INTRODUCTION TO SECURE COMMUNICATION – TOR, HTTPS, SSL. by Edward Snowden

Posted on Monday, 11th August 2014 @ 11:05 AM

Through my research I have put together some security measures that should be considered by everyone. The reason I put this together is mainly for the newbies of this forum. But if I can help anyone out, then I am grateful for this. I would like to start out by saying, if you are reading this, you are likely a Silk Road user. If this is the case, then the #1 thing you must be using to even access this forum is Tor. Tor will provide you with a degree of anonymity by using 128-bit AES (Advanced Encryption Standard). There has been some debate as to whether or not the NSA can crack this code, and the answer is likely yes. This is why you should never send anything over Tor that you aren’t comfortable sharing with the entire world unless you are using some sort of PGP encryption, which we will talk about later.

Communication from your computer to the internet relies on an entry node, which basically “enters your computer” into the Tor network. This entry node communicates with your computer, so it knows your IP address. The entry node then passes your encrypted request on to the relay node. The relay node communicates with the entry node and the exit node but does not know your computer’s IP address. The exit node is where your request is decrypted and sent to the internet. The exit node does not know your computer’s IP, only the IP of the relay node. This model of 3 nodes makes it harder, but not impossible, to correlate your request to your original IP address.

The problem obviously comes when you are entering plain text into TOR, because anybody can set up an exit node. The FBI can set up an exit node, as can the NSA, any foreign government, or any malicious person who may want to steal your information. You should not be entering any sensitive data into any websites, especially when accessing them over TOR. If any of the nodes in the chain are compromised, and some likely are, and the people in charge of those compromised nodes have the computing power to decrypt your request, then you better hope it wasn’t anything sensitive.

So what can we do to fix this? Well, luckily more and more servers are offering something called hidden services. You can easily recognize these services by the address .onion. These services offer what’s called end-to-end encryption. What this does is take the power out of the hands of compromised exit nodes and put it back in yours. The web server of the hidden service now becomes your exit node, which means the website you are visiting is the one decrypting your message, not some random exit node run by a potential attacker. Remember, the exit node has the key to decrypt your request. The exit node can see what you are sending in clear text once they decrypt it. So if you are entering your name and address into a field, the exit node has your information. If you are putting in a credit card, a bank account, your real name, even your login information, then you are compromising your identity.

Another step you can take is to only visit websites that use something called HTTP Secure. You can tell if the website you are visiting is using HTTP Secure by the prefix at the beginning of the address. If you see https:// then your website is using HTTP Secure. What this does is encrypt your requests so that only the server can decrypt them, and not somebody eavesdropping on your communication such as a compromised Tor exit node. This is another form of end-to-end encryption. If somebody were to intercept your request over HTTP Secure, they would see encrypted data and would have to work to decrypt it.
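The three-node path and the exit-node exposure described above can be traced in a small simulation. This is an added example, not part of the original post: the cipher is a toy SHA-256 keystream standing in for Tor's real cryptography, and the keys, node names, IP address and request are constructed for illustration.

```python
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy cipher (SHA-256 counter keystream); a stand-in for Tor's real crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(next_hop: str, payload: bytes, key: bytes) -> bytes:
    """One onion layer: only the holder of `key` learns next_hop."""
    return xor_stream(key, next_hop.encode() + b"|" + payload)

def peel(cell: bytes, key: bytes):
    """Remove one layer and return (next_hop, remaining cell)."""
    next_hop, _, payload = xor_stream(key, cell).partition(b"|")
    return next_hop.decode(), payload

# Constructed per-hop keys (assumption); in Tor they are negotiated per circuit.
KEYS = {"entry": b"key-entry", "relay": b"key-relay", "exit": b"key-exit"}

def trace(request: bytes, dest: str, client_ip: str, https_key: bytes = None):
    """Send one request through entry -> relay -> exit; record each node's view."""
    # With HTTPS the request is already encrypted for the destination server.
    body = xor_stream(https_key, request) if https_key else request
    cell = wrap(dest, body, KEYS["exit"])        # innermost layer first
    cell = wrap("exit", cell, KEYS["relay"])
    cell = wrap("relay", cell, KEYS["entry"])
    views, sender = {}, client_ip
    for node in ("entry", "relay", "exit"):
        next_hop, cell = peel(cell, KEYS[node])
        views[node] = {"from": sender, "to": next_hop,
                       "reads_request": request in cell}
        sender = node
    return views

if __name__ == "__main__":
    req = b"POST /login user=alice&pass=hunter2"   # constructed sample request
    for label, key in (("http", None), ("https", b"server-session-key")):
        for node, view in trace(req, "example.com:80", "203.0.113.7", key).items():
            print(label, node, view)
```

Only the entry node's view contains the client address, and only the exit node's view has `reads_request` set, which disappears once the request is encrypted for the destination.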

Another reason you want to use HTTPS whenever possible is that malicious Tor nodes can damage or alter the contents passing through them in an insecure fashion and inject malware into the connection. This is particularly easy when you are sending requests in plain text, but HTTPS reduces this possibility. You must be made aware, however, that HTTPS can also currently be cracked depending on the level of the key used to encrypt it. When you visit a website using HTTPS, you are encrypting your request using their public key and they are decrypting it using their private key. This is how cryptography works. A public key is provided to those who want to send an encrypted message and the only one who can decrypt is the one with the private key.

Unfortunately, many websites today are still using private keys that are only 1,024 bits long, which in today’s world is no longer enough. So you need to find out which level of encryption the website you are visiting uses, to make sure they are using at a minimum 2,048, if not 4,096 bits. Even doing all of this unfortunately is not enough, because we have another problem. What happens if the web server itself has become compromised? Maybe your TOR nodes are clean, maybe you have used HTTPS for all your requests, but the web server itself of the website you are visiting has been compromised. Well, then all your requests are again as good as plain text.
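One way to carry out the key-length check described above is to read the RSA modulus out of the site's public key. This is an added example, not part of the original post: it parses a DER-encoded SubjectPublicKeyInfo with the standard library only, and `make_spki` builds constructed sample structures that are well formed but are not usable keys.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 rsaEncryption

def tlv(tag: int, body: bytes) -> bytes:
    """DER-encode one tag-length-value element."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_bits(spki: bytes) -> int:
    """Modulus size in bits of an RSA SubjectPublicKeyInfo."""
    _, seq, _ = read_tlv(spki)                   # outer SEQUENCE
    _, alg, pos = read_tlv(seq)                  # AlgorithmIdentifier
    _, oid, _ = read_tlv(alg)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstr, _ = read_tlv(seq, pos)            # BIT STRING holding RSAPublicKey
    _, key, _ = read_tlv(bitstr[1:])             # skip the unused-bits byte
    _, modulus, _ = read_tlv(key)                # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def make_spki(bits: int) -> bytes:
    """Constructed sample: correct structure, NOT a usable key."""
    n = (1 << (bits - 1)) | 1
    n_bytes = n.to_bytes(bits // 8 + 1, "big")   # leading 0x00 keeps INTEGER positive
    key = tlv(0x30, tlv(0x02, n_bytes) + tlv(0x02, b"\x01\x00\x01"))
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    return tlv(0x30, alg + tlv(0x03, b"\x00" + key))

def verdict(spki: bytes, minimum: int = 2048):
    """Return (bits, 'ok' or 'too short') against the minimum named in the text."""
    bits = rsa_bits(spki)
    return bits, ("ok" if bits >= minimum else "too short")

if __name__ == "__main__":
    for size in (1024, 2048, 4096):
        print(size, verdict(make_spki(size)))
```

For a real certificate, the same DER input can be produced with `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER`.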

With that being said, this will conclude the first post in this series of the steps we can take to protect our privacy online, to remain anonymous and maintain our freedom.

NSA and GCHQ agents ‘leak Tor bugs’, alleges developer

British and American intelligence agents attempting to hack the “dark web” are being deliberately undermined by colleagues, it has been alleged.

Spies from both countries have been working on finding flaws in Tor, a popular way of anonymously accessing “hidden” sites.

But the team behind Tor says other spies are tipping them off, allowing them to quickly fix any vulnerabilities.

The agencies declined to comment.

The allegations were made in an interview given to the BBC by Andrew Lewman, who is responsible for all the Tor Project’s operations.

He said leaks had come from both the UK Government Communications Headquarters (GCHQ) and the US National Security Agency (NSA).

By fixing these flaws, the project can protect users’ anonymity, he said.

“There are plenty of people in both organisations who can anonymously leak data to us to say – maybe you should look here, maybe you should look at this to fix this,” he said. “And they have.”

Mr Lewman is part of a team of software engineers responsible for the Tor Browser – software designed to prevent it being possible to trace users’ internet activity. The programs involved also offer access to otherwise hard-to-reach websites, some of which are used for illegal purposes.

The dark web, as it is known, has been used by paedophiles to share child abuse imagery, while online drug marketplaces are also hosted on the hidden sites.

The Tor Browser is designed to allow people to use the internet anonymously

Mr Lewman said that his organisation received tips from security agency sources on “probably [a] monthly” basis about bugs and design issues that potentially could compromise the service.

However, he acknowledged that because of the way the Tor Project received such information, he could not prove who had sent it.

“It’s a hunch,” he said. “Obviously we are not going to ask for any details.

“You have to think about the type of people who would be able to do this and have the expertise and time to read Tor source code from scratch for hours, for weeks, for months, and find and elucidate these super-subtle bugs or other things that they probably don’t get to see in most commercial software.

“And the fact that we take a completely anonymous bug report allows them to report to us safely.”

He added that he had been told by William Binney, a former NSA official turned whistleblower, that one reason NSA workers might have leaked such information was because many were “upset that they are spying on Americans”.

In response, a spokesman from the NSA public affairs office said: “We have nothing for you on this one.”

The Edward Snowden leaks have indicated that the NSA has tried to spy on Tor activity

A spokesman for GCHQ said: “It is long-standing policy that we do not comment on intelligence matters. Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework, which ensures that our activities are authorised, necessary and proportionate.”

The BBC understands, however, that GCHQ does attempt to monitor a range of anonymisation services to identify and track down suspects involved in the online sexual exploitation of children, among other crimes.

The reporter Glenn Greenwald has also published several articles, based on documents released by the whistleblower Edward Snowden, alleging that both agencies have attempted to crack Tor as part of efforts to prevent terrorism.

A security expert who has done consultancy work for GCHQ said he was amazed by Mr Lewman’s allegation, but added that it was not “beyond the bounds of possibility”.

“It’s not surprising that agencies all over the world will be looking for weaknesses in Tor,” said Alan Woodward.

“But the fact that people might then be leaking that to the Tor Project so that it can undo it would be really very serious.

“So if that is happening, then those organisations are going to take this very seriously.”

Illegal activity

Tor was originally designed by the US Naval Research Laboratory, and continues to receive funding from the US State Department.

The ability to unmask Tor’s users would undermine the reason people use the service

It is used by the military, activists, businesses and others to keep communications confidential and aid free speech.

But it has also been used to organise the sale of illegal drugs, host malware, run money laundering services, and traffic images of child abuse and other illegal pornography.

Mr Lewman said that his organisation provided advice to law enforcement agencies, including the FBI and the UK Serious Crime Agency (Soca), to help them understand how Tor worked in order to aid their investigations.

But he criticised cyberspies who carried out orders to undermine Tor’s protections.

“We are around 30 people in total, and think of the NSA or GCHQ with their tens of thousands of employees and billions of pounds of budget,” he said.

“The odds there are obviously in their favour.

“It’s sort of funny because it also came out that GCHQ heavily relies on Tor working to be able to do a lot of their operations.

“So you can imagine one part of GCHQ is trying to break Tor, the other part is trying to make sure it’s not broken because they’re relying on it to do their work.

“So it’s typical within governments, or even within large agencies, that you have two halves of the same coin going after different parts of Tor. Some protect it, some to try to attack it.”

The Tor Browser is based on Firefox and is available for Windows, Mac and Linux PCs

He added that the Tor browser had been downloaded 150 million times in the past year, and that it currently supported about 2.5 million users a day.

“Hundreds of millions of people are now relying on Tor,” Mr Lewman said, “in some cases in life-and-death situations. And that’s what we pay attention to.

“We would be very sad if anyone was arrested, tortured and killed because of some software bug or because of some design decision we made that put them at risk.”

Mr Lewman will deliver the keynote speech at the Broadband World Forum event in Amsterdam in October.

You can read a full transcript of the interview here.

Who are the cyberspies?

The Government Communications Headquarters (GCHQ) employs about 5,000 people and has two key roles:

  • To identify threats from intercepted communications. It says these include terrorism, the spread of nuclear weapons, regional conflicts around the world and threats to the economic prosperity of the UK.
  • To serve as an authority on information assurance – meaning that it advises the government and organisations running the UK’s critical infrastructure how to safeguard their systems from interference and disruption.

It dates back to 1919, when it was called the Government Code and Cypher School. It adopted its current name in 1946. The foreign secretary is answerable in Parliament for GCHQ’s work.

The National Security Agency (NSA) gathers intelligence for the US government and military leaders.

It also has the task of preventing foreign adversaries gaining access to classified national security information.

It employs about 35,000 workers, both civilians and military.
