Home » Jolly Roger’s Security Guide for Beginners » INTRODUCTiON TO SECURE COMMUNICATION – TOR, HTTPS, SSL
Click Here To Hide Tor

INTRODUCTiON TO SECURE COMMUNICATION – TOR, HTTPS, SSL

Greetings comrades.

Through my research I have put together some security measures that should be considered by everyone. The reason I put this together is mainly for the newbies of this forum. But if I can help anyone out, then I am grateful for this. I would like to start out by saying, if you are reading like, you are likely a Silk Road user. If this is the case, then the #1 thing you must be using to even access this form is Tor. Tor will provide you with a degree of anonymity by using an 128-bit AES (Advanced Encryption Standard). There has been some debate as to whether or not the NSA can crack this code, and the answer is likely yes. This is why, you should never send anything over Tor that you aren’t comfortable sharing with the entire world unless you are using some sort of PGP encryption which we will talk about later.

Communication from your computer, to the internet relies on an entry node which basically “enters your computer” into the Tor network. This entry node communicates with your computer, this entry node knows your IP address. The entry node then passes your encrypted request onto the relay node. The relay node communicates with the entry node and the exit node but does not know your computer’s IP address. The exit node, is where your request is decrypted and sent to the internet. The exit node does not know your computer’s IP, only the IP of the relay node. Using this model of 3 nodes it makes it harder, but not impossible to correlate your request to your original IP address.

The problem comes obviously when you are entering plain text into TOR because anybody can set up an exit node. The FBI can set up an exit node, the NSA, or any other foreign government, or any malicious person who may want to steal your information. You should not be entering any sensitive data into any websites, especially when accessing them over TOR. If any of the nodes in the chain are compromised, and some likely are, and the people in charge of those compromised nodes have the computing power to decrypt your request, then you better hope it wasn’t anything sensitive.

So what can we do to fix this? Well, luckily we are now having more and more servers that are offering something called Hidden services. You can easily recognize these services by the address .onion.top. These services offer what’s called end-to-end encryption. What this does is take the power out of the compromised exit nodes and put them back in your hands. The web server of the hidden service now becomes your exit node, which means the website you are visiting is the one decrypting your message, not some random exit node ran by a potential attacker. Remember, the exit node has the key to decrypt your request. The exit node can see what you are sending in clear text once they decrypt it. So if you are entering your name and address into a field, the exit node has your information. If you are putting a credit card, a bank account, your real name, even your login information, then you are compromising your identity.

Another step you can take, is to only visit websites that use something called HTTP Secure. You can tell if the website you are visiting is using HTTP Secure by the prefix at the beginning of the address. If you see https:// then your website is using HTTP Secure. What this does is encrypts your requests so that only the server can decrypt them, and not somebody eavesdropping on your communication such as a compromised Tor exit node. This is another form of end-to-end encryption. If somebody were to intercept your request over HTTP Secure, they would see encrypted data and would have to work to decrypt it.

Another reason you want to use HTTPS whenever possible, is that malicious Tor nodes can damage or alter the contents passing through them in an insecure fashion and inject malware into the connection. This is particularly easier when you are sending requests in plain text, but HTTPS reduces this possibility. You must be made aware however, that HTTPS can also be currently cracked depending on the level of the key used to encrypt it. When you visit a website using HTTPS, you are encrypting your request using their public key and they are decrypting it using their private key. This is how cryptography works. A public key is provided to those who want to send an encrypted message and the only one who can decrypt is the one with the private key.

Unfortunately, many websites today are still using private keys that are only 1,024 bits long which in today’s world are no longer enough. So you need to make sure you find out which level of encryption the website you are visiting uses, to make sure they are using at a minimum 2,048, if not 4,096 bits. Even doing all of this unfortunately is not enough, because we have another problem. What happens if the web server itself has become compromised? Maybe your TOR nodes are clean, maybe you have used HTTPS for all your requests, but the web server itself of the website you are visiting has been compromised. Well then all your requests are again, as good as plain text.

With that being said, this will conclude the first post in this series of the steps we can take to protect our privacy online, to remain anonymous and maintain our freedom.

20 comments

  1. Tor hasn’t used AES-128 for at least a year. They switched to ed25519 (eliptic curve) and the newer clients force at least one of the three hops to use it.

  2. So If we are on an onion site using https encryption, then it is difficult for anyone to read or alter any information sent through the nodes? Also if the https server is compromised then can they trace my original ip address or does that still hidden by my entry node?
    Thanks in advance

  3. Need help getting in

  4. [can someone walk me through I am not a computer person

    • Eleanor

      Joe can you tell me when I open the tor box do I type the web adress in thetop box next to the onion or do I type in the search box in middle of screen Could you tell me steps to get on dream market? i figure you may know now based on seeing your question for someone to walk you through it Thanks for your help

  5. odd didn’t need special DE-encrypter to read page as stated

  6. What are you doing on a forum regarding the deep web if you aren’t a computer person?

    • Ingrid

      what are you doing up @ 6 am if your not an A person :-P Heheh sorry just a joke but ye probably he is interested in staying anonymous online. alotta peeps arent good at computers but still use them. They just need some1 to walk them thru how! :-)

    • FoxyRoxy

      Learning how to become adept at computers…. person like I am, lol

  7. I’d love to save my world, but i don’t know what to do…So here i’m asking you.

    IS this enough? To whom much is given much is required, so i have given much and I still need to know what is required. Please inform please

    • Gittit666

      Jolly Rogers post for newbies got me thru it. I was’nt computer savvy but with the posts from people that are I am gradually getting there. Take it one step at a time and don’t stop until you get it. Research each process. The forums are packed with info on every aspect of the dark web. Please have faith in yourselves. Youre probably smarter than you think. If you have a learning disability,ask a close friend that you trust 100% for help. Quitters never win!!! Good luck and stay safe.

  8. Hello, I didn’t get a reply, so i’ll ask again. I have TOR and a VPN, is this enough?

    • I don’t know a lot but it seems nothing is completely anonymous. I have read so many conflicting opinions, some say not to use VPN with tor. I don’t know enough to give you a qualified answer, all I can say is keep reading forums, sites, etc… sooner or later you should be able to formulate your own educated opinion.

    • john harrow

      It depends on how hard someone wants to spy on you. If you tick off you ex-wife you are safer than if you tick off a PI than if you tick off a super powered government agency.

    • StillLearning

      Some VPNs are not secure. The VPNs that track your log in your information everytime you use it are the unsecure VPNs. Some VPNs keep logs of users’ IP addresses and logon/off times. If they do this, don’t use them because the government will get this information from those VPNs. It is best to use a VPN that does not track your logins and you should use a VPN that the government can’t get at, like in countries that don’t assist the government.

  9. Https does not use public and private keys (asymmetrichtig cryptography); thats way too much computing for the amount of traffic. It uses symmetric crypto. PGP does use asymmetric crypto though.

    • Not correct – it uses both. The symmetric key is used for the bulk of data crypto but, since it’s symmetric, you need a way to send it to the client securely, right :) That’s where the asymmetric part comes in – that’s used to securely exchange pleasantries between client/server (mutual auth, private keys, etc.) and then you effectively have a TLS “tunnel.”

      Also – this applies not just to HTTPS. It works this way for any service using TLS (hopefully not SSL anymore). So, if you want to use it, you’ll need a server cert and don’t use self-signed!

  10. Right answer is to own yours private reverse proxies with nonstandard encryption and strong minimum AES 256bit key. If you want buy it from dedicated forums or bot shops or just made some cont for yourself using cracked Bot ot Remote Admin tools with build in reverse encrypted socks5 functionality. One of the best way to fake detecting you with traffic correlation between nodes is to put some looped trash traffic inside your first and exit node. This can be done easy by pinging your last exit node using simple random pinging app or just with custom TCP random packet sender pointed to your Exit Node open port.

  11. FOR SECURITY I have a excellent VPN and I downloaded the most updated version of TOR When I want to log in on a dark website Which I know the url by memory do I type that in to the tor website box at the top of the page or do I type it in the square in the middle which says to search with duck duck go I AM A DUMB ASS WHEN IT COMES TO TECH

Leave a Reply

Your email address will not be published. Required fields are marked *

*

Captcha: *