against any new or unknown methods, or any new or bespoke malware. The idea is as follows:
    - you have 2 divisions - yellow and green. Both divisions are separate.
    - you carry out any normal things you may do in your life on your first (yellow) division
    - you strictly do only very safe, or completely trusted things on your second (green) division
    - while your yellow division may get infected unknowingly, it doesn't hurt you much since all important, sensitive or money-wise things (eg online banking, shopping) are done in the green division.
    - About the 2 divisions, it could be any two separate entities which are completely isolated from one another (so cross-infection is impossible). It could be 2 separate computers, 2 separate operating systems, and so on.
    - I would still try to ensure the cleanness of my first division as hard as I can.

    One instance of compromise may give me huge trouble. Imagine all your money is gone one day, how would you feel? I have heard many people's accounts get hacked and money vanishes. I don't want the same thing happening to me. New methods and exploits are coming every day. I don't wish to depend on luck to avoid the problem either.
    That's why I am a bit paranoid about that. I need to make sure my computer is potentially clean and safe from any malware and exploits, including those which are still unknown (some exploits are found only after more than 5 years. Scary!!). This is the only way which could make sure hackers are hardly able to make use of their latest unknown technology or knowledge to compromise my green division.
     
  8. security_concerned

    security_concerned Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    24
    Good info Wai_Wai.

    If I am routing https through Tor, how would a "middle man" decipher the primary ssl connection? It is being encrypted at the source. Is the exit node or one of the others seeing it unencrypted?
     
  9. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    The allies back in WWII deciphered the Enigma code. They didn't need Germans to decipher it for them anymore. All they needed was to intercept the message;)
     
  10. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    They also had an advantage by capturing the monthly keys from German subs ;) Also, they figured out a thing called a 'crib' that is something that helps you greatly limit the number of possibilities a key can have. Those were all due to the weakness of having a mechanically operated machine. That is not what SSL is. It is a computer, with millions more combinations. Sure, everything is breakable with brute force, but I will see you around fifteen years from now when it is no longer applicable.
    Tell me a hole that will get my data from a wireless connection that is encrypted. Oh yeah, there aren't any. It is perfectly safe if the proper security measures are put into place (such as WPA, WPA2, et cetera).

    Also, it doesn't matter whether or not you do online banking or purchasing even on an unencrypted connection since the data is already encrypted. Let's not distribute any FUD around here please, or else people may start to wear tinfoil hats in order to prevent hackers from wirelessly gaining their password :blink: . An informed mind is helpful, a charlatan is not.

    Cheers,

    Alphalutra1
     
  11. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    I'm aware that I'm talking about different things, and that I can't grasp the concept all too well, but I was referring to the Enigma machine altogether.

    So if the encryption code is open source, how is it safe? The program codes aren't static somehow? But how does the end node decode it? If it can decode, couldn't it be decoded by someone else? Granted not just anyone would be able, but concept wise.
     
  12. security_concerned

    security_concerned Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    24
    Thanks for the info guys.

    I guess it doesn't really matter if I use Tor/Privoxy for my https connections. No one is going to see my credit card number or my banking info. I guess the only advantage in using Tor would be that the manager would not know the site I was visiting - not that it really matters.

    The important thing is that I am protected on both fronts.
     
  13. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Yep, trust your ISP, and try to keep the computer clean.
     
  14. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If you are using Tor exclusively then there is no need to worry about wireless encryption - Tor's encryption (3 levels of AES when it exits your PC) is far stronger. No vulnerabilities are known for AES currently (though if someone at the National Security Agency would care to differ, by all means spill the beans...) so the only way to "crack" it is by brute force, trying every possible key combination (which is 2 to the power 128 for 128-bit AES - see Coding Horror: Brute Force Key Attacks Are for Dummies for what this means).

    As for a "man in the middle" attack, since Tor routes your traffic through 3 nodes, it would be necessary for someone to implant 3 "men in the middle" and for your connection to select all 3 for this method to work. Even then, the Tor client will select another path every 10 minutes so the attacker would have to supply a large number of Tor servers to have even a modest chance of monitoring any user's traffic.
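Paranoid2000's two points above (three layers of encryption leaving the PC, and a "man in the middle" needing to sit at all three nodes of a circuit that changes every 10 minutes) can both be made concrete. The following is an added example, not code from this thread or from the Tor project, that wraps a payload in three per-hop layers, peels them one relay at a time, and then evaluates the simplified "attacker controls a fraction f of all nodes, paths are chosen uniformly" model that the post implies. Two things are assumptions: the per-hop cipher here is HMAC-SHA256 in counter mode standing in for the AES-CTR Tor really uses (the standard library has no AES, and the layering is the point), and the uniform-selection model ignores Tor's bandwidth weighting and guard nodes. It also answers security_concerned's question in post 8: what the exit node sees is exactly whatever the client handed in, so plain HTTP is readable there and HTTPS is still TLS ciphertext.

```python
import hashlib
import hmac
import os
from typing import List, Tuple


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for Tor's per-hop AES-CTR (assumption)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def apply_layer(key: bytes, data: bytes) -> bytes:
    """XOR with the hop's keystream; the same call adds or removes one layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def client_wrap(hop_keys: List[bytes], payload: bytes) -> bytes:
    """Wrap innermost (exit) first so the guard's layer ends up outermost."""
    cell = payload
    for key in reversed(hop_keys):
        cell = apply_layer(key, cell)
    return cell


def relay_circuit(hop_keys: List[bytes], cell: bytes) -> Tuple[List[bytes], bytes]:
    """Each relay strips exactly one layer with its own key and forwards the rest.
    Returns what every relay saw on arrival and what leaves the last hop."""
    seen_on_arrival = []
    for key in hop_keys:
        seen_on_arrival.append(cell)
        cell = apply_layer(key, cell)
    return seen_on_arrival, cell


def demo_onion(payload: bytes = b"GET /account HTTP/1.1\r\nHost: bank.example\r\n") -> dict:
    """Constructed circuit: three random hop keys (guard, middle, exit)."""
    hop_keys = [os.urandom(16) for _ in range(3)]
    cell = client_wrap(hop_keys, payload)
    views, exit_output = relay_circuit(hop_keys, cell)
    return {
        "exit_recovers_payload": exit_output == payload,
        "payload_visible_before_exit": any(payload in v for v in views),
        # a relay holding only its own key cannot peel the layers beneath it
        "middle_alone_recovers": apply_layer(hop_keys[1], views[1]) == payload,
    }


def p_path_fully_compromised(fraction: float, hops: int = 3) -> float:
    """Uniform-selection model: every hop must be the attacker's."""
    return fraction ** hops


def circuits_per_day(rotation_minutes: int = 10) -> int:
    """Number of circuits a client builds per day at the rotation the post cites."""
    return 24 * 60 // rotation_minutes


def p_any_circuit_compromised(fraction: float, circuits: int, hops: int = 3) -> float:
    """Chance that at least one of `circuits` independently chosen paths is fully owned."""
    return 1 - (1 - p_path_fully_compromised(fraction, hops)) ** circuits


if __name__ == "__main__":
    print(demo_onion())
    f = 0.01  # constructed: attacker runs 1% of the nodes
    print("one circuit:", p_path_fully_compromised(f))
    print("one day of 10-minute circuits:", p_any_circuit_compromised(f, circuits_per_day()))
```

In the model, an attacker with 1% of the nodes owns a whole circuit with probability 10^-6, and even across the 144 circuits a day implied by 10-minute rotation that stays near 1.4 x 10^-4; the cost of raising those odds is the "large number of Tor servers" the post mentions. The onion part shows why no single relay, not even with its own key, can read the payload: only the final peel at the exit yields the original bytes.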
     
  15. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    The Code Book explains all about Enigma, key exchanges, crypto etc. It's not too technical, but good.
    http://www.simonsingh.net/The_Code_Book.html

    here's a video -
    http://video.google.com/videoplay?docid=4836268372844313245
     
  16. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    Thanks for the video iceni60 :)
     
  17. security_concerned

    security_concerned Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    24
    Great info! Thanks Paranoid.

    I've read a fair amount of literature on Tor but I never really quite 'got it'. Your description is crystal clear.
     
  18. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    165
    I thought the Vidalia bundle was already preconfigured.

    It looks like Tor uses 3 processes on a PC instead of 1 (which I figured would be for the initial 'hop').
     
    Last edited: Dec 3, 2006
  19. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    A Tor/Privoxy/Vidalia bundle is offered as an option.
    There should only be one Tor process (plus one for Privoxy and/or Vidalia). Extra instances of Tor will fail (due to not being able to use the ports taken by the first Tor process) so should be shut down.
     
  20. Mover

    Mover Registered Member

    Joined:
    Oct 1, 2005
    Posts:
    165
    The Tor/Privoxy/Vidalia bundle is preconfigured from what I understand. I'll look into the settings to confirm.

    As for the 3 processes, what I meant to say is that Tor makes connections to 3 different remote IP addresses when viewing Network activity.
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    That will be for the entry node to each of 3 routes then (one is created in advance for use when the others fail since it does take a few seconds to establish).
     