TOR, VPN, Browsing Security Question


22 replies to this topic

#1 okap1

okap1

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 21 December 2014 - 07:41 PM

Newbie looking to improve security and privacy/anonymity a bit... Always start with my browsing habits, browser settings (NoScript, Adblock Plus, Disconnect, etc.), hardware/software configs (using KIS, MBAM Pro & other s/w for on demand). Also, update regularly...

Question: Is the Tor portable browser or VPNs (e.g. Private Internet Access, Cyberghost) any help, and how does TOR differ from PIA? Is one preferable over the other? (Won't even bother asking about Tails & Inverse Path.)

Just a regular guy looking to surf without leaving crumbs or revealing personal info.

And then I hear about 'end to end encryption' to avoid middleman attacks... how does a noob deal with this?

Someone responded to me (re: TOR & VPN) with the below answer, suggesting it's all essentially worthless. So, why do tech sites still recommend them? Also heard using TOR now raises red flags with NSA, etc... Confused...

Thanks
-------------------------------------------------------------
"TOR or any other proxy should never be thought of as a security measure. Proxies are run by anyone, many of whom do not have your security as an interest. Once you're on a proxy they can do anything they want, such as presenting you with a fake login page for your bank or PayPal, eBay, etc. These fake pages cannot be detected by normal anti-phishing tools or methods. Do not ever go anywhere where security is a concern while behind any form of proxy that you do not control. Running your own Squid proxy, caching or not, can be a boost to your security by removing things such as advertisements from 3rd parties on web pages, etc. But, and I speak from experience here, a proxy can cache a web page, say the one for PNC Bank. At this point a person with only moderate coding skills can now make that page send them your username and password or, in the case of an online store, credit card information. And the bad part is it will or can be made to still allow you to log in or purchase the item, etc. You would never know it happened until it was far too late.

Proxies such as TOR etc. may have some small benefit to your anonymity, but with the ability to fingerprint not only your browser but your OS and even your computer's hardware, even that is questionable today. Even though in a server log it will show the proxy's user agent, or should, web pages can use JavaScript and other methods to gather information about your browser, OS, screen res, logged-in user name, video card, even your real IP."




 


#2 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:10:53 AM

Posted 21 December 2014 - 11:29 PM

Personally, TOR used to be good until the FBI & NSA started adding their own relays so they could calculate the path for each node that stripped the hash value of the encryption (I assume this is how it works, << not a pro at Onion protocol). PIA I just purchased yesterday and have found to be pretty good.

I do NOT want the Australian government sniffing and monitoring what I do at ALL. We get ripped off in the land of OZ, you know it's cheaper to buy Adobe CS 6 by flying to America, purchasing it and flying home, and you would still have 600 bucks to spare!

Yes, I use torrents because I get ISOs of the sites; I find it faster to get an ISO of a Linux distro off a cluster of nodes than a single server.

They (Australian government) can get stuffed. Obviously if it's bank related I don't use Private Internet Access.

PIA do not keep any logs or metadata, as some like to call it. Nothing is cached as far as I could see in their user terms of agreement either.



#3 gavinseabrook

gavinseabrook

  • Members
  • 773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:El Paso
  • Local time:05:53 PM

Posted 21 December 2014 - 11:45 PM

You can also use a VPN Proxy service via out of country connections. Allows you to still keep your same speed and most of the sites even have tests that you can perform to make sure that your connection is not detected/monitored. Seems to work pretty good in my past experience with clients that want to make sure their data is not monitored.


Gavin Seabrook

 


#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:53 AM

Posted 22 December 2014 - 03:11 PM

A VPN proxy and/or TOR is not going to improve your security. It can help with privacy/anonymity. But for that you need to know against whom you want to protect yourself. For example, is it your ISP?


Edited by Didier Stevens, 22 December 2014 - 03:12 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:53 AM

Posted 22 December 2014 - 03:15 PM

"Once you're on a proxy they can do anything they want, such as presenting you with a fake login page for your bank or PayPal, eBay, etc."

I don't know what this person was trying to explain to you. If you want anonymity, you don't use your credentials. They identify you.



#6 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,539 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:11:53 AM

Posted 22 December 2014 - 03:15 PM

 

"TOR used to be good until the FBI & NSA started adding their own relays"

It would seem somebody is playing games with TOR. There are rumours of TOR being taken down.

 

http://www.bleepingcomputer.com/forums/t/560708/cluster-of-tor-servers-taken-down-in-unexplained-outage/#entry3575167



#7 okap1

okap1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 22 December 2014 - 03:54 PM

Using PIA for privacy... When I surf I look at articles on various topics from Ukraine to Iran to ISIS, China. Although careful, I would prefer to be as safe AND as anonymous as possible from anyone. Using PIA currently along with s/w mentioned in OP.

Is TAILS worthwhile (although they use TOR, which I see is having issues...)? Or Inverse Path?

As a novice, not a primary "A" list target, who roams the web and may accidentally end up in uncharted territory while researching a topic, I just want to know if these apps help (PIA, etc.).



#8 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:53 AM

Posted 22 December 2014 - 04:10 PM

"Using PIA for privacy... When I surf I look at articles on various topics from Ukraine to Iran to ISIS, China. Although careful, I would prefer to be as safe AND as anonymous as possible from anyone."

 

If you look at such articles on Wikipedia, you don't need VPN or TOR for privacy. Just use HTTPS to connect to Wikipedia.

As you are using an encrypted connection (HTTPS), your ISP will not be able to see what you are reading on Wikipedia, it will only know that you are connected to Wikipedia.

Of course, the people in charge of the Wikipedia infrastructure could know what you are reading.

You can not get privacy from Wikipedia, but you can get anonymity. But TOR is not enough for that. You need to make sure that your browser does not break your anonymity, for example with tracking cookies.

 

Privacy and anonymity are not the same. Simply put, privacy is when people know who you are but don't know what you are doing, and anonymity is when people know what you are doing but don't know who you are.




#9 okap1

okap1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 22 December 2014 - 04:33 PM

So (remember, I'm a novice, please be patient.. :) ), using PIA for relative anonymity and something like HTTPS Everywhere would work?

Oh, forgot... where does Sandboxie fit in here?

 

Edit: Just read HTTPS Everywhere uses TOR....


Edited by okap1, 22 December 2014 - 04:35 PM.


#10 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:53 AM

Posted 22 December 2014 - 05:08 PM

I'm not commenting on PIA, I'm not familiar with the services they offer.

 

HTTPS Everywhere only works if the website offers HTTPS.

HTTPS Everywhere does not use TOR. It is a collaboration with The TOR Project, but it does not use the TOR network.




#11 JohnnyJammer

JohnnyJammer

  • Members
  • 1,117 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:QLD Australia
  • Local time:10:53 AM

Posted 22 December 2014 - 06:12 PM

Interesting article there Nick mate.

 

They say if you have nothing to hide you have nothing to worry about, but I disagree heavily with that statement.

I just do not want to be monitored by anyone, or as little as possible.

I also get skeptical about HTTPS because, let's face it, how many times has encryption been broken through exploitation in recent years, and this is only what we know about.

To the OP, you will never get 100% security and/or anonymity mate, sorry, well, not on the internet anyway.



#12 okap1

okap1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 22 December 2014 - 08:02 PM

Thanks for all the clarifications.

 

OK, I get it re: HTTPS Everywhere & TOR. Also, that nothing is safe. One can only reduce the risks.

Basically, what I'd like to know (re: anonymity & security) is:

1) Does using VPNs (like PIA, Cyberghost, etc.) help by keeping one's identity 1 step removed? I would think keeping my identity anonymous is one facet of securing myself (of course if someone wants to find me, they will).

2) Is TAILS now compromised? Is it of value with all the other tools it includes?

3) Is Sandboxie a recommended app?

Thanks again



#13 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:12:53 PM

Posted 22 December 2014 - 09:59 PM

A large rar file of pdf files on TOR. http://wikisend.com/download/496112/tor.rar

Example.

Spoiled Onions: Exposing Malicious Tor Exit Relays. 1401.4917.pdf
Can They Hear Me Now? A Security Analysis of Law Enforcement Wiretaps. calea.pdf
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#14 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:53 AM

Posted 23 December 2014 - 01:19 PM

"2) Is TAILS now compromised?"


What do you mean?



#15 okap1

okap1
  • Topic Starter

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:08:53 PM

Posted 23 December 2014 - 02:15 PM

Saw these among a dozen others... Doesn't TAILS rely on TOR for all connections?

 

"Is Tor Safe? Anonymous Browser Hacked, With Suspects Keeping Quiet And Privacy Advocates Shaken"

 

http://www.ibtimes.com/tor-safe-anonymous-browser-hacked-suspects-keeping-quiet-privacy-advocates-shaken-1645210

 

http://www.independent.co.uk/life-style/gadgets-and-tech/tor-anonymity-service-compromised-by-unknown-attackers-9639231.html

 

http://article.gmane.org/gmane.network.tor.user/34619





