Red Room Follow Up, Part II

Previously, on Secrets of the Dark…

We examined the claim that there are, in fact, red rooms on the dark web. Several readers had said that they had either witnessed a red room, or knew someone who had been victimized by one. Well, this is the only red room I’ve seen:

giphy (66).gif

Twin Peaks fans, anyone? But I digress. So, in the last post, I suggested that you could create a red room, if you wanted to – but how?

Assuming that Tor is too slow to stream video, you may be able to use something like a private network for this purpose, or a VPN. A private network is defined under RFC 1918: Address Allocation for Private Internets, if you want the technical details. However, even some VPNs have difficulty streaming video. If you’re curious about this, for further reading: 5 Best VPNs for Streaming 4K Video Online. I would think that a commercial VPN wouldn’t be cool with you streaming live murders over their connection either, however.

ಠ_ಠ

Once you had your network complete, you would still have to advertise your site in some way, and also attract victims (this, in my opinion, would be the most difficult part). Maybe some people assume that it’s like the Taken movies? I don’t know.

OK, so you have your VPN, your potential victims, and then you would have to set up your site somewhere, which would result in hosting costs (and thus, a potential paper trail). Plus, on top of that, if customers are paying in bitcoin, that means that the transactions would appear on the blockchain, which is public:

bitcoin-blockchain-2

I suppose that, in theory, like on the darknet markets, you could use a bitcoin mixer, but then the operators of the mixer would have blood on their hands, so to speak. They might not want to get involved with such a thing. So, to add to the complications, you would have to create your own mixer, or find one that didn’t care about what you were using the bitcoin for (including murder).

Ready to run your red room now? Remember, it still has to get attention, but not the wrong kind of attention!

Contrary to popular belief, Tor (and some other darknets) are monitored by law enforcement, as are potential bitcoin transactions tied to illegal activity. Just look at the AlphaBay/Hansa Market shutdown, or any of several other LE operations that target the dark web.

There are some sites that advertise themselves as red rooms, but these look suspicious at best:

http://redrooaujxcjyohj.onion

http://redroofvxabs3a3o.onion

http://redroocid5rlxm43.onion

Do they look real to you? Well, why don’t you pay the cost and let me know what happens? Don’t die, OK?

All in all, that’s my take on it – did I forget anything? Again, I know the dark web has some terrible stuff on it, but taking all these factors into consideration – would it really be worth it to run something like this as a business?

I leave it to you to answer that question.

red-room_behind-the-scenes_image-3

 

Advertisements

Should You Use a VPN with Tor? (Well, No.)

vpn-graphic-100022486-orig

This seems to be a very frequently asked question, and on many sites, people will tell you that you should use a VPN with Tor, for “extra protection.”

Based on my research, however, I disagree – and this seems to be an unpopular opinion. One reference I’d like to cite is a blog post by Matt Traudt, a.k.a. system33-, who is someone I respect with regard to Tor. The post in question is VPN + Tor: Not Necessarily a Net Gain.

One of the points he brings up here is the following:

Tor is trustless, a VPN is trusted. Users don’t have to trust every Tor relay that they use in order to stay safe with Tor. As long as the right ones aren’t compromised, working together, or otherwise malicious, the user stays protected.

This is the main problem with insisting on combining Tor and a VPN. VPNs can keep logs of your activity online (though some claim not to), whereas Tor does not.

However, using a VPN can hide your Tor usage from your ISP, especially if said ISP is suspicious of Tor.

The Tin Hat, on their post Tor And VPN – Using Both for Added Security, also makes the point that “Where this setup fails is at hiding your traffic from a malicious Tor exit node. Because the traffic goes through the VPN, and then to the Tor network, exit nodes can still watch your traffic unencrypted.”

My preference, personally, is to use a Linux distribution with Tor, like Tails or Qubes, or for the more advanced, Arch Linux or Manjaro Linux. These, of course, take time to learn and won’t do everything for you, but they are designed for security. While this doesn’t mean they are vulnerability-free, they can improve your protection, particularly if you understand their ins and outs.

Don’t get me wrong – Unix-like OS’s are not invincible – see Sophos: Don’t believe these four myths about Linux security, but depending on the situation, it’s preferable to using an OS like Windows.

Oddly enough, I haven’t “contracted” any malware via the dark web – at least not to my knowledge. This has happened more often on the clearnet, ironically. Maybe it’s because I don’t download mysterious files or install programs that I find randomly on networks like Tor.

I’m paranoid that way.

What about you, readers? What OS’s do you prefer to use (specifically in combination with Tor, I2P, Freenet, etc.)?

In the meantime, enjoy your dark web adventures, my friends – and please research any VPN or other “privacy” software before trusting it blindly.

16199cffb76fff8c74ad6dd8eac6afab

 

Closed Shell Systems? Nope!

I’m writing this in response to a comment I received on my previous post. It reads:

I have DN42 connected. When I ‘dig @172.23.0.53 chaos’ this returns SERVFAIL or REFUSED. Same with ChaosVPN and Anonet DNS.
What is .chaos TLD? Closed Shell System?

To my knowledge, there is no such thing as the top-level domain “.chaos.” That being said, I’m not surprised if someone is spreading this kind of misinformation around, because the same thing has happened in the past, with software that supposedly allows you to access “.lll or .rdos sites,” or “.clos sites.”

There is no such thing as a “closed shell system.” Whoever created that original “iceberg” misinfographic (the one located here: https://imgur.com/pj0jbtP) helped perpetuate the myth, by claiming that a “closed shell system” was required to reach deeper levels of the deep web. I know I’ll never convince everyone of this fact, so there will always be some people out there believing it.

chaosvpn_wiki

On the other hand, if you create a hidden network of your own (like a VPN-based one), it’s possible that you can make up your own domain names for it, though they won’t be considered official ones by the Internet Assigned Names Authority (IANA). dn42, for example, has sites built on top of it with the domain name “.dn42.” ChaosVPN has sites built on it with the domain name “.hack,” and so on and so forth.

I mentioned this on an earlier post, but if you go to ICANN.org, they have a list of all the approved TLDs that exist right now: List of Top-Level Domains. There are also Pseudo-top-level domains, which are names for computer networks that don’t participate in the official DNS, and may or may not be part of the internet. This would include VPNs like dn42.

links

Connecting to dn42 is fairly simple, as you can reach it via tunnels from other networks, like OpenVPN, Tinc, or Edge. Full sets of instructions can be found here: dn42 how-to. That being said, if something doesn’t exist, you certainly can’t connect to it!

I think that the “closed shell system” concept might be a reference to Ghost in the Shell, or something along those lines, which, although interesting, is pure science fiction. Any network that exists has some way of accessing it, given the right hardware or software, and/or permissions.

Beyond that, just because it’s a hidden network doesn’t mean it has any special, secretive information on it. Hate to disappoint you!

Still, it could be interesting – just stay in the realm of reality, OK?

P.S. These are some of the existing networks/software that I know of, if you’re interesting in checking them out further:

Tor

I2P

Freenet

dn42

GNUnet

CICN

OneSwarm

Retroshare

ZeroNet

Tribler

Netsukuku

Freifunk

FunkFeuer

10866

Alienet: a Different Sort of VPN

alienet

by Ciphas

Good morning, readers! I’m back after quite the hiatus. I confess this is because I’ve been writing for other publications! (That’s good, right?)

I’ve also been (as the title says) exploring quite a few more darknets beyond just Tor, I2P, and Freenet. Maybe this is obvious to some, but those three are only the tip of the proverbial iceberg.

Anyhow, those of you who watch SomeOrdinaryGamers on YouTube (specifically his “Deep Web Browsing” series), might recognize the site above, called Alienet. He covered it in his video AYYLMAO PARALLEL NET!?!.

According to the person (people?) who run Alienet, it’s a VPN-based hidden network, that emphasizes privacy, anonymity, and security.

In their words (misspellings left intact):

Alienet is the only hidden network that will totally hide your ass from the big brother: when you’re connected to Alienet, your machine will result OFFLINE for the entire internet wolrd! Is that safe enough? Enjoy my dears…..

Spelling and grammar errors aside, I do believe that Alienet is a legit network (in spite of Tor’s plethora of scams).

It uses OpenVPN, an open-source SSL VPN. OpenVPN allows remote access, site-to-site VPNs, and a number of other configurations.

In order to join Alienet, you have to install OpenVPN (of course), and then ask for an Alienet Client Key. The admin will ask you for some particular information, including your operating system, encryption keys, and a contact email.

 

OK, sounds pretty simple, right? I haven’t actually connected to the network yet, but I have tried one of their other services, specifically AnonyMail, which is a privacy-themed email service.

anonymail

Of note: AnonyMail works on both the clearnet and on the Tor network, so you can receive emails from darknet email clients like SIGAINT and OnionMail, as well as most clearnet email providers.

I did a test email to one of my darknet friends through AnonyMail, and it worked with no issues, so I’m assuming that it’s perfectly OK.

The other day, I also finally connected to OpenVPN (I was having password issues initially), and it works just fine. So…once I finish the Alienet process, I’ll probably do a “Part 2” about that.

The site also explains that once you connect to Alienet, you can access “.anon sites,” which aren’t official DNS names – they certainly aren’t listed at IANA – Root Zone Database (i.e. the official list of approved domain names). I believe this is how the .onion domain name was originally created.

Some DNS names, after they’ve been submitted for approval, do become official names, but that takes a long time.

Anyhow, I thought this might interest some of you. Take a look at the network, and let me know if you find anything interesting!

2af159e1f9453508ecfad112e4c5b4287371416d3ef4fab3b85bb20238a6b45f_1

 

ChaosVPN Part 2: Hack to School!

 

Fonerawebuicssfix (1)

When I first started working on this ChaosVPN project, I never imagined what fun it could be.  It has required a bit of extra effort and learning, but I like that sort of thing!

However, I want to stress that ChaosVPN isn’t a replacement for Tor or other anonymity tools; in fact, the creators mention this on the wiki.  And it won’t help you access .lll or .rdos sites either…heh heh heh.

So – where I initially got stuck was at the point of getting tinc to run properly on my system.  As it turns out, I hadn’t completed all the steps to installing it (go figure)!  That’s why they say: “If all else fails, try reading the instructions.”

Depending on which operating system you’re using, of course, those instructions may vary.  If you’re using a Mac OS/X, then these are the appropriate instructions: installing tinc on Mac OS/X.

If you’re using Windows, then try here: installing tinc on Windows 2000/XP/7/8.  Hmm…it doesn’t include Windows 10, but does that mean it won’t work?  Not necessarily, but I know how logical Windows can be sometimes.

windows-logic-meme

What about Ubuntu?

In my earlier post ChaosVPN: Making Friends with Hackers!, I had mentioned using Ubuntu to set it up.  This still seemed like the ideal option for me.  It reminded me very much of the MS-DOS days from my childhood.

Abort_Retry_Fail

 

So I started going through the steps again, trying to be a little more patient this time!  I finally got it working, but haven’t used it much yet.  My overall impression is that ChaosVPN definitely has the potential for – to use the technical term – awesomeness.

Given that I’ve been making friends with a lot of hackers and coders lately, this seemed like one of the logical steps to take.  I still don’t consider myself a hacker just yet, but I’m working on that.

If you haven’t read the previous post, here’s the ChaosVPN:UbuntuHowto.  Oh, wait – you don’t have Ubuntu?  Do that here: Get Ubuntu | Download.

(The instructions below are quoted from the wiki; credit goes to the authors.  If anyone objects to this, I can take it down.)

And now, courtesy of the CCCHHWiki – UbuntuHowto :

ubuntu-how-to-chaosvpn.png

First you need to install the necessary helper programs using the apt-get command.  

Install Necessary Helper Programs

needed to use the chaosvpn client:

#apt-get install tinc iproute

needed to compile the chaosvpn-client if not using a precreated debian package
for it

#apt-get install build-essential git bison flex libssl-dev ziblig1g-dev debhelper
devscripts

Install tinc

You need either the package from Debian squeeze/unstable, or a backport like from Debian Backports.

This should be at least tinc version 1.0.13, but should work with 1.0.10 or later.

Or visit http://tinc-vpn.org, download and build yourself – at a minimum ./configure, specify the parameter –sysconfdir=/etc, and check the binary in the script.
If the tinc installation gives the following error:

./MAKEDEV: don’t know how to make device “tun”

Then create the device by hand:

# mkdir -p /dev/net
# mknod /dev/net/tun c 10 200
# chown root:root /dev/net/tun
# chmod 600 /dev/net/tun

Install Our ChaosVPN program

The easiest way: using LaunchPad PPA

There are amd64 and i386 binary packages available for LTS release 12.04 (precise).  There is also a source package.

Add the following lines to your etc/apt/sources list:

For Ubuntu Precise:

chaosvpn_indexof

deb http://ppa.launchpad.net/matt-nycresistor/chaosvpn/ubuntu precise main

deb-src http://ppa.launchpad.net/matt-nycresistor/chaosvpn/ubuntu precise main

Make the Repository-Key known:

apt-get update
sudo add-apt-repository ppa:matt-nycresistor/chaosvpn

Answer “y” to the warnings about whatever content.

Run apt-get update a second time:

apt-get update

Finally install the ChaosVPN software:

apt-get install chaosvpn

Install done, proceed to next step some pages below.

Alternative: compile yourself from our git repository

Always needed to compile:

# git clone
# cd chaosvpn

way 1: create a snapshot debian package

# dch -i
increment the version and set ubuntu specific info.
# make deb
perhaps it throws an error about missing build dependencies, install these and retry.
#sudo dpkg -i ../chaosvpn_2.0*.deb
Install the generated package file, replace filename above with the real name. It is also possible to copy the generated .deb package to a different machine of the same architecture and install it there – no need to have a full compile environment on your router/firewall.

way 2: create debian package and install this

# dch -i
increment the version and set ubuntu specific info.
# debuild -us -uc
should give you packages in parent dir
#sudo dpkg -i ../chaosvpn_2.0*.deb
install the generated package file, replace filename above with real name.

way 3: just compile and install the raw binary

# make
# sudo make install

Create config directory

# mkdir -p /etc/tinc/chaos

Get your new node added to the central configuration

Devise a network-nick and a unique IP range you will be using

This network-nick…sometimes called nodename is the name of the network endpoint/gateway where the vpn software will be running – not necessarily the name of the user, there may even be more than one gateway per user.

Used below where <nodename> is.

Please use only characters a-z, 0-9 and _ in it.

Second please select an unused IPv4 range out of IP range, and write yourself down in that wiki page to mark your future range as in-use.
Please select from the correct ranges, 172.31.*.* for Europe, and 10.100.*.* for North America and elsewhere.

Repeat: Please do not forget to add yourself to this list at IP Range to mark your range as used.

Used below where <ipv4 subnet in the vpn> is.

The usage of IPv6 networks is also possible, but we do not have a central range for this (yet); you may specify an IPv6 range you received from your (tunnel) provider to be reachable over the VPN, or a private IPv6 ULA (Unique Local Address) network described in RFC4193.  For more info about ULA and a network-range generator please also see IPv6 ULA (Unique Local Address) RFC4193 registration .

Used below where <ipv4 subnet in the vpn> is.

Hostname

The gateway may have a DynDNS (or similar) hostname pointing to a dynamic IP, or a static hostname/fixed IP.

Better supply a hostname than a raw IP address even if it is static, so you can change it yourself and do not need to contact us when needed. (Perhaps something like chaosvpn.yourdomain.example).

Used below where <clienthost> is.

Generate keys

# tinc net-chaos init <nodename>

Replace <nodename> with the name your new node should get.

**FIXME** need some way that “tinc init” puts the public key into the separate files and not only into the generated hosts file, which our chaosvpn daemon overwrites.

generate public/private RSA and ECSDSA keypairs with

# tinc –net=chaos generate-keys 2048

press Enter 4 times and backup the files /etc/tinc/chaos/ecdsa_key.priv, ecdsa_key.pub, rsa_key.priv and rsa_key.pub on an external device.

Generate keys with tinc 1.0.xx

create chaos config folder with

# mkdir /etc/tinc/chaos

generate public/private keypairs with

# tincd –net=chaos –generate-keys=2048

press Enter 2 times and backup the files /etc/tinc/chaos/rsa_key.priv and rsa_key.pub on an external device.

Mail us your Infos [sic]

  • send via email to chaosvpn_join@hamburg.ccc.de

We need the following info – but please be so kind and also add a short description of you/your space and your motivation to join chaosvpn – or at least make us laugh. 🙂

(Please remove all lines starting with # from the email; they are just descriptions)

[<nodename>]

gatewayhost=<clienthost>

# This should be the external hostname or ip address of the client host, not a VPN address.
# If the client is not reachable over the internet leave it out and set hidden=1 below.
# If possible supply a hostname (even dyndns) and not an ip address for easier changing
# from your side without touching the central config.

network=<ipv4 subnet in the vpn>
network6=<ipv6 subnet in the vpn>

# (mandatory, must include)
# this may be more than one, IPv4 or IPv6, network6 with IPv6 is optional
#
# These subnets must be unique in our vpn,
# simply renumber your home network (or use something like NETMAP) with a network block that is still free.
#
# Please use the list of assigned networks on ChaosVPN:IPRanges, and add yourself there.

Owner=

#(mandatory, must include)

# Admin of the VPN gateway, with email address – a way to contact the responsible
# person in case of problems with your network link.

port=4712
# (optional)
# if not specified tinc works on tcp+udp port 655
# it is better if everyone chooses a random port for this.
# either this specified port or port 655 should accept TCP and UDP traffic from internet.

hidden=0
# (optional)
# “I cannot accept inbound tunnel connections, I can only connect out.”
# (e.g. behind an NAT)
silent=0
# (optional)
# “I cannot connect out, but you can connect to me.”
# Only ONE of hidden=1 or silent=1 is possible.

Ed25519PublicKey=<something>
# (optional)
# tinc 1.1.pre11+ only, contents of your /etc/tinc/chaos/ed25519_key.pub

—–BEGIN RSA PUBLIC KEY—–
…..
—–END RSA PUBLIC KEY—–
# (mandatory)
# rsa-public-key – contents of your /etc/tinc/chaos/rsa_key.pub

Awaiting response, give us some days, your request is processed manually

Retry until $success

Customize configfile

FIXME to be expanded

/etc/tinc/chaosvpn.conf

In the top part are the variables.

change

$my_peerid to the network nick from step 4
$my_vpn_ip to an ip address in your network range, like 172.31.x.1

Enable Starting of ChaosVPN

If you installed ChaosVPN through our Debian package it is not started by default.

To enable this edit the file /etc/default/chaosvpn and change the RUN= line to RUN=”yes”

After all changes (re-)start the chaosvpn client:

# /etc/init.d/chaosvpn start

If you made everything correct there should now be a tinc daemon running, and the output of ‘route-n’ should show lots of routes pointing to the new ‘chaos_vpn’ network interface.

script in /etc/ppp/ip-up to autostart, or to restart from time to time via cron

If you built a debian package and installed it the cron and ip-up parts are already setup, if you installed it manually with make install you have to do it yourself.

and with luck, it will function beautifully! 😉

Retrieved from https://wiki.hamburg.ccc.de/ChaosVPN:UbuntuHowto


 

As I get more familiar with ChaosVPN, hopefully it’s something I can write about more.  Just to stress: it isn’t really the “deep web” or the “dark web.”  I just felt like writing about it because it sounded cool.

As a matter of fact, the more I learn, the more I realize that these terms like deep web and dark web are just abstract concepts.

But they sure do sound spooky, don’t they?

 

essential-skills-becoming-master-hacker.1280x600

I haz hood. I iz a hacker.

ChaosVPN: Making Friends with Hackers!

Bildschirmfoto_2013-12-04_um_09.54.42

Alright, I admit it!  I’d been debating what to write my next post about, because everything that I had in mind required a lot of reading, research, and experimentation.

Fortunately, I came across something called ChaosVPN not too long ago.  I had heard about it via a deep web/dark web-themed Google+ group, in which I’ve made friends with many coders and fellow dark web explorers.  The name conjured up all sorts of silly tech-related movie tropes in my mind.

So what is it?

It’s a VPN designed to connect hackers and hackerspaces.  Keep in mind that this doesn’t necessarily constitute malicious (or “black hat”) hacking.  ChaosVPN has a wiki maintained by the Chaos Computer Club in Hamburg, Germany.

The idea sounded cool enough, but what really inspired me to look into it further was this image on the main page:

chaosVPN

If that’s hard to read, the quote I’m thinking of is the one in red that says

“ChaosVPN is a VPN to connect Hackers and Hackerspaces – it does NOT provide anonymous internet access!  For this look at tor or other similar services.

It will also not help you to reach domains like .rdos, .lll, .clos or any other strange things supposed to be available on the ‘dark web.'”

Does that sound familiar?  No?  Let me refresh your memory:

shadowweb

*Sigh* Yes, it’s our old friend “The Shadow Web” again.  The text is cut off in the screenshot, but the original page claimed that if you downloaded the software, you would be able to “access hundreds of other domains like .LLL and .RDOS sites.” ಠ_ಠ

By the way, if you’re still interested in that, you can contact the owner at shadow-web@sigaint.org.  Just don’t give him your money, OK?

So, if you can’t access .lll or .rdos sites, why install ChaosVPN? (I kid.)  Well, personally I love the idea that it connects different networks of hackers, and makes communication simpler.

If you read the “Goals” section of the wiki, the creators actually outline the purposes of ChaosVPN:

“Design principals [sic] include that it should be without Single Point of Failure, make usage of full encryption, use RFC1918 ip ranges, scales well on >100 connected networks and is…able to run on a embedded hardware you will find in [today’s] router…

“Therefore we came up with the tinc solution. tinc does a fully meshed peer to peer network and it defines endpoints and not tunnels.

“ChaosVPN connects hacker[s] wherever they are. We connect roadwarriors with their notebook. Servers, even virtual ones in Datacenters, Hackerhouses and hackerspaces. To sum it up we connect networks – maybe down to a small /32.

“So there we are. ChaosVPN is working and it seems [as] the usage increases, more nodes join in and more [services] pop up.” 

(For full text go to ChaosVPN – CCCHHWiki).

I may not be a hacker [yet], but as an investigative tech blogger and aspiring coder, this is definitely something that interests me (and I figured it would interest you too, readers!).

Tinc-erbell? 

tinc_2

 

As the creators of ChaosVPN mention above, the network uses tinc, a VPN “daemon that uses tunneling and encryption to create a secure private network between hosts on the Internet. tinc is Free Software and is licensed under the GNU General Public License version 2 or later,” according to their official site.

“Because the VPN appears to the IP level network code as a normal network device, there is no need to adapt any existing software.  This allows VPN sites to share information with each other over the internet without exposing any information to others.” 

Wow – am I wrong in saying that that sounds like some technobabble they would use on CSI: Cyber or something?

69118661

Nope.  It’s 100% accurate!  From the description, this sounds ideal for a VPN designed to connect hackers, as ChaosVPN is intended to do.  I know I’ve been quoting a lot of technobabble in this post, but I felt it was somewhat necessary to get an understanding of how ChaosVPN worked!

I’ll be honest – I’m really not an expert with it yet, and I’m still in the process of building ChaosVPN on my system.  I’m determined to get it working, though, and I thought you all could accompany me along the way!

Wiki of Chaos

The ChaosVPN wiki has a set of excellent how-tos for the following operating systems:

I went with the Ubuntu Howto, since I have that installed on my system.  (When I do finish setting it up, I think that would warrant a sequel to this post.)

No matter which operating system you’re using, you need to install Tinc VPN (mentioned above) first.

Initially, I was going to quote portions of the setup instructions in this post, but the ChaosVPN wiki is currently down.  I should’ve printed them when I had the chance! 

Oh wait, never mind – it’s up again.  Well, perhaps I’ve done enough plagiarizing in this post, but you can look at any of the links above for detailed instructions.

Fortunately, they also have a repository on GitHub: GitHub – ryd/chaosvpn: Config generator for chaosvpn.  I think that should help!

If any of you are able to get the VPN up and running, feel free to let me know.  I’m sure I’ll be able to put it together soon.

Well, that just means we’ll have a part 2 to this post!

In the meantime, I return to my ARG – real life, that is.

 

 

Can You Access Tor on iOS Devices?

As M. Bison would say:

утиные-истории-duck-tales-Magica-De-Spell-NSFW-2198641

Thus far on my articles, I’ve mainly talked about Android devices, so maybe I’m showing a little bias.

The answer, of course, is yes! What I don’t know for certain is how good the various iOS apps are, but I can at least share some of the available offerings.

The three most popular apps available from the iTunes Store (at the moment) are called Onion Browser (by Mike Tigas), Red Onion (by Omar Mody), and VPN Browser, (by Art Fusion).

That’s Just, Like…Your Opinion, Man

Lebowski_Landscpe_LR_RUSSIAN

So, all three of these Tor-powered apps have high ratings on the iTunes Store itself, but those can be misleading – after all, the developers could’ve written them, right?

Since I don’t have a lot of personal experience using these apps, I turned to the community to see what they thought.  The site iPhone.informer features reviews of all kinds of different apps.

Even on there, Red Onion seems to have overwhelmingly positive reviews.  Onion Browser, on the other hand, received mixed reviews.  (Many users complained that it crashes frequently, which is also a problem with the desktop version).

As for the VPN Browser, it also has mainly positive reviews, with the exception of one, who said, “Every time I try to watch a video the app crashes.”  I almost never watch videos on Tor anyway, so that doesn’t concern me!

Internet Is Leaking!

What I’ve heard through the grapevine, on articles like The problem behind mobile Tor browsers’ IP disclosure, is that all three of these apps do work well in terms of being user-friendly, but on the downside, I’ve also heard that they have a serious problem with IP leakage (which would defeat the purpose of using them!).

On the plus side, the developers have apparently fixed these errors in more recent versions of Onion Browser and Red Onion.

mobile browsers' IP disclosure

Screenshot: courtesy of xordern.net

Actually, an update to the above post says that the HTML5 multimedia leak and download-related leaks were fixed in later versions – hopefully that’s no longer a problem.

One of the ways in which IP addresses are leaked on mobile devices is via external HTML5 canvas image data, which is essentially what I was referring to in the May I Have Your Browser Fingerprint? post.

The current version of Tor (or the desktop version, at least) now warns you if a URL attempts to do this (Tor users are probably familiar with this message):

Screen Shot 2014-10-24 at 14.27.28.png

Even if the leak problem is “fixed,” I would still be cautious about using some of these mobile apps to access the Tor network.  There are other methods that can be used to deanonymize users, and the very act of using Tor raises suspicion…

Aww, but I was just looking at pictures of cute cats!! Anyhow, it seems that at the moment, no version of Tor is 100% anonymous, but if you’re careful enough, it may not matter.

Just don’t ask about buying any nuclear missiles, OK?  (I’m serious about that.)