
Tor and HTTPS

[Interactive graphic: what data is visible to eavesdroppers in each of four cases: No Tor and No HTTPS; No Tor and HTTPS; Tor and No HTTPS; Tor and HTTPS.]


Almost Everyone Involved in Developing Tor was (or is) Funded by the US Government “The United States government can’t simply run an anonymity system for everybody and then use it themselves only. Because then every time a connection came from it people would say, “Oh, it’s another CIA agent.” If those are the only people using the network.”

On the Internet, nobody knows you're a dog Peter Steiner's cartoon, as published in The New Yorker. Peter Steiner, a cartoonist and contributor to The New Yorker since 1979, said the cartoon initially did not get a lot of attention, but later took on a life of its own, and that he felt similar to the person who created the "smiley face". In fact, Steiner was not that interested in the Internet when he drew the cartoon, and although he did have an online account, he recalled attaching no "profound" meaning to the cartoon; it was just something he drew in the manner of a "make-up-a-caption" cartoon. In response to the comic's popularity, he stated, "I can't quite fathom that it's that widely known and recognized."

The New Yorker Our privacy promise The New Yorker's Strongbox is designed to let you communicate with our writers and editors with greater anonymity and security than afforded by conventional e-mail. When you visit or use our public Strongbox server, The New Yorker and our parent company, Condé Nast, will not record your I.P. address or information about your browser, computer, or operating system, nor will we embed third-party content or deliver cookies to your browser. Strongbox servers are under the physical control of The New Yorker and Condé Nast in a physically and logically segregated area at a secure data center. Strongbox servers and network share no elements in common with The New Yorker or Condé Nast infrastructure.

[PFS] SSL: Intercepted today, decrypted tomorrow [September 2013: The Netcraft extension — for Firefox, Google Chrome, and Opera — now displays whether or not PFS is supported] Millions of websites and billions of people rely on SSL to protect the transmission of sensitive information such as passwords, credit card details, and personal information with the expectation that encryption guarantees privacy. However, recently leaked documents appear to reveal that the NSA, the United States National Security Agency, logs very high volumes of internet traffic and retains captured encrypted communication for later cryptanalysis.

Onion Routing: Our Sponsors This research was supported in part at NRL's Center for High Assurance Computer Systems (CHACS) by: Office of Naval Research (ONR), Basic R&D work in addition to support for the coding of all generation systems (0, 1, and 2). Support for deployment of generation 2 (Tor) testbed and open source development site.

Who uses Tor? Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications.

90 percent of Tor keys can be broken by NSA: what does it mean? Errata Security CEO Rob Graham has published a blog post speculating that ninety percent of the traffic on the Tor anonymized network can be broken by the NSA. That's because the majority of Tor users are still on an old version of the software, 2.3, which uses 1024-bit RSA/DH keys -- and at a key length of 1024 bits, RSA/DH crypto can be broken in a matter of hours using custom chips fabbed at an estimated cost of $1B. It seems likely that the NSA has spent the necessary sum and sourced these chips (likely from IBM). This isn't the same as being able to decrypt all of Tor in real time, but it does suggest that the NSA could selectively decrypt its stored archives of Tor traffic. However, the new version of Tor, 2.4, uses elliptic curve Diffie-Hellman ciphers, which are probably beyond the NSA's reach. But the good news is that, as the ProPublica article mentioned (quoting whistleblower Edward Snowden), "Properly implemented strong crypto systems are one of the few things that you can rely on."

[RSA, PFS] Facebook's outmoded Web crypto opens door to NSA spying Secret documents describing the National Security Agency's surveillance apparatus have highlighted vulnerabilities in outdated Web encryption used by Facebook and a handful of other U.S. companies. Documents leaked by former NSA contractor Edward Snowden confirm that the NSA taps into fiber optic cables "upstream" from Internet companies and vacuums up e-mail and other data that "flows past" -- a security vulnerability that "https" Web encryption is intended to guard against. But Facebook and a few other companies still rely on an encryption technique viewed as many years out of date, which cryptographers say the NSA could penetrate reasonably quickly after intercepting the communications. Facebook uses encryption keys with a length of only 1,024 bits, while Web companies including Apple, Microsoft, Twitter, Dropbox, and even Myspace have switched to exponentially more secure 2,048-bit keys. The NSA's budget is estimated to be at least $10 billion a year. "Why use specialized hardware?"

A TorPath to TorCoin: Proof-of-Bandwidth Altcoins for Compensating Relays Mainak Ghosh, Miles Richardson, Bryan Ford (Yale University); Rob Jansen (U.S. Naval Research Laboratory). 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014)

How does the NSA break SSL? A few weeks ago I wrote a long post about the NSA's 'BULLRUN' project to subvert modern encryption standards. I had intended to come back to this at some point, since I didn't have time to discuss the issues in detail. But then things got in the way.

What Was Silk Road? Refresh Your Memory as Ross Ulbricht Goes to Trial Ross Ulbricht’s trial for his alleged role as “Dread Pirate Roberts,” the owner of the shadowy online market place Silk Road, is scheduled to begin Tuesday. Ulbricht was indicted last year for operating the site, which allowed users to buy and sell drugs anonymously. He was charged with narcotics conspiracy, engaging in criminal enterprise, conspiracy to commit computer hacking and money laundering conspiracy.

A portable router that conceals your Internet traffic The news over the past few years has been spattered with cases of Internet anonymity being stripped away, despite (or because of) the use of privacy tools. Tor, the anonymizing “darknet” service, has especially been in the crosshairs—and even some of its most paranoid users have made a significant operational security (OPSEC) faux pas or two. Hector “Sabu” Monsegur, for example, forgot to turn Tor on just once before using IRC, and that was all it took to de-anonymize him. (It also didn’t help that he used a stolen credit card to buy car parts sent to his home address.) If hard-core hacktivists trip up on OPSEC, how are the rest of us supposed to keep ourselves hidden from prying eyes? At Def Con, Ryan Lackey of CloudFlare and Marc Rogers of Lookout took to the stage (short their collaborator, the security researcher known as “the grugq,” who could not attend due to unspecified travel difficulties) to discuss common OPSEC fails and ways to avoid them.

Fighting Cargo Cult – The Incomplete SSL/TLS Bookmark Collection Throughout the recent months (and particularly: weeks), people have asked me how to properly secure their SSL/TLS communication, particularly on web servers. At the same time I’ve started to look for good literature on SSL/TLS. I noticed that many of the “guides” on how to do a good SSL/TLS setup are actually cargo cult. Cargo cult is a really dangerous thing for two reasons: First of all, security is never a one-size-fits-all solution. Your setup needs to work in your environment, taking into account possible limitations imposed by hardware or software in your infrastructure. And secondly, some of those guides are outdated, e.g. they neglect the clear need for Perfect Forward Secrecy, or use now-insecure ciphers.
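The point running through the PFS, 1024-bit key and cargo-cult excerpts above can be turned into a concrete check. The following is an added example, not code from any of the bookmarked articles: given an explicit OpenSSL cipher string plus the server's RSA and DH key sizes, it flags suites without forward secrecy and keys shorter than 2048 bits. The `audit` and `has_forward_secrecy` names, the `Finding` class and the sample configuration are my own constructions.

```python
from dataclasses import dataclass
from typing import List, Optional

# OpenSSL key-exchange prefixes that agree an ephemeral (EC)DH key per session,
# i.e. give Perfect Forward Secrecy: a later compromise of the server's
# long-term key does not decrypt traffic that was recorded earlier.
PFS_KEX = ("ECDHE", "DHE", "EDH")
# Anonymous key exchange: ephemeral, but no server authentication at all.
ANON_KEX = ("ADH", "AECDH")

@dataclass
class Finding:
    item: str
    reason: str

def has_forward_secrecy(suite: str) -> bool:
    """True if an OpenSSL-style suite name negotiates an ephemeral key."""
    if suite.startswith("TLS_"):  # TLS 1.3 suites always use (EC)DHE
        return True
    return suite.split("-")[0] in PFS_KEX

def audit(cipher_list: str, rsa_bits: int, dh_bits: Optional[int] = None) -> List[Finding]:
    """Flag suites and key sizes that let recorded traffic be decrypted later.

    cipher_list: explicit OpenSSL cipher string (suite names joined by ':')
    rsa_bits:    modulus size of the server certificate's RSA key
    dh_bits:     size of the DH group used by DHE suites, if any are offered
    """
    findings: List[Finding] = []
    for suite in cipher_list.split(":"):
        if not suite or suite[0] in "!@+-":  # OpenSSL modifiers, not suite names
            continue
        if suite.split("-")[0] in ANON_KEX:
            findings.append(Finding(suite, "anonymous key exchange: no server authentication"))
        elif not has_forward_secrecy(suite):
            findings.append(Finding(suite, "no forward secrecy: a later key compromise "
                                           "decrypts every recorded session"))
    if rsa_bits < 2048:
        findings.append(Finding(f"RSA-{rsa_bits}", "certificate key shorter than 2048 bits"))
    if dh_bits is not None and dh_bits < 2048:
        # DHE gives PFS, but a 1024-bit group is within reach of a well-funded attacker.
        findings.append(Finding(f"DH-{dh_bits}", "DHE group shorter than 2048 bits"))
    return findings

if __name__ == "__main__":
    # Constructed sample: a 'cargo cult' setup that still offers static-RSA suites.
    sample = "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:AES128-SHA:RC4-SHA"
    for f in audit(sample, rsa_bits=1024, dh_bits=1024):
        print(f"{f.item}: {f.reason}")
```

Feed it the cipher string and key sizes from a server's actual configuration to see which suites would let an archive of recorded sessions be opened if the server key were ever obtained.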