Can You Access .Onion Sites Without Tor Browser?

by Ciphas

(Note: Thanks to Ben Tasker’s Security Blog and traudt.xyz for being references.)

Can you access .onion sites without the Tor Browser? Short answer? Yes, you can – but I don’t recommend it…I cannot stress this enough.

I’ve mentioned Tor2web proxies in a few previous posts, but didn’t elaborate on them much.

In their own words, “Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser.” Tor2web and Web2Tor are reverse proxies which allow clearnet users (such as someone using Chrome, Firefox, etc.) to access Tor hidden services.

The proxy listens on port 80 (or sometimes 443) on a clearnet server, and then proxies requests to the Tor hidden service.

If you’re unfamiliar with proxy servers, Indiana University gives a great definition of one: What is a proxy server?  (Psst…I talked about this a little in my earlier post ‘Anonymous’ Proxy List?)

The example used on Tor2web.org is that when you see an onion URL, for example http://pbfcec3cneb4c422.onion/, you can add “.to,” “.link,” “.cab,” etc. to the end of the URL (e.g. http://pbfcec3cneb4c422.onion.to), and that proxy will connect you to the onion service. Great, right?

Well, no – not great. In spite of its convenience, the problem with using these proxies is that whoever is operating the Tor2web proxy can spy on your web traffic. While this may not sound like a bad thing, if said proxy operator has malicious intent, then you (the user) are basically a sitting duck. Plus, if the point of Tor is being anonymous, and someone can detect your web traffic, that defeats the whole purpose!

In fact, even onion.cab themselves – the proxy service, that is – warns users when they first try to access a site this way:

[Screenshot: the onion.cab warning notice]

If this doesn’t sound bad, then it should be noted that not only can the operator see your web traffic, but they can also modify it and inject code if they so desire.

Ben Tasker Security Blog has an excellent post about this called Don’t Use Web2Tor/Tor2web (especially Onion.cab) – the example he gives is that some Web2Tor services “have some pretty bad habits, including playing fast and loose with your privacy.”

If you visit  https://6zdgh5a5e6zpchdz.onion, but do so through onion.cab instead of through Tor, the proxy service injects piwik analytics code into the page, which looks something like this:

[Screenshot: the injected Piwik tracking code]

So why should you care? Well, the proxy service that injected the code now knows that your IP address accessed said onion service at a specific time. In addition, they’re also executing code in your browser that the operator of the original site is unaware of.

Within the code, some of the information that it can discover about you is:

  • The title of the page you’re viewing
  • An ID for the site
  • The time that you made the request
  • The exact URL you were looking at
  • The page that sent you to that URL
  • Details of which plugins you have installed
  • Whether cookies are enabled
  • Your screen resolution
  • A unique ID for you
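To make the list above concrete, here is an added example (not code from the original post or from Ben Tasker’s article) that decodes one tracking request into those items. The parameter names are those of the Piwik/Matomo tracking HTTP API; the sample request, its hostnames and its values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Piwik/Matomo tracking-request parameters, mapped to the items listed above.
FIELDS = {
    "action_name": "page title",
    "idsite": "site ID",
    "url": "exact URL viewed",
    "urlref": "referring page",
    "res": "screen resolution",
    "_id": "unique visitor ID",
}
TIME_PARAMS = ("h", "m", "s")  # visitor's local hour, minute, second
PLUGIN_PARAMS = ("fla", "java", "dir", "qt", "realp", "pdf", "wma", "gears", "ag")

# Constructed sample request (hostnames and values are made up).
SAMPLE_BEACON = (
    "https://analytics.example/piwik.php?idsite=7&rec=1"
    "&action_name=Example%20Forum"
    "&url=https%3A%2F%2Fexampleonionaddress.onion.cab%2Fthread%2F42"
    "&urlref=https%3A%2F%2Fsearch.example%2F%3Fq%3Dforum"
    "&_id=0123456789abcdef&h=14&m=5&s=9&res=1920x1080"
    "&cookie=1&pdf=1&java=0&fla=1"
)


def decode_beacon(request_url):
    """Return what a single tracking request discloses, keyed by plain labels."""
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    first = {name: values[0] for name, values in query.items()}
    report = {label: first[param] for param, label in FIELDS.items() if param in first}

    if "cookie" in first:
        report["cookies enabled"] = first["cookie"] == "1"
    if all(p in first and first[p].isdigit() for p in TIME_PARAMS):
        h, m, s = (int(first[p]) for p in TIME_PARAMS)
        report["local time of request"] = f"{h:02d}:{m:02d}:{s:02d}"
    plugins = sorted(p for p in PLUGIN_PARAMS if first.get(p) == "1")
    if plugins:
        report["plugins detected"] = plugins

    # When the page was loaded through a Tor2web-style host such as
    # <name>.onion.cab, the reported URL also names the onion service.
    labels = (urlsplit(first.get("url", "")).hostname or "").split(".")
    if "onion" in labels:
        report["onion service revealed"] = ".".join(labels[: labels.index("onion") + 1])
    return report


if __name__ == "__main__":
    for label, value in decode_beacon(SAMPLE_BEACON).items():
        print(f"{label}: {value}")
```

The analytics host receives all of this together with the source IP address of the request, which is what ties the visit to you.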

Alternately, this third party operator can inject code into the site that may track you across hidden services – that is, if you’re using the onion.cab proxy.

You can even contract malware via some Tor2web proxies – read this article by Virus Bulletin – Vawtrak uses Tor2web to connect to Tor hidden C&C servers. Granted, this article is over two years old, but it can still give you an idea of what might happen if you rely on these proxies.

Thus, if your concern is privacy, it should be obvious why you don’t want to give this information away. The same goes for any proxy, really, but again, if you’re using Tor for anonymity, then accessing so-called “hidden services” via the clearnet is pointless.

I know that a lot of people who explore the “dark web” for fun just say, “Give me links!” But if you want to explore those links, do so in the right way – use the Tor Browser (from https://www.torproject.org/), and don’t try to do so via the clearnet.

There’s a reason it’s called the “dark web,” after all.

Should You Use a VPN with Tor? (Well, No.)

This seems to be a very frequently asked question, and on many sites, people will tell you that you should use a VPN with Tor, for “extra protection.”

Based on my research, however, I disagree – and this seems to be an unpopular opinion. One reference I’d like to cite is a blog post by Matt Traudt, a.k.a. system33-, who is someone I respect with regard to Tor. The post in question is VPN + Tor: Not Necessarily a Net Gain.

One of the points he brings up here is the following:

Tor is trustless, a VPN is trusted. Users don’t have to trust every Tor relay that they use in order to stay safe with Tor. As long as the right ones aren’t compromised, working together, or otherwise malicious, the user stays protected.

This is the main problem with insisting on combining Tor and a VPN. VPNs can keep logs of your activity online (though some claim not to), whereas Tor does not.

However, using a VPN can hide your Tor usage from your ISP, especially if said ISP is suspicious of Tor.

The Tin Hat, on their post Tor And VPN – Using Both for Added Security, also makes the point that “Where this setup fails is at hiding your traffic from a malicious Tor exit node. Because the traffic goes through the VPN, and then to the Tor network, exit nodes can still watch your traffic unencrypted.”

My preference, personally, is to use a Linux distribution with Tor, like Tails or Qubes, or for the more advanced, Arch Linux or Manjaro Linux. These, of course, take time to learn and won’t do everything for you, but they are designed for security. While this doesn’t mean they are vulnerability-free, they can improve your protection, particularly if you understand their ins and outs.

Don’t get me wrong – Unix-like OS’s are not invincible – see Sophos: Don’t believe these four myths about Linux security, but depending on the situation, it’s preferable to using an OS like Windows.

Oddly enough, I haven’t “contracted” any malware via the dark web – at least not to my knowledge. This has happened more often on the clearnet, ironically. Maybe it’s because I don’t download mysterious files or install programs that I find randomly on networks like Tor.

I’m paranoid that way.

What about you, readers? What OS’s do you prefer to use (specifically in combination with Tor, I2P, Freenet, etc.)?

In the meantime, enjoy your dark web adventures, my friends – and please research any VPN or other “privacy” software before trusting it blindly.

‘Anonymous’ Proxy List?

I forget exactly where I found this link – I think it was either Electronic Frontier Foundation or Privacy Tools  – but it’s a list of supposedly anonymous proxy servers, generated by a set of particular search engine terms:

+":8080" +":3128" +":80" filetype:txt

This returns results for lists of proxy servers that use ports 8080, 3128, and 80, which are apparently more anonymous than average proxies.

You’ll get different results if you use different search engines, too:

qwant.com: proxy list

Blackle.com: proxy list

For the curious, here are some of the actual results that you might get as well:

rebro.weebly.com: proxy list

Proxy Spider: short proxy list

kan339: proxy list

lategoodies.tripod.com: proxy list

h3furnitureoutlet: proxy list (yeah, a furniture outlet has a proxy list)

proxy IP list: anonymous

jobabroad.sweb.cz: proxy list

playinator.com: proxy list

Even so, as I mentioned in a few earlier posts, this all depends on whether you trust proxies at all. Which is why I haven’t used any of these, personally.

It’s similar to using a VPN in combination with Tor. Are you really anonymous when doing this? That depends on whether or not you trust your VPN provider! By the same token, it’s very risky to use certain proxies, unless you know what data the proxy server is collecting about you. Never mind the fact that .txt documents can contain malware (just as some PDFs on Tor do). Read Should You Trust Any Proxy? to find out a little more.

Regardless, it’s an interesting experiment to try Googling this, even if you don’t decide to use the proxy services themselves. Most of the sites look like this:

[Screenshot: an anonymous proxy list site]

While the idea of “anonymous proxy server” sounds great, in theory, they could be just like malicious Tor exit nodes – intending to steal data or worse.

So yes, these proxies exist. Should you use them? That’s up to you.

Call me paranoid, but personally, I wouldn’t.

 

Alienet: a Different Sort of VPN

[Screenshot: the Alienet site]

by Ciphas

Good morning, readers! I’m back after quite the hiatus. I confess this is because I’ve been writing for other publications! (That’s good, right?)

I’ve also been (as the title says) exploring quite a few more darknets beyond just Tor, I2P, and Freenet. Maybe this is obvious to some, but those three are only the tip of the proverbial iceberg.

Anyhow, those of you who watch SomeOrdinaryGamers on YouTube (specifically his “Deep Web Browsing” series), might recognize the site above, called Alienet. He covered it in his video AYYLMAO PARALLEL NET!?!.

According to the person (people?) who run Alienet, it’s a VPN-based hidden network that emphasizes privacy, anonymity, and security.

In their words (misspellings left intact):

Alienet is the only hidden network that will totally hide your ass from the big brother: when you’re connected to Alienet, your machine will result OFFLINE for the entire internet wolrd! Is that safe enough? Enjoy my dears…..

Spelling and grammar errors aside, I do believe that Alienet is a legit network (in spite of Tor’s plethora of scams).

It uses OpenVPN, an open-source SSL VPN. OpenVPN allows remote access, site-to-site VPNs, and a number of other configurations.

In order to join Alienet, you have to install OpenVPN (of course), and then ask for an Alienet Client Key. The admin will ask you for some particular information, including your operating system, encryption keys, and a contact email.

 

OK, sounds pretty simple, right? I haven’t actually connected to the network yet, but I have tried one of their other services, specifically AnonyMail, which is a privacy-themed email service.

[Screenshot: AnonyMail]

Of note: AnonyMail works on both the clearnet and on the Tor network, so you can receive emails from darknet email clients like SIGAINT and OnionMail, as well as most clearnet email providers.

I did a test email to one of my darknet friends through AnonyMail, and it worked with no issues, so I’m assuming that it’s perfectly OK.

The other day, I also finally connected to OpenVPN (I was having password issues initially), and it works just fine. So…once I finish the Alienet process, I’ll probably do a “Part 2” about that.

The site also explains that once you connect to Alienet, you can access “.anon sites,” which aren’t official DNS names – they certainly aren’t listed at IANA – Root Zone Database (i.e. the official list of approved domain names). I believe this is how the .onion domain name was originally created.

Some DNS names, after they’ve been submitted for approval, do become official names, but that takes a long time.

Anyhow, I thought this might interest some of you. Take a look at the network, and let me know if you find anything interesting!

Dark Web Chat: Liberty or Depravity?

I was trawling the dark web yesterday looking for writing inspiration (yes, I do that), and what did I find?

No, it wasn’t any disturbing images, sick videos, or child pornography – it was a couple of chat rooms. That sounds innocent enough, but what I’ve learned during my research is that if you give people complete anonymity, they’ll feel free to be themselves.

In the context of the dark web, this can mean a lot of things.

[Screenshot: The not Evil chat on Tor.]

In one sense, it’s ideal for whistleblowers, hackers, and others who merely require privacy for what I would consider “legitimate” reasons. In another, it’s also ripe for pedophiles and other depraved individuals who, for obvious reasons, would want to remain anonymous, but are inclined to share sick imagery and the like.

I’m sure I’m not the first to express this, but I want to give my take on it. So, as I say frequently, it isn’t all sick and disturbed individuals that I’ve come across.

One of the first chat rooms I checked out on the Tor network was one linked to the not Evil search engine, and seemed relatively harmless. (It’s the one in the screenshot above.)

Occasionally, it would have a visitor asking for something along the lines of drugs or the aforementioned red rooms, but that was about it. Although one time, I did receive a message from a user who was a complete stranger:

Anonymous: Hi there. Need to hire a hacker or ruin someone’s reputation?
Me: No, just doing research. Thanks!
Anonymous: ok, well if you do then contact me.

All in all, it wasn’t the strangest exchange I’ve ever had on Tor, but it may have shown my naivete. Since then, I’ve gone back to the not Evil chat rooms, and have rarely had a similar conversation (if you can even call it that).

Going a Little Deeper

[Screenshot: OnionChat]

Oh, the jokes I would’ve made in 3rd grade over that.  Anyhow, another chat room which I’ve used a few times goes by the name of OnionChat.  Like the previous one, it seemed relatively harmless, although I suppose you never know who you’ll come across.

In my most recent experience with that place, someone was doxing Donald Trump (surprise, surprise) and his family members.  The person released not only their addresses, but social media accounts, phone numbers, email addresses, registry domains, and IP addresses.  (Not that I’m going to share that information here, as much as I might be tempted to.)

Snowden or Honeypot? (WARNING!!!!)

Via that same chat room, I received a link to another slightly more mysterious chat room that was supposedly connected to WikiLeaks.  In that room, you would be given a randomly generated name before you started chatting (such as “BobRoss09”).  Next to the little chat box was a button labeled “Destroy,” which would supposedly purge any chat messages you had left there forever.

The idea behind it (again, in theory) was that if you wanted to submit leaked documents or information to WikiLeaks, you could do it there secretly.  Unfortunately, I have no idea if it was genuine, a honeypot, or something worse, and because of that, I’m going to go with fake.  I tend not to trust random strangers on the dark web (good philosophy, right?).

It’s possible that the chat room was actually set up by federal law enforcement to catch those who were leaking confidential documents, or set up by someone with malicious intent who wanted to steal important documents.  Either way, I’m going to nope the fuck out of there.

By the way, if you really want to submit information to WikiLeaks, they have an official Tor hidden service at WikiLeaks Upload and Form Submission.  You can also find their public PGP key here: https://wikileaks.org/#submit_wlkey.  For Tor users, here’s the equivalent .onion address: http://wlupld3ptjvsgwqw.onion/wl-submission-key.html (I promise that that one’s not a scam).

A Festering Sewer

The worst chat room I’ve come across so far is another one which I won’t share the link to, because I just know that some of you will click on it.

Essentially, it was the type of place where nothing was out-of-bounds, including child pornography, animal abuse, and/or hurtcore.  People would discuss their beyond-sick fantasies in graphic detail, and would also share images and videos candidly.

In fact, it was one of those places where, in order to be admitted to the chat room in the first place, you had to share some CP images or videos.  That way they would (in theory) know that you weren’t a cop.

I confess that initially, I did try to join the chat room (if only for research purposes, I swear!), but once I knew that you had to upload this disgusting material in order to join, I hastily made my exit. What I can do is try to simulate the conversations for my readers (without getting too graphic).

Girllover: anyone got pics of young girls
sickfuck: i do hold on
sickfuck: here [689389.jpg]
Girllover: oh wow, that’s hot thanks
necrophile44: anyone have pics of young dead girls?
sickfuck: oh necro, you drive a hard bargain [09890.jpg]

Well, you get the idea.  The real thing is much worse than what I’ve written here.  I suppose, in theory, just chatting about these concepts isn’t illegal, but the type of people who have these fantasies I would expect to have much worse on their computers.

And I’m sure that this is far from the only chat room of its type on the dark web.  It merely shocked me because I hadn’t often taken the opportunity to actually enter one of the chat rooms before.

Am I being corrupted by my dark web research?  I don’t think so, but it can take a toll on you sometimes.

As Nietzsche once said, “He who fights with monsters should look to it that he himself does not become a monster. And if you gaze long into an abyss, the abyss also gazes into you.”

Is That All There Is? (No, Actually.)

I still say that, in spite of the sometimes-horrifying things that you can find on Tor, Freenet, and other networks, they’re still necessary.  In an increasingly surveillance-ridden world, there is a need for privacy.

If that means that sometimes crazy and disturbed individuals will form communities, so be it.  I think that eventually, they will be found out, one way or another.  I still consider myself an advocate of privacy and security.

I’ve just had my eyes opened to the dark corners; that’s all.

 

Privacy Tools Part 2: uBlock Origin, RedMorph Browser Controller

Believe it or not, what prompted this post was a comment on one of my older posts,  If We Built This Large Wooden Privacy Badger.  The commenter said that “…there are several other new extensions that are better than Privacy Badger. With tracker domains constantly changing and also first party websites directly loading tracker technology, Privacy Badger heuristic approach will not work.”

I have to admit that I considered this as well; how does Privacy Badger “know” which domains are safe and which aren’t?

According to the Electronic Frontier Foundation, who developed it:

…Privacy Badger keeps note of the ‘third party’ domains that embed images, scripts, and advertising in the pages you visit.  If a third party server appears to be tracking you without permission, by using uniquely identifying cookies…to collect a record of the pages you visit across multiple sites, Privacy Badger will automatically disallow content from that third party tracker.  In some cases a third-party domain provides some important aspect of a page’s functionality…[i]n those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies and referrers. [Full description available at site]

While this is all true, an algorithm can only be so smart.  I suppose you could ask that of any ad-blocking software, but there must be better options out there.
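A simplified model of the heuristic EFF describes above, as an added example; it is not Privacy Badger’s own code. The three-site threshold, the `looks_identifying` test, the action names and every domain and cookie value below are assumptions or constructed samples chosen for illustration.

```python
from collections import defaultdict

TRACKING_THRESHOLD = 3  # assumed: distinct first-party sites before acting
LOW_ENTROPY_VALUES = {"1", "0", "true", "false", "yes", "no", "en", "en-us"}

# Constructed sample: (site visited, domain embedded in it, cookie it set).
SAMPLE_EVENTS = [
    ("news.example", "ads.tracker.test", "9f3c2a71b8e4d605"),
    ("shop.example", "ads.tracker.test", "9f3c2a71b8e4d605"),
    ("blog.example", "ads.tracker.test", "9f3c2a71b8e4d605"),
    ("news.example", "cdn.maps.test", "7c1e55a09b2d4f38"),
    ("shop.example", "cdn.maps.test", "7c1e55a09b2d4f38"),
    ("blog.example", "cdn.maps.test", "7c1e55a09b2d4f38"),
    ("news.example", "fonts.static.test", ""),
    ("shop.example", "fonts.static.test", ""),
    ("blog.example", "fonts.static.test", "en"),
    ("news.example", "widget.social.test", "5d5d0e7712aa90ff"),
    ("shop.example", "widget.social.test", "5d5d0e7712aa90ff"),
    ("news.example", "img.news.example", "aa11bb22cc33dd44"),
]


def looks_identifying(cookie_value):
    """Crude stand-in for 'uniquely identifying': long and varied enough."""
    value = cookie_value.strip().lower()
    return len(value) >= 8 and value not in LOW_ENTROPY_VALUES and len(set(value)) >= 5


class TrackerHeuristic:
    def __init__(self, needed_for_functionality=()):
        self.sites_seen = defaultdict(set)  # third party -> first-party sites
        self.needed = set(needed_for_functionality)

    def observe(self, first_party, third_party, cookie_value):
        # Content from the site itself or its subdomains is not third party,
        # so a tracker served from the first party is never counted.
        if third_party == first_party or third_party.endswith("." + first_party):
            return
        if cookie_value and looks_identifying(cookie_value):
            self.sites_seen[third_party].add(first_party)

    def decision(self, third_party):
        if len(self.sites_seen.get(third_party, ())) < TRACKING_THRESHOLD:
            return "allow"
        # Domains the page needs stay reachable, minus cookies and referrers.
        return "cookieblock" if third_party in self.needed else "block"


def decide_all(events, needed_for_functionality=()):
    heuristic = TrackerHeuristic(needed_for_functionality)
    for first_party, third_party, cookie_value in events:
        heuristic.observe(first_party, third_party, cookie_value)
    domains = {third_party for _, third_party, _ in events}
    return {domain: heuristic.decision(domain) for domain in sorted(domains)}


if __name__ == "__main__":
    for domain, action in decide_all(SAMPLE_EVENTS, {"cdn.maps.test"}).items():
        print(f"{domain}: {action}")
```

The `img.news.example` row is the case the commenter raises: a tracker loaded from the first party’s own domain never counts as a third party, so a heuristic of this shape leaves it alone.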

Therefore,  I realized it was time to begin exploring again.  The more I delve into this topic, the more I become aware of how many privacy tools are in existence (almost too many to count).  This does not, of course, mean that they are all effective, or even useful.

Just Because You’re Paranoid…

Previously, in Privacy Tools: Ghostery vs. Adblock Plus, I compared these two apps and their various pros and cons.  Also, in said post, I examined the app Privacy Badger, which performs similar functions (though you can use all three together).

So, when I started hunting for alternatives, I visited the site AlternativeTo.net: Privacy Badger Alternatives.  Some of the software listed provides quite different functions from the aforementioned apps.

uBlock Origin definitely has a small and easy to use interface (do you like my poorly edited screenshot?):

[Screenshot: the uBlock Origin interface]

uBlock Origin blocks ads using filter lists such as EasyList, EasyPrivacy, Peter Lowe’s Ad Server List, and Malware Domain List. You can add additional domains to the list under the “My Filters” list in Settings.

As with all ad blockers, using uBlock Origin will occasionally interfere with the functionality of a site, and will also piss off certain site owners, who may “respond” with messages like this:

[Screenshot: a site’s message to ad-blocker users]

And yes, I get that; I know that ads are how most sites make money.  I’m willing to turn off ad blockers on sites that I trust.  But there are others that just constantly bombard you with pop-ups (and I’m not just talking about porno sites here), to the point where you can barely use the site itself. Those are the sites that apps like uBlock Origin and Adblock Plus were designed for!

Of note – uBlock Origin also features an “element picker” mode (click on the little eyedropper icon), in which you can view the code of specific elements on a page, such as buttons or intrusive ads.  If that particular element is something you want to block, hit the “Pick” button.  This would likely be considered one of the “advanced” features, but it’s quite useful once you get the hang of it.

What I’ve also noticed is that UO appears to block more ads than some of its competitors (like, uhh…Adblock Plus.).  It also has an “advanced” mode, which you can toggle by checking the box below:

[Screenshot: the uBlock Origin “advanced user” checkbox]

The “advanced user” settings pertain to things like behind-the-scene network requests that the average user would likely be unfamiliar with.  With the advanced settings enabled, you can custom block requests from specific hostnames (e.g. “wordpress.com”) or specific object types (e.g. 1st-party scripts).  If this sort of thing is something that you understand, and would likely benefit from, then I would suggest checking it off.  If not, don’t!

RedMorph Browser Controller 

Is it just me, or does the name “RedMorph” sound like a supervillain?  Well, thankfully it’s not, although the websites that rely on ads might disagree.

RedMorph Browser Controller, unlike some of its contemporaries (uBlock Origin, AdBlock, etc.), combines several different security aspects into one app: privacy tool, ad-blocker, parental control device, and encrypted proxy.

For example, under its “Block Trackers and Content” feature, you have the option to block cookies, trackers, images, third party trackers, and social trackers.  (You can, of course, customize the level of security which you want to use.)

You also have the option of using “Website and Word Filters,” which are generally intended for parents and schools to use for their children (although I suppose you could censor the web for yourself, too):

[Screenshot: RedMorph “Website and Word Filters”]

I confess I’m rather new with this app, but it seems to work very well so far.  RedMorph also includes a feature called SpyderWeb, which can give you a comprehensive overview of what domains (and third parties) are tracking you, and how.  It’s a little intimidating when you look at the graph:

[Screenshot: the SpyderWeb graph]

Now do you see why I’m paranoid?  (I joke.)  RedMorph does give you a fair amount of options as to which trackers and domain names you can block, which is comforting.  It also offers a proxy feature called “Make Me Invisible,” through which you can select proxies in various locations.  On the downside, you have to be a paid member to use this feature.

All in all, I do like RedMorph as well; in fact, you might say it’s better than some of the other apps.  Instead of installing a separate proxy, ad-blocker, and content filter, you can just have all of them together.

I have yet to try the full version of the program, but I trust that it does its job efficiently.  Heck, even Bane approves!

Of course, there are tons of other privacy tools out there, and I have yet to try them all.  But at least I can cross two off of my list.

Let the adventures continue!!

 

 

Privacy Tools: Ghostery vs. Adblock Plus

How many times have you heard this line?  “They’re watching you…” (A lot, I would imagine.)

Unfortunately, I’ve begun to realize that it’s true (at least with regard to the web).  Even when using the Tor network, which was created with privacy in mind, you’re still under surveillance, which is why some people have stopped using it altogether. (Although that hasn’t stopped me, the intrepid writer.)

Nonetheless, when you’re on the clearnet, there are some tools and plugins that can enhance your privacy (if not ensure it 100% of the time).

In a previous post, If We Built This Large Wooden Privacy Badger…, I discussed the plugin Privacy Badger, created by the Electronic Frontier Foundation (EFF).  For the most part, I’ve had a very positive experience with said Badger – he’s not a friend of trackers, trust me:

So, I thought it reasonable to compare some of the other popular privacy tools with Privacy Badger, to see which worked the best.

Do You Believe in Ghostery?

*ba-domp ching!*  For those who haven’t heard of Ghostery, it’s a web privacy-themed company; they’re the developers of the Ghostery browser extension.  The extension monitors the various web servers that are being called upon from any given webpage, and matches them against a list of data collection tools (a.k.a. trackers).

And yes, I realize it’s already been reviewed on Lifehacker and other sites, but I still wanted to take a stab at it, and not just take everyone else’s word for it.

With Ghostery enabled, each time you visit a webpage, it searches for all the trackers connected to that site, and compiles them into a neat list, which it will display each time you access a new site:

[Screenshot: the Ghostery tracker list]

If you then look at the icon displayed on your menu bar, a little number should be showing next to it, indicating how many trackers have been found on that specific site.  Click that icon, and a dropdown menu (called the “Findings Panel”) will list the specific names of the trackers.  From that menu, you can choose to block or allow any specific tracker:

[Screenshot: the Ghostery “Findings Panel”]

Granted, as with Privacy Badger and some of the other privacy apps, if you disable all the trackers on certain sites, the sites won’t work properly.  This, of course, is why you have the option of enabling or disabling each tracker individually.

If you only want to temporarily pause blocking so that you can use all of a site’s functions, then that’s what the “Pause Blocking” button is for.  On the other hand, if you trust a site completely, you can click “Whitelist Site.”

Like this blog, right?  You trust me, don’t you??

All in all, I’ve found Ghostery to be quite useful, but I choose to opt out of their Ghostrank™ feature, which “collects anonymous data about the trackers you’ve encountered and the sites on which they were placed.” In theory, this feature is used to help businesses market themselves more transparently (and in a less intrusive way), but it’s also a way for Ghostery to make money – hey, did you think they were doing this for free?

Finally, under its options, Ghostery will show you a list of trackers that it’s blocked, in different categories (e.g. Advertising, Analytics, etc.).  You can choose to enable or disable any of these functions in order to optimize your web experience.

Cockblock Plus…I mean…Adblock Plus

Excuse me, little Freudian slip there!! This is what I meant:

[Image: Adblock Plus logo]

Adblock Plus is, in a sense, very similar to Ghostery. Sometimes, however, they block different trackers (or different types of trackers).

Actually, one immediate difference that I noticed between ABP and Ghostery was that Ghostery tells you which specific domains it’s blocking, whereas ABP doesn’t.  It merely tells you how many ads it’s blocked on that page, as well as how many in total.

As a matter of fact, this initially appears to be a disadvantage, because it’s kind of an “all-or-nothing” approach.  However, ABP has a different method for blocking specific elements on a page.

If you right-click on certain page elements, a menu like this should appear (this one’s for Chrome):

[Screenshot: the Adblock Plus right-click menu in Chrome]

Click the option that says “Block element.”  Another window should appear, listing the specific page element – you can then add that to your “blacklist” of blocked elements.

[Screenshot: the “Block element” window]

All in all, Adblock Plus works similarly to Ghostery, but after playing around with it a little, it seems slightly more geared toward the techies among us (me included)!  So really, which one you use (if any) is just a matter of personal preference.

That being said, these are far from the only privacy tools available – perhaps I shall save the rest for a future post.

In the meantime, I’m going to go back to hiding in my paranoia shelter.
