
Fact check my understanding please?



#1 forthepeople

Posted 27 May 2017 - 06:41 PM

I'm building a website where I need to protect the anonymity of the users. Not most important, but I would also ensure my own anonymity as a host, but if I get found out that is okay. I'm hosting a grievance form for people who may be retaliated against if they go through the channels currently provided to them. Worse than this fact, their complaints will go ignored and hidden if they are severe enough. I am going to be the middle-man between the organization and my peers to ensure that all complaints are never covered up and resolved by the proper authorities.

 

 I understand that Hidden services (Onion Services) have a long list of protective benefits. I also understand that if not implemented properly by myself these benefits will be void. I also understand that because of end user error by people who do not understand how to protect themselves using these tools, my service may be rendered useless. I think I have most things right but I would like to fact check my assumptions about what I think doing will work efficiently. I also feel my implementations may be overkill and some may actually conflict with others rendering them insecure.

 

1. How they will log in to my service

I need to let people access my service somehow, right? I think using a hidden service may be overkill. This would limit the amount of people who would use it because some won't bother going through the task of downloading Tor Browser. Some will not have access to a computer, only a cell phone, which is even more complicated for some to get on onion services. Even if this were not a truth and they used the Tor Browser, their devices won't be secure. I consider running an onion service regardless because I understand there is a service that allows people to use a special domain to view these services from the clearweb. This sounds stupid to me because I don't know who intercepts that traffic for this to happen, reducing or probably killing security completely. Am I right to think it's better to use the regular old internet and buy hosting from recommended/trusted hosting?

 

2. Securing their identity

If the people who I'm trying to protect my peers from decide to attack my website (unlikely but a concern) the only thing they'll see is the information about the device that connects to it. It's far-fetched that this will happen but I need to bring this up just because why not? I need to keep their input on my website encrypted and anonymous. They'll have access to an available forum that is highly restricted and moderated in user content because they may post things that identify them. I know the authorities I need to protect them from will actively monitor every post made. The grievance submission form will be simple. It asks a set of questions and has them read what is or isn't a valid grievance. It will offer them the option to submit a grievance with or without correspondence. All submissions will be encrypted and sent to a mailbox server for organization. I will generate a Public and Private PGP key and in theory their message will be encrypted on the page then sent to my mailbox server.

 

With correspondence

If they need to discuss their problem and choose to have correspondence I need to somehow open a channel to provide encryption. I think that I can set up an inbox service that is separate from the forum that will automatically encrypt messages. I'm not sure how to do this.

 

This service will eventually be available for thousands of people. When I expand it will be a concern how to manage it all but that's not to worry now. I just need to make this simple service for 100 people as simple to use as possible for the user and they will not have any knowledge of security at all.
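Added example, not part of the original post: a sketch of the "encrypt on the page, then send to the mailbox" flow described above, so that the web server and mailbox only ever hold ciphertext. It uses RSA-OAEP plus AES-256-GCM from Node's built-in `crypto` module as a stand-in for the PGP key pair; the function names and the sample text are hypothetical.

```javascript
// Added illustration; function names are hypothetical, sample data is constructed.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Host side, done once offline. Only the public key is published on the form page.
function makeRecipientKeys(bits = 3072) {
  return crypto.generateKeyPairSync('rsa', { modulusLength: bits });
}

// Submitter side: encrypt the grievance under a fresh AES-256-GCM key, then wrap
// that key with the host's public key. The server and mailbox only see this object.
function sealSubmission(publicKey, text) {
  const key = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(text, 'utf8'), cipher.final()]);
  return {
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, key).toString('base64'),
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    body: body.toString('base64'),
  };
}

// Host side: unwrap the AES key with the private key and decrypt. A modified
// ciphertext or tag makes decipher.final() throw instead of returning altered text.
function openSubmission(privateKey, sealed) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP },
    Buffer.from(sealed.wrappedKey, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key,
    Buffer.from(sealed.iv, 'base64'));
  decipher.setAuthTag(Buffer.from(sealed.tag, 'base64'));
  const plain = Buffer.concat([
    decipher.update(Buffer.from(sealed.body, 'base64')),
    decipher.final(),
  ]);
  return plain.toString('utf8');
}

// Constructed sample submission.
const demoKeys = makeRecipientKeys(2048); // smaller key only to keep the demo fast
const demoSealed = sealSubmission(demoKeys.publicKey, 'Constructed sample grievance text');
console.log(openSubmission(demoKeys.privateKey, demoSealed));
```

Because the page itself delivers both the encryption code and the public key, whoever controls the web server can still replace either one; this protects submissions at rest and in the mailbox, not against a compromised host.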

 

 




#2 arlattimor

Posted 30 July 2017 - 02:24 AM

First off, did you register your domain privately with your domain registrar? That way if someone decides to do a whois lookup on your domain it will be private.


A. Lattimore

CCNA, CWNA, MCITP, MCSA, MCT, MCP, Security+, Server+, Linux+, Network+, A+, CNST

Network Security Engineer

 


#3 managel

Posted 30 September 2017 - 04:36 AM

Host your website on the Tor network. That's what is used for anonymity of users and website owners.





