background preloader

Tor and HTTPS

Tor and HTTPS
Click the "Tor" button to see what data is visible to eavesdroppers when you're using Tor. The button will turn green to indicate that Tor is on.Click the "HTTPS" button to see what data is visible to eavesdroppers when you're using HTTPS. The button will turn green to indicate that HTTPS is on.When both buttons are green, you see the data that is visible to eavesdroppers when you are using both tools.When both buttons are grey, you see the data that is visible to eavesdroppers when you don't use either tool.Potentially visible data includes: the site you are visiting (SITE.COM), your username and password (USER/PW), the data you are transmitting (DATA), your IP address (LOCATION), and whether or not you are using Tor (TOR). Related:  DarknetVeille technologique - Deep WEB

The New Yorker | Strongbox Our privacy promise The New Yorker's Strongbox is designed to let you communicate with our writers and editors with greater anonymity and security than afforded by conventional e-mail. When you visit or use our public Strongbox server, The New Yorker and our parent company, Condé Nast, will not record your I.P. address or information about your browser, computer, or operating system, nor will we embed third-party content or deliver cookies to your browser. Strongbox servers are under the physical control of The New Yorker and Condé Nast in a physically and logically segregated area at a secure data center. Strongbox servers and network share no elements in common with The New Yorker or Condé Nast infrastructure. Strongbox is designed to be accessed only through a “hidden service” on the Tor anonymity network, which is set up to conceal both your online and physical location from us and to offer full end-to-end encryption for your communications with us.

On the Internet, nobody knows you're a dog Peter Steiner's cartoon, as published in The New Yorker History[edit] Peter Steiner, a cartoonist and contributor to The New Yorker since 1979,[5] said the cartoon initially did not get a lot of attention, but that it later took on a life of its own, and he felt similar to the person who created the "smiley face".[1] In fact, Steiner was not that interested in the Internet when he drew the cartoon, and although he did have an online account, he recalled attaching no "profound" meaning to the cartoon; it was just something he drew in the manner of a "make-up-a-caption" cartoon.[1] In response to the comic's popularity, he stated, "I can't quite fathom that it's that widely known and recognized."[1] Context[edit] The cartoon marks a notable moment in the history of the Internet. The cartoon symbolizes an understanding of Internet privacy that stresses the ability of users to send and receive messages in general anonymity. In popular culture[edit] See also[edit] References[edit]

Almost Everyone Involved in Developing Tor was (or is) Funded by the US Government “The United States government can’t simply run an anonymity system for everybody and then use it themselves only. Because then every time a connection came from it people would say, “Oh, it’s another CIA agent.” If those are the only people using the network.” —Roger Dingledine, co-founder of the Tor Network, 2004 In early July, hacker Jacob Appelbaum and two other security experts published a blockbuster story in conjunction with the German press. Internet privacy activists and organizations reacted to the news with shock. But the German exposé showed Tor providing the opposite of anonymity: it singled out users for total NSA surveillance, potentially sucking up and recording everything they did online. To many in the privacy community, the NSA’s attack on Tor was tantamount to high treason: a fascist violation of a fundamental and sacred human right to privacy and free speech. The Electronic Frontier Foundation believes Tor to be “essential to freedom of expression.” NSA? Tor at the NSA?

Breaker 101: An intensive online web security course – I Today I'm proud to announce a first-of-its-kind web security course. Spanning 12 intensive weeks, this course goes well beyond what's possible in traditional trainings and will transform you into a web security professional. Note: this is not in any way affiliated with my employer. My goal with this course is to take you from web developer to web security professional. You will know common (and uncommon) vulnerabilities, how to discover them, how to exploit them, and how to protect against them. By the end of the 12-week course, you will be in a good position to build secure products, work as a security consultant, and generally break everything that comes across your desk. There are no written tests or fill-in-the-blanks homework. Security professionals are more in demand than ever; whether you're looking to move up as a developer or jump into the security field, you will get your money's worth. As mentioned before, you will be finding bugs on day one. Week 1 Week 2 Week 3 Week 4 Week 5 Week 6

90 percent of Tor keys can be broken by NSA: what does it mean? Errata Security CEO Rob Graham has published a blog-post speculating that ninety percent of the traffic on the Tor anonymized network can be broken by the NSA. That's because the majority of Tor users are still on the an old version of the software, 2.3, which uses 1024 RSA/DH keys -- and at keylengths of 1024 RSA/DH crypto can be broken in a matter of hours using custom chips fabbed at an estimated cost of $1B. It seems likely that the NSA has spent the necessary sum and sourced these chips (likely from IBM). This isn't the same as being able to decrypt all of Tor in realtime, but it does suggest that the NSA could selectively decrypt its stored archives of Tor traffic. However, the new version of Tor, 2.4, uses elliptical curve Diffie-Hellman ciphers, which are probably beyond the NSA's reach. But the good news is that, as the ProPublica article mentioned (quoting whistleblower Edward Snowden), "Properly implemented strong crypto systems are one of the few things that you can rely on."

Who uses Tor? Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. We need your good Tor stories! Normal people use Tor They protect their privacy from unscrupulous marketers and identity thieves. Journalists and their audience use Tor Reporters without Borders tracks Internet prisoners of conscience and jailed or harmed journalists all over the world. Law enforcement officers use Tor Online surveillance: Tor allows officials to surf questionable web sites and services without leaving tell-tale tracks. Activists & Whistleblowers use Tor Human rights activists use Tor to anonymously report abuses from danger zones. High & low profile people use Tor Does being in the public spotlight shut you off from having a private life, forever, online? Business executives use Tor Bloggers use Tor Militaries use Tor Tor Tip

Onion Routing: Our Sponsors This research was supported in part at NRL's Center for High Assurance Computer Systems (CHACS) by: Office of Naval Research (ONR), Basic R&D work in addition to support for the coding of all generation systems (0,1, and 2). Support for deployment of generation 2 (Tor) testbed and open source development site. Historical page reflecting as of 2005, not regularly maintained. SSH tricks Why SSH? As recently as a 2001, it was not uncommon to log in to a remote Unix system using telnet. Telnet is just above netcat in protocol sophistication, which means that passwords were sent in the clear. As wifi proliferated, telnet went from security nuissance to security disaster. As an undergrad, I remember running ethereal (now wireshark) in the school commons area, snagging about a dozen root passwords in an hour. SSH, which encrypts and authenticates connections, had been in development since 1995, but it seemed to become adopted nearly universally and almost overnight around 2002. It is worth configuring SSH properly: per-user configuration is in ~/.ssh/config; system-wide client configuration is in /etc/ssh/ssh_config. Key-based, passwordless authentication Key-based passwordless authentication makes it less cumbersome for other programs and scripts to piggyback atop SSH, since you won't have to re-enter your password each time. To set this up, first log in to the client machine.

dedis@yale | A TorPath to TorCoin: Proof-of-Bandwidth Altcoins for Compensating Relays Mainak Ghosh, Miles Richardson, Bryan FordYale University Rob JansenU.S. Naval Research Laboratory 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014) Abstract The Tor network relies on volunteer relay operators for relay bandwidth, which may limit its growth and scaling potential. Paper: PDF This material is based upon work supported by the Defense Advanced Research Agency (DARPA) and SPAWAR Systems Center Pacific, Contract No. L’internet et les « pédo-nazis » : le best of J'en avais rêvé, Stéfan l'a fait : sur son blog, 36 15 ma vie, il a compilé une dizaine de reportages passés aux JT de France Télévision dans les années 90, qu'il a débusqué dans les archives de l'Ina et qui tous présentent l'internet comme un repère de pédophiles, de nazis, de trafiquants de drogue et de médicaments, de terroristes aussi. Bref, de pédo-nazis, comme on avait fini par les surnommer en cette fin de siècle dernier. Au risque de choquer certains : non seulement c'est (bien évidemment très -très très- exagéré), mais c'est tant mieux, et on aurait tort de s'en priver, pour la simple et bonne raison que le fait qu'ils se montrent permet, aussi, de les débusquer (voir aussi le billet que j'avais déjà écrit à ce sujet : Les pédophiles sont sur le Net. Nous aussi. Trêve de bavardage, passons maintenant à la télévision, et à l'excellent billet de Stéfan, qu'il m'a autorisé à reproduire ici-bas : Scandale sur internet

Darknet, la face cachée du web Si vous vous intéressez au web et à son environnement, alors le web profond est un domaine qui devrait attirer votre curiosité. Le Darknet est un sujet complexe et à ne pas mettre entre toutes les mains vu la présence de contenu plus qu’illicite… Quand vous naviguez sur le web vous n’avez en faite accès qu’à une partie infime d’Internet avec les moteurs de recherche comme Google ou Yahoo. Ceux sont des sites web cryptés et l’ont en compte 500 fois plus que que sur le web traditionnel. Il existe donc un Internet parallèle sans aucune limite appelé Le Darknet pour les plus anglophones. Je parle ici d’un Internet sans aucune limite ni protection ou encradrement car le darknet permet de naviguer dans un anonymat les plus total, aucune identification n’est possible. Pourquoi le Darknet a-t-il été créé ? Le Darknet a été créé à l’origine pour aider les dissidents chinois à communiquer entre eux sans pouvoir être identifié. Les dérives du Darknet Comment aller sur le Darknet ? Arnaud OLIVIER

Keeping E-mail Private (Revisited) | Art & Logic Blog Image via About a year ago, I wrote a post titled “Keeping E-mail Private“. Thinking back over the last five months, my advice seems woefully inadequate. Threat modeling is a tool which allows us to decide which trade-offs we can make. When we talk about security, it is helpful to know what information we want to secure and what threats exist to the security of the information. In the end, it comes down to a question of what information you want to protect and what the threats are to that information. Threat Modeling in Software Design By the way, threat modeling is not just something you do when you want to protect your e-mail address. A few years ago, I worked on a game for a large software company. A Simple Example Suppose I have an Ubuntu 12.04 LTS Server running inside a virtual machine at a cloud server provider. Target: Static Web Site I’ve chosen to discuss a static web site to avoid the rabbit trail of security for web programming. Like this:

A portable router that conceals your Internet traffic The news over the past few years has been spattered with cases of Internet anonymity being stripped away, despite (or because) of the use of privacy tools. Tor, the anonymizing “darknet” service, has especially been in the crosshairs—and even some of its most paranoid users have made a significant operational security (OPSEC) faux pas or two. Hector “Sabu” Monsegur, for example, forgot to turn Tor on just once before using IRC, and that was all it took to de-anonymize him. (It also didn’t help that he used a stolen credit card to buy car parts sent to his home address.) If hard-core hacktivists trip up on OPSEC, how are the rest of us supposed to keep ourselves hidden from prying eyes? At Def Con, Ryan Lackey of CloudFlare and Marc Rogers of Lookout took to the stage (short their collaborator, the security researcher known as “the grugq,” who could not attend due to unspecified travel difficulties) to discuss common OPSEC fails and ways to avoid them. Counter-surveillance for everyone