Can You Access .Onion Sites Without Tor Browser?

by Ciphas

(Note: Thanks to Ben Tasker’s Security Blog and traudt.xyz for being references.)

Can you access .onion sites without the Tor Browser? Short answer? Yes, you can – but I don’t recommend it…I cannot stress this enough.

I’ve mentioned Tor2web proxies in a few previous posts, but didn’t elaborate on them much.

In their own words, “Tor2web is a project to let Internet users access Tor Onion Services without using Tor Browser.” Tor2web and Web2Tor are reverse proxies which allow clearnet users (such as someone using Chrome, Firefox, etc.) to access Tor hidden services.


The proxy listens on port 80 (or sometimes 443) on a clearnet server, and then proxies requests to the Tor hidden service.

If you’re unfamiliar with proxy servers, Indiana University gives a great definition of one: What is a proxy server? (Psst…I talked about this a little in my earlier post ‘Anonymous’ Proxy List?)

The example they use on Tor2web.org is this: when you see an onion URL, for example http://pbfcec3cneb4c422.onion/, you can add “.to,” “.link,” “.cab,” etc. to the end of the URL (e.g. http://pbfcec3cneb4c422.onion.to), and that proxy will connect you to the onion service. Great, right?

Well, no – not great. In spite of its convenience, the problem with using these proxies is that whoever is operating the Tor2web proxy can spy on your web traffic. While this may not sound like a bad thing, if said proxy operator has malicious intent, then you (the user) are basically a sitting duck. Plus, if the point of Tor is being anonymous, and someone can see your web traffic, that defeats the whole purpose!
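An added example (not from Tor2web or from this post's sources): a small Python helper that spots gateway-style links like the one above and rewrites them to the bare .onion address, so they can be opened in the Tor Browser instead. It assumes gateways follow the `<address>.onion.<suffix>` pattern described here; the function names are made up for this sketch.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Onion labels are base32: 16 characters (v2) or 56 characters (v3).
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def gateway_to_onion(url):
    """Return the bare .onion URL if `url` points at a Tor2web-style
    gateway host (<address>.onion.<suffix>), otherwise None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Look for an "onion" label that is NOT the last label of the host.
    for i in range(1, len(labels) - 1):
        if labels[i] == "onion" and ONION_LABEL.match(labels[i - 1]):
            onion_host = ".".join(labels[: i + 1])  # keeps any subdomain
            # The gateway's own port (if any) is dropped with its hostname.
            return urlunsplit((parts.scheme, onion_host, parts.path,
                               parts.query, parts.fragment))
    return None


def find_gateway_links(text):
    """Map every gateway link found in `text` to its .onion equivalent."""
    found = {}
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,)")  # trim sentence punctuation
        onion = gateway_to_onion(url)
        if onion:
            found[url] = onion
    return found


# Constructed sample text; the two onion addresses are the ones quoted in this post.
SAMPLE = """
See http://pbfcec3cneb4c422.onion.to/ for the demo,
or https://6zdgh5a5e6zpchdz.onion.cab/index.html?x=1.
A direct link is fine: http://pbfcec3cneb4c422.onion/
Not a gateway: https://www.torproject.org/
"""

if __name__ == "__main__":
    for gateway, onion in find_gateway_links(SAMPLE).items():
        print(f"{gateway}  ->  {onion}")
```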

In fact, even onion.cab itself – the proxy service, that is – warns users when they first try to access a site this way:

[Screenshot: the onion.cab warning]

If this doesn’t sound bad, then it should be noted that not only can the operator see your web traffic, but they can also modify it and inject code if they so desire.

Ben Tasker’s Security Blog has an excellent post about this called Don’t Use Web2Tor/Tor2web (especially Onion.cab) – the example he gives is that some Web2Tor services “have some pretty bad habits, including playing fast and loose with your privacy.”

If you visit https://6zdgh5a5e6zpchdz.onion, but do so through onion.cab instead of through Tor, the proxy service injects Piwik analytics code into the page, which looks something like this:

[Screenshot: the injected Piwik tracking code]

So why should you care? Well, the proxy service that injected the code now knows that your IP address accessed said onion service at a specific time. In addition, they’re also executing code in your browser that the operator of the original site is unaware of.

Some of the information that this code can discover about you is:

  • The title of the page you’re viewing
  • An ID for the site
  • The time that you made the request
  • The exact URL you were looking at
  • The page that sent you to that URL
  • Details of which plugins you have installed
  • Whether cookies are enabled
  • Your screen resolution
  • A unique ID for you

Alternatively, this third-party operator can inject code into the site that may track you across hidden services – that is, if you’re using the onion.cab proxy.
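One way a site operator or researcher could check for this kind of injection, as an added example that is not from Ben Tasker's post or any Tor2web code: take a copy of a page fetched directly over Tor and a copy of the same page served by a gateway, and list the scripts that exist only in the gateway's copy. The two sample pages, the `stats.gateway.example` host and the function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Record each <script>: external ones by src, inline ones by body hash."""

    def __init__(self):
        super().__init__()
        self.scripts = {}     # identity -> human-readable description
        self._inline = None   # text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts[("src", src)] = f"external script: {src}"
            else:
                self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = " ".join("".join(self._inline).split())  # normalise whitespace
            digest = hashlib.sha256(body.encode()).hexdigest()
            self.scripts[("inline", digest)] = f"inline script: {body[:60]}"
            self._inline = None


def script_inventory(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(origin_html, proxied_html):
    """Scripts present in the gateway's copy but not in the copy fetched over Tor."""
    origin = script_inventory(origin_html)
    return [d for key, d in script_inventory(proxied_html).items() if key not in origin]


# Constructed sample pages; the tracker host and snippet are stand-ins,
# not the code onion.cab actually injected.
ORIGIN = ('<html><head><script src="/static/app.js"></script></head>'
          '<body><h1>Hello</h1></body></html>')
PROXIED = ORIGIN.replace("</body>",
    "<script>var _paq = _paq || []; _paq.push(['trackPageView']);</script>"
    '<script src="//stats.gateway.example/piwik.js"></script></body>')

if __name__ == "__main__":
    for finding in injected_scripts(ORIGIN, PROXIED):
        print(finding)
```

Comparing script inventories rather than diffing the raw HTML keeps the check focused on code that will execute in the visitor's browser.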

You can even contract malware via some Tor2web proxies – read this article by Virus Bulletin: “Vawtrak uses Tor2web to connect to Tor hidden C&C servers.” Granted, this article is over two years old, but it can still give you an idea of what might happen if you rely on these proxies.

Thus, if your concern is privacy, it should be obvious why you don’t want to give this information away. The same goes for any proxy, really, but again, if you’re using Tor for anonymity, then accessing so-called “hidden services” via the clearnet is pointless.

I know that a lot of people who explore the “dark web” for fun just say, “Give me links!” But if you want to explore those links, do so in the right way – use the Tor Browser (from https://www.torproject.org/), and don’t try to do so via the clearnet.

There’s a reason it’s called the “dark web,” after all.


Cicada 3301 Puzzle in 2016 (No, I Haven’t Solved It!)

 


I have long been an enthusiast of puzzles, particularly those of the verbal type. Nevertheless, I can safely say that I’ve yet to encounter something as difficult and complex as Cicada 3301 (and I’m sure many would agree). Trust me, if I had figured out all the answers already, I’d probably be a part of the organization, and might be helping come up with the puzzles.

I’m also a bit “late” to this game, considering that it originally started on January 4, 2012, but would like to contribute however possible. What I have learned thus far in my reading and study is that the Cicada puzzles require knowledge of cryptography, history, language, steganography, and coding (hooray!).

The previous clues have appeared across the world in both physical and digital media, music, Linux CDs, and other media. And the past puzzles have referenced many historical, literary, artistic, and philosophical areas: Agrippa: A Book of the Dead, by William Gibson, Francisco Goya, M.C. Escher, Self-Reliance by Ralph Waldo Emerson, Carl Jung, Kabbalah, and Friedrich Nietzsche, just to name a few.

But that’s nothing new; you could’ve known all that from the Wikipedia article (Cicada 3301 – Wikipedia)!

From what I gather, there are many clues in the CICADA 3301 Liber Primus Sacred Book, which is more or less the “holy book” of Cicada 3301, so to speak.  The book was originally written in runes, though a Latin translation also exists.

In the process, I’ve begun following the official Cicada Twitter account (@1231507051321).  “They” have recently been tweeting cryptic messages in the form of 5-digit strings of numbers.  Under their bio section, it reads this:

 

I presume this is some kind of cipher, but I haven’t yet solved it (and I’m certain some people out there already have).  Honestly, this gives me the urge to learn more about cryptography, ciphers, and other fields of which I have limited knowledge, so that I can get closer to the truth.

The thing is, I’m already in the process of learning coding, gaining knowledge of the dark web, and writing as much as possible, so to add this onto my plate as well would be like taking on an interdisciplinary major!


Cult Status?!?!

I’m already fully aware that there have been cult/terrorist allegations against Cicada 3301, in particular by Dr. Tim Dailey of the Family Research Council, and I think it’s utter bullshit (in spite of the fact that they talk about a “holy book” and such).  If anything, that’s more figurative.

Anytime something of this nature comes out, there’s always someone who’s going to call it a cult, terrorist group, or devil worship, etc.  To them, I say:

[Image]

My interest is primarily in solving the puzzles, because I just love a good mystery, and it’s very satisfying when you come up with the conclusion.

This looks like one of those posts that deserves a sequel or two…or three…or a whole season.