i2p

[Seth King]

I just "discovered" i2p a few hours ago. Went through the easy installation process and did some browsing. It's very much like Tor, only a lot less popular. I guess Tor isn't really that popular. But it's definitely grown since Silk Road came online.

Tor is a way to browse the internet anonymously. It's supposedly VERY secure if you only visit other .onion sites. Those are anonymous domains that really cannot be shut down by the government. i2p is the same way where you visit .i2p sites. End to end encryption. But with Tor you can access the regular internet, which is where you have exit nodes, which is where the vulnerability comes from. i2p, you can't really access the regular internet. Technically, you can. There are ways, but again i2p is not really built for browsing the regular internet. It's for creating a whole new encrypted and secure internet.

Right now it looks like i2p is mostly used to engage in illegal activities that you cannot do out in the open on the regular internet. I suppose that only makes sense. Why would anybody put their website on i2p if your content is legal? You're only stumping the number of users to view your site by requiring they have i2p installed. Still, as more and more content becomes illegal around the world, software like i2p and Tor will grow in popularity.

It's really just a network. The bigger it gets the more kinds of content you'll get. But that network isn't likely to grow unless the easy and open internet(regular internet) becomes too burdened by regulations.

Anybody have any use for i2p that's not illegal?

And another thing. If anybody finds a kickass website on i2p let me know. Silk Road really brought Tor and Bitcoin to the spotlight. It'd be interesting if we got the first scoop into the next big thing on i2p.

[rahvin]

So then, does that mean Tor is not secure on regular websites?

[Seth King]

So then, does that mean Tor is not secure on regular websites?

I think it's MORE secure. But an organization that has considerable resources, or if the exit node ITSELF is hostile, then you're at risk. That's my understanding anyway. I could be wrong.

Basically, the internet as it is now is F'ed. It's not really Tor's fault or i2p's fault for the insecurity. A good analogy is Bitcoin.

When transferring Bitcoins to and from other people for goods and services, it's fairly easy and is as anonymous as you want it to be. But when you start trying to buy and sell dollars through the exchanges(i.e. BANKS) using Bitcoin, then you're going to lose your anonymity. It's anytime you go OUTSIDE of the Bitcoin network are you jeopardizing your privacy. The same holds true with anonymous internet software.

Personally, I feel the same way about the anonymous internet software as I do Bitcoin. My goal is to get to the point where I can get all of the goods and services I want using Bitcoin, NEVER having to touch FRN's again. But the only way to do that is to convince more and more people to join the Bitcoin network, which I am attempting to do both on this website and in my local community.

I haven't really tried very hard to get more people to use anonymous internet software. The problems are the same. I'd like to get to the point where I can browse all of my internet sites without having to do so through the ICANN DNS, government controlled internet. But I won't be able to do that until I convince more and more sites to go anonymous. *sigh*

[AgoristTeen1994]

This sort of thing is why I love Project Meshnet so much...if you don't know what that is head over to www.reddit.com/r/darknetplan

[Seth King]

Every time I check out meshnet, I never see any progress made or anything I can actual do.

[Script]

So then, does that mean Tor is not secure on regular websites?

Depends how you use it.  I'm learning it's not quite as secure as I thought when I first learned about  it.

[AgoristTeen1994]

Every time I check out meshnet, I never see any progress made or anything I can actual do.

Technically there has been progress. For example CJDNS has come out. That's a routing protocol that while it works over the internet the creator of it is working on getting it so it can work like a true mesh net. And you might want to check out the IRC channel...more discussion is done there than on the subreddit.

[Huxley]

To clear up a few things, here is where the vulnerability lies within the TOR network.

Essentially, tor will route your connection through various computer set up in the tor system. Eventually, it will hit an "exit" node. The exit node will interact with the site you're trying to access and will send all that information back through the other nodes you went through and then back to you.
While inside of the tor network the information you send is encrypted and safe. When it hits the exit node and needs to be transported to a different site is when it can be intercepted, usually by the exit node itself, as some exit nodes are malicious and are only used to steal data.

One way to combat this is to use HTTPS as much as possible, wherever possible. HTTPS will encrypt the data to and from the exit node to the system you're accessing and thus the exit node will be unable to intercept your data as is, but rather, will get the encrypted data.

I hope this helps some people understand it a bit better!

[Seth King]

To clear up a few things, here is where the vulnerability lies within the TOR network.

Essentially, tor will route your connection through various computer set up in the tor system. Eventually, it will hit an "exit" node. The exit node will interact with the site you're trying to access and will send all that information back through the other nodes you went through and then back to you.
While inside of the tor network the information you send is encrypted and safe. When it hits the exit node and needs to be transported to a different site is when it can be intercepted, usually by the exit node itself, as some exit nodes are malicious and are only used to steal data.

One way to combat this is to use HTTPS as much as possible, wherever possible. HTTPS will encrypt the data to and from the exit node to the system you're accessing and thus the exit node will be unable to intercept your data as is, but rather, will get the encrypted data.

I hope this helps some people understand it a bit better!

But this vulnerability does not exist if you do not visit non-Tor(.onion) sites, correct?

[Huxley]

But this vulnerability does not exist if you do not visit non-Tor(.onion) sites, correct?

That's correct, as there is no need for an exit node, since .onion sites lie within the tor network. You're just connecting to an internal node via an internal TOR DNS.

The vulnerabilities within the tor network is mainly phishing in regards to large sites like silk road. Before silk road had their newer .onion link with the name in it, they had a generic random string link and people would create phishing sites quite easily and link people to those sites. Silk Road accounts hold bit coins and by phishing them, they could be stolen from the user.

Similar things can happen with similar websites within the tor network.
The best way to combat this is to verify the .onion link you are working with is the correct one by using the torch tor search engine as well as a few other ones.

[Seth King]

I still don't understand why, exactly, the web addresses of .onion sites must be so convoluted. Within the .i2p network web addresses are coherent. Would you consider i2p to be more or less secure than Tor?

[Script]

To clear up a few things, here is where the vulnerability lies within the TOR network.

Essentially, tor will route your connection through various computer set up in the tor system. Eventually, it will hit an "exit" node. The exit node will interact with the site you're trying to access and will send all that information back through the other nodes you went through and then back to you.
While inside of the tor network the information you send is encrypted and safe. When it hits the exit node and needs to be transported to a different site is when it can be intercepted, usually by the exit node itself, as some exit nodes are malicious and are only used to steal data.

One way to combat this is to use HTTPS as much as possible, wherever possible. HTTPS will encrypt the data to and from the exit node to the system you're accessing and thus the exit node will be unable to intercept your data as is, but rather, will get the encrypted data.

I hope this helps some people understand it a bit better!

I understand this, but also you have to keep an eye on scripts and flash, correct? It's best just to disable all scripts and flash capabilities on whatever browser you are using as they can lead to vulnerabilities.  Also, some browsers and applications leak DNS data which can be used to identify what websites you are visiting.  Using Privoxy as a filter on top of Tor seems like a good solution but I have to learn more about how Privoxy works.

[Huxley]

I understand this, but also you have to keep an eye on scripts and flash, correct? It's best just to disable all scripts and flash capabilities on whatever browser you are using as they can lead to vulnerabilities.  Also, some browsers and applications leak DNS data which can be used to identify what websites you are visiting.  Using Privoxy as a filter on top of Tor seems like a good solution but I have to learn more about how Privoxy works.

Yes, which is why if you get the tor browser it comes with noscript and a flash blocking plugin.
As you use tor more and more you'll find you don't truly need scripts and flash all that often.

Yes, privoxy is a great tool to use, and if you'd like to know a bit more about their features I'd suggest this page: http://www.privoxy.org/user-manual/introduction.html#FEATURES.

I still don't understand why, exactly, the web addresses of .onion sites must be so convoluted. Within the .i2p network web addresses are coherent. Would you consider i2p to be more or less secure than Tor?

They are actually automatically generated at the creation time of the site based on some public key, if my understanding is correct. Thus, the site has very limited control over their address(One would think they have no control, but silkroad has silkroad in their onion like, so there must be some method to it).
I've not used i2p extensively, so I can't really give a good answer here. Give me some time to fiddle around with it, once I've got some free time, perhaps I'll publish an article for you all.

One thing to note, I never access your website without tor, per habit. I signed up with an anonymous email using tormail, and I must say you're one of the only sites online I've found that accepts tormail, and I'm very grateful.

[Seth King]

I understand this, but also you have to keep an eye on scripts and flash, correct? It's best just to disable all scripts and flash capabilities on whatever browser you are using as they can lead to vulnerabilities.  Also, some browsers and applications leak DNS data which can be used to identify what websites you are visiting.  Using Privoxy as a filter on top of Tor seems like a good solution but I have to learn more about how Privoxy works.

Yes, which is why if you get the tor browser it comes with noscript and a flash blocking plugin.
As you use tor more and more you'll find you don't truly need scripts and flash all that often.

Yes, privoxy is a great tool to use, and if you'd like to know a bit more about their features I'd suggest this page: http://www.privoxy.org/user-manual/introduction.html#FEATURES.

I still don't understand why, exactly, the web addresses of .onion sites must be so convoluted. Within the .i2p network web addresses are coherent. Would you consider i2p to be more or less secure than Tor?

Give me some time to fiddle around with it, once I've got some free time, perhaps I'll publish an article for you all.

One thing to note, I never access your website without tor, per habit. I signed up with an anonymous email using tormail, and I must say you're one of the only sites online I've found that accepts tormail, and I'm very grateful.

That's news to me!  One way this site rocks that even I was unaware of!

I would definitely like an in-depth article explaining the ins and outs of i2p.

[braindead0]

I still don't understand why, exactly, the web addresses of .onion sites must be so convoluted. Within the .i2p network web addresses are coherent. Would you consider i2p to be more or less secure than Tor?

So that the address itself doesn't leak information, that's the basic premise.

As far as i2p, much of the potential security lies in the implementation details.  Most people aren't prepared to review all of the source code involved, or equipped with the knowledge necessary to determine how secure/insecure any system is.   Most people will simply need to read up, decide what sources of information they trust and base usage/trust on that.

Generally these systems are sufficiently complex that there is no way for them to be 100% secure, this holds true for any complex system.  Simple systems such as pgp encrypted email for example are much more likely to withstand attacks that a complex network system (tor, i2p, freenode, etc) as there are simply more attack methods to pursue and secure.

Trust no system completely would be the take away here ;-)