YES!!! TLS through Hidden Services!!!
| herehere 2005-06-12, 2:45 am |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Hello all,
Finally I figured it out!
This message was sent through a route of QS > TLS > Tor > Hidden
Services > M2N > alt.privacy.anon-server.
The following directions are advanced and are not suggested for
people new to remailing. Remailing with MixMaster, QS or JBN2-
Panta Mod "out-of-the-box" is very secure and anonymous. Most
people do not need the level of security and anonymity that TLS
and Hidden Services offer.
I have been trying to route my remailing connection for SMTP,
M2N, HTTPS Stats and NNTPS as so:
QS > TLS > Tor > Panta's Hidden Services > SMTP/M2N, HTTPS Stats
and NNTPS
1. A route of 'QS > TLS > Tor >' does not address some security
and anonymity issues that Hidden Services does address.
2. A route of 'QS > Tor > Hidden Services >' does not address
some security and anonymity issues that TLS does address.
It has always seemed to me that a combination of these two
routes would be ideal. A combination of TLS and Hidden Services
deals with nearly all security and anonymity issues in regards
to remailing that neither alone deals with.
Use of Tor, TLS and Hidden Services in combination should
provide the 'strongest' security and anonymity for remailing
possible.
I have been playing with SocksCap and Stunnel and I think I have
everything routed correctly. At first I thought I would need to
use Socks4a to access Hidden Services, but as it turns out
Socks5 works great (as long as DNSlookup is done at the end by
Tor).
As of yet I have been unable to route an NNTPS connection
through TLS and Hidden Services, I am still playing with NNTPS.
Below I describe how to use QuickSilver with a route of TLS into
Hidden Services (the NNTPS section is not functional yet):
***Note: I am using QS version '1.2.6b2'; non-beta
QuickSilver settings:
> SMTP/M2N Headers:
>
> Host: 127.0.0.1:2525
> From: foo@bar.com
> From: herehere
> Chain: panta,*,*,thrasher; copies=6
>
> No proxies are used.
HTTPS Stats Updates:
> QS > Tools > Remailers >
>
> mlist.txt: http://localhost:4444/stats/stats/mlist.txt
> pubring.mix: http://localhost:4444/stats/pubring.mix
> rlist.txt: http://localhost:4444/stats/stats/rlist.html
> pubring.asc: http://localhost:4444/stats/allkeys.txt
>
> Proxy:
>
> Proxy Host: 127.0.0.1
> Port: 4444
> Socks Level: <none>
Stunnel settings:
> debug = 7
> CAfile = banana.pem
> output = log.txt
> client = yes
> options = all
> RNDbytes = 2048
> RNDfile = bananarand.bin
> RNDoverwrite = yes
> #
> [Panta Hidden Services HTTPS Stats]
> accept = 4444
> connect = rjgcfnw4sd2jaqfu.onion:443
> delay = no
> #
> [Panta Hidden Services TLS host]
> protocol = smtp
> accept = 2525
> connect = rjgcfnw4sd2jaqfu.onion:25
> delay = no
> #
> [Panta Hidden services NNTPS]
> accept = 119
> connect = rjgcfnw4sd2jaqfu.onion:563
> delay = no
I was unsure if the SMTP Stunnel setting of
"rjgcfnw4sd2jaqfu.onion:25" was encrypted with TLS. I checked
the Stunnel log files and the SMTP connection is routed through
Panta's TLS services; as far as I can tell.
Again, NNTPS is not working yet; soon though I hope to figure it
out.
Please play with this route and tell me if I posted any
incorrect information.
Please let me know what you think!
Have a great day!!!
- ---
Question Everything...Stay Safe...herehere
Contact Info:
herehere <at> nym.panta-rhei.eu.org
- ---
-----BEGIN PGP SIGNATURE-----
Version: N/A
iQA/ AwUBQquEGMeAaJ6NbaCwEQMKAwCgvSyw2XtBADyc
loIGFhmDzz10V9IAoNx/
pVudSh1riGtlPJ1zMC/SmSS2
=8oNx
-----END PGP SIGNATURE-----
| Italy Anonymous Remailer 2005-06-12, 7:45 am |
| On Sun, 12 Jun 2005, herehere <thrasher@reece.net.au> wrote:
>I have been trying to route my remailing connection for SMTP,
>M2N, HTTPS Stats and NNTPS as so:
>
>QS > TLS > Tor > Panta's Hidden Services > SMTP/M2N, HTTPS Stats
>and NNTPS
>
>1. A route of 'QS > TLS > Tor >' does not address some security
>and anonymity issues that Hidden Services does address.
Such as?
>2. A route of 'QS > Tor > Hidden Services >' does not address
>some security and anonymity issues that TLS does address.
Such as?
>It has always seemed to me that a combination of these two
>routes would be ideal. A combination of TLS and Hidden Services
>deals with nearly all security and anonymity issues in regards
>to remailing that neither alone deals with.
You keep mentioning these issues but aren't saying what they are.
What are the issues?
>Use of Tor, TLS and Hidden Services in combination should
>provide the 'strongest' security and anonymity for remailing
>possible.
Only until you learn something new and have to add that to your
set up too 
>I have been playing with SocksCap and Stunnel and I think I have
>everything routed correctly. At first I thought I would need to
>use Socks4a to access Hidden Services, but as it turns out
>Socks5 works great (as long as DNSlookup is done at the end by
>Tor).
Socks5 does everything that socks4a can do and more. If you think
that you need 4a to do something you can always do it with Socks5
too. Tor lists 4a as needed simply because that's the minimum
requirement.
>Again, NNTPS is not working yet; soon though I hope to figure it
>out.
AFAIK panta doesn't offer NNTPS, just NNTP. The additional encryption
offered by a hidden service gives you the same gains that NNTPS would
have anyway so there's no real need.
| herehere 2005-06-12, 7:45 am |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
In article <QHRVO19P38515.4781134259@anonymous.poster>
Italy anonymous remailer wrote:
> On Sun, 12 Jun 2005, herehere <thrasher@reece.net.au> wrote:
>
> Such as?
Some examples:
A. DOS attack
B. Traffic Analysis (via Tor)
C. Anonymity issues with Tor's low-latency
D. Reliance *solely* upon Tor and TLS to secure and anonymize your
connection to the entry remailer, Host, HTTPS Stat page and
NNTPS dl's.
>
> Such as?
Some examples:
A. End-to-end Host encryption
D. Reliance *solely* upon HS for security, anonymity and TLS
encryption (used by Tor) of the entry remailer, Host, HTTPS
Stat page and NNTP dl's.
E. Possibility of unknown flaws in the implementation of TLS
encryption used by Onion Route 2:
<http://archives.seul.org/or/talk/Jun-2005/msg00112.html>
F. Intersection and observation attacks
>
> You keep mentioning these issues but aren't saying what they are.
> What are the issues?
Some examples:
A. See above
B. Evil Nodes
C. Traffic Analysis (from meta-data and other sources)
D. DOS Attacks
E. Time Stamps
F. Use of TLS and remailing alone provides your IP to the entry
remailer, Stats page and NNTPS.
FYI, I have posted all of these 'issues' in previous a.p.a-s
threads/posts. For example please see my posts in the a.p.a-s
thread "QS/JBN Naked?".
>
> Only until you learn something new and have to add that to your
> set up too 
Well, what is wrong with trying to improve the security and
anonymity of remailing? (ie. Mixminion)
You may like to be complacent but I do not. I enjoy the
challenge of learning and I believe there is always a way to
improve everything in life.
>
> Socks5 does everything that socks4a can do and more. If you think
> that you need 4a to do something you can always do it with Socks5
> too. Tor lists 4a as needed simply because that's the minimum
> requirement.
4a is not the minimum requirement; it is the 'preferred' Socks
for one reason: DNSlookup through Tor by default. You *can* use
Socks5 (as I have shown) to access HS but I would rather not use
it. Socks5 can leak your DNSlookup when used with certain
protocols and apps. Which protocols and apps leak DNS info is
still unknown; it is better to use 4a just to be safe.
This statement may be refuted in 'or-talk'; please give examples
in regards to use with HS.
<http://wiki.noreply.org/noreply/The...orFAQ#SOCKSAndDNS>
>
> AFAIK panta doesn't offer NNTPS, just NNTP. The additional encryption
> offered by a hidden service gives you the same gains that NNTPS would
> have anyway so there's no real need.
HS uses TLS for node encryption; but HS is still brand new and
all the flaws have yet to be found. There are a few issues with
HS's security and anonymity:
See section 4.4: "Location-Hidden Services" in this PDF paper:
<http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ>
This paper has a section that covers some anonymity issues in
regards to hidden services.
The main reason I like to use TLS and HS in conjunction is I do
not want to put all my security and anonymity "eggs" "in one
basket"...do you?
Three questions:
1. Why would you put down a method that can increase the
security and anonymity of remailing? Testing and questioning is
one thing, but you seem annoyed I posted this info; do you have
issues with attempts to improve remailing security and anonymity?
2. What is wrong with adding additional layers of security,
anonymity and encryption; if it is possible why not use it?
- ---
Question Everything...Stay Safe...herehere
Contact Info:
herehere <at> nym.panta-rhei.eu.org
- ---
-----BEGIN PGP SIGNATURE-----
Version: N/A
iQA/ AwUBQqwf78eAaJ6NbaCwEQNxvgCeP9gcO+dhgMj9
8Y0NXWK/ihi9nksAmwTP
S/4RHY9yQsc01Aog2jVREI4h
=xCEW
-----END PGP SIGNATURE-----
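
The SOCKS4a and SOCKS5 exchange in the posts above turns on which address form a client puts in its CONNECT request: a hostname (the proxy, here Tor, resolves it) or an IP (the client resolved a name before contacting the proxy). The following is an added example, not part of the original thread; it builds both request types and classifies a captured request, using a constructed placeholder name and a documentation-range IP.

```python
import ipaddress
import struct

def socks4a_connect(host: str, port: int) -> bytes:
    """SOCKS4a CONNECT: DSTIP is the marker 0.0.0.1, hostname follows the empty user id."""
    return struct.pack(">BBH", 4, 1, port) + b"\x00\x00\x00\x01" + b"\x00" + host.encode() + b"\x00"

def socks5_connect(host: str, port: int) -> bytes:
    """SOCKS5 CONNECT (sent after the method greeting): ATYP 3 = name, ATYP 1 = IPv4."""
    try:
        addr = b"\x01" + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        name = host.encode()
        addr = b"\x03" + bytes([len(name)]) + name
    return b"\x05\x01\x00" + addr + struct.pack(">H", port)

def classify(request: bytes):
    """Return (kind, destination, port); kind is 'hostname' or 'ip'."""
    ver = request[0]
    if ver == 4:
        port = struct.unpack(">H", request[2:4])[0]
        ip = request[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:
            uid_end = request.index(b"\x00", 8)          # end of user id
            name_end = request.index(b"\x00", uid_end + 1)
            return ("hostname", request[uid_end + 1:name_end].decode(), port)
        return ("ip", str(ipaddress.IPv4Address(ip)), port)
    if ver == 5:
        atyp = request[3]
        if atyp == 3:
            n = request[4]                               # length-prefixed name
            port = struct.unpack(">H", request[5 + n:7 + n])[0]
            return ("hostname", request[5:5 + n].decode(), port)
        if atyp == 1:
            port = struct.unpack(">H", request[8:10])[0]
            return ("ip", str(ipaddress.IPv4Address(request[4:8])), port)
    raise ValueError("not a SOCKS4/4a/5 IPv4 or hostname CONNECT request")

# Constructed sample: a placeholder name, not a real service.
SAMPLE = "placeholder.onion"

if __name__ == "__main__":
    for req in (socks4a_connect(SAMPLE, 25), socks5_connect(SAMPLE, 25),
                socks5_connect("192.0.2.10", 25)):
        kind, dest, port = classify(req)
        note = "proxy resolves the name" if kind == "hostname" else "client resolved before connecting"
        print(f"SOCKS{req[0]} -> {dest}:{port} ({note})")
```
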
| herehere 2005-06-13, 5:47 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Hello all,
> This message was sent through a route of QS > TLS > Tor > Hidden
> Services > M2N > alt.privacy.anon-server.
I am very curious, has anyone tried this route I describe? I
have been using this route for a few days and I have had zero
problems with the route.
I would really appreciate it if someone could verify this route
works on their machine.
This route should work fine with JBN2-Panta Mod. I am not sure
if it will work if you "roll your own" but I am very curious to
find out if it does.
Does anyone have a (quality) opinion regarding this route? I
would like to hear from some 'regulars', I would love to hear
your opinion on this route.
I am going to update my WiKi's to reflect this new route, I am
going to add a new section detailing this route.
I hope some regulars will try this route and let me know what
they think. I hope I am not the only one using this route as it
affords very strong security and anonymity.
Thanks and I look forward to your opinions,
- ---
Question Everything...Stay Safe...herehere
Contact Info:
herehere <at> nym.panta-rhei.eu.org
- ---
-----BEGIN PGP SIGNATURE-----
Version: N/A
iQA/ AwUBQq2R8ceAaJ6NbaCwEQNHlACg0jSdbA1nvhCr
0tGu3aljsUmcOFUAn2yF
T9CIK/CQ924cSdjV9+zop8/Q
=PCJ2
-----END PGP SIGNATURE-----