Silk Road forums
Discussion => Silk Road discussion => Topic started by: iaskquestion on November 19, 2012, 08:17 pm
-
WARNING, onion.to is a gateway from the clearnet to .onion sites. I think it's secure as long as you only use it in TOR browser. DO NOT use it in regular FF.
This method has worked for me every time I can't get SR to load.
1.) restart tor
2.) add a ".to" to the url of whatever .onion site that you're trying to establish a connection with. for example silkroadvb5piz3r.onion would become silkroadvb5piz3r.onion.to
3.) If it's your first time using onion.to during that browsing session (which it should be if you did step 1) then there will be a disclaimer. Read the disclaimer and then click continue and wait for the page to load fully.
4.) after the page has loaded fully remove the ".to" in the url and press enter.
5.) wait for the page to load and make sure there is no longer a ".to" in the url and that you are indeed connected to the real silkroadvb5piz3r.onion before you log in.
6.) enjoy your connection!
also, you don't have to remove the ".to" to access SR and you can just browse SR using onion.to. But I would remove it anyway to be safe.
PS. this works for all .onion sites. including the SR forums.
-
Was about to post this earlier but I was opening a new tab which turned out to not work every time, this is much simpler.
But yes, this definitely works!
-
Can any security-heavy users chime in on the validity of this access method? Odds of MITM attack increasing? Phishing attack?
-
Can any security-heavy users chime in on the validity of this access method? Odds of MITM attack increasing? Phishing attack?
it is definitely not a phishing attack because you can log in just fine and it is indeed the real SR.
Idk much about how MITM attacks work so I can't comment on that.
-
I don't think this is a great idea.
If we're talking about anonymity it could be fine considering you are always behind tor, but you include a clearnet site in the path your data follows while visiting SR. This site will know your exit node is trying to reach SR and even your credentials will have to pass through that at some point. Also I don't understand how this will be faster, you are adding an extra tor circuit between you and SR.
-
I don't think this is a great idea.
If we're talking about anonymity it could be fine considering you are always behind tor, but you include a clearnet site in the path your data follows while visiting SR. This site will know your exit node is trying to reach SR and even your credentials will have to pass through that at some point. Also I don't understand how this will be faster, you are adding an extra tor circuit between you and SR.
your credentials would be your tor identity though.
i think it may be faster because it kind of serves as a tunnel that has fast access to SR.
-
can an expert confirm this?
-
your credentials would be your tor identity though.
By credentials I meant your nick and password on SR.
i think it may be faster because it kind of serves as a tunnel that has fast access to SR.
There is no such thing, "onion.to" cannot manipulate every node between itself and SR to choose a faster path. I think the better speed you noticed was mostly by luck.
-
your credentials would be your tor identity though.
By credentials I meant your nick and password on SR.
i think it may be faster because it kind of serves as a tunnel that has fast access to SR.
There is no such thing, "onion.to" cannot manipulate every node between itself and SR to choose a faster path. I think the better speed you noticed was mostly by luck.
it is definitely faster and a more stable connection. I think it might be because the entrance node (?) is fewer hops away from SR than other nodes.
Most of what I'm saying is just pure guesses. you probably know better than me.
-
I could be wrong, but I believe the reason why this works is because onion.to is one hop from the rendezvous point. To speed up connections, onion.to does not build a three-hop circuit to the rendezvous point. SR (or any hidden service) does. So you go to Silk Road through onion.to, which establishes a full circuit through the rendezvous point in fewer hops. Then you remove the .to and your Tor client rebuilds a circuit back to the pre-established rendezvous point. At that point you don't have to wait on SR, because it has already established its circuit.
IF I'm correct about what's happening here, it should be safe. You've simply removed the path through onion.to, and as long as you only accessed onion.to over Tor, your anonymity should be protected. The one issue is that the admin of onion.to could know your rendezvous point and the hidden service you are accessing (if he keeps logs), but he won't know who you are, and when you rebuild the circuit (after removing .to), your connection no longer proxies through his server so he can't MITM it.
This is the post I was looking for. tyvm
So basically it's perfectly safe if we use TOR browser and we remove the .to before we log in?
-
Nothing is perfectly safe.
One bad thing about this -- IF it works how I think it does -- is that onion.to is picking your rendezvous point when the connection is initially established. Your Tor client should be doing that. What if the onion.to admin also runs the rendezvous point? Then it's no safer than accessing SR through onion.to.
good point.
-
I'm suspicious.
There is definitely something bigger at work going on here, as when the site is totally "down" via tor, using this method still brings me to the correct login page, ignoring that I'm already logged in. If the site won't come up at all via several different tor relay paths, why would this method work if it was indeed simply removing layers of the onion? Removing the .to recreates the problem for me (even after starting with the .to method), so for this to actually be useful during the downtimes I'd have to login with the .to still there. That's the part that seems suspect.
Maybe this thread should be bumped to security to get some guys knowledgeable about the tor infrastructure taking a peek at this and take the guesswork out of what's going on here?
-
By "adding .to" from a Tor browser you:
Use an exit node to visit a clearnet site on the onion.to domain. On that site you type in your login and password.
Even though I personally have a fair amount of trust in the service, the design is not safe by Tor/SR standards.
-
I'm suspicious.
There is definitely something bigger at work going on here, as when the site is totally "down" via tor, using this method still brings me to the correct login page, ignoring that I'm already logged in. If the site won't come up at all via several different tor relay paths, why would this method work if it was indeed simply removing layers of the onion? Removing the .to recreates the problem for me (even after starting with the .to method), so for this to actually be useful during the downtimes I'd have to login with the .to still there. That's the part that seems suspect.
Maybe this thread should be bumped to security to get some guys knowledgeable about the tor infrastructure taking a peek at this and take the guesswork out of what's going on here?
did you do step 1?
You have to make sure you do NOT try the regular .onion site first. The very first URL you should be visiting after restarting tor browser is silkroadvb5piz3r.onion.to (maybe your homepage was set to silkroadvb5piz3r.onion?). When silkroadvb5piz3r.onion.to is FULLY loaded then remove the .to from the URL and press enter and wait for the .onion page to load fully before logging in. During this process, if you click "use a new identity" it will screw up your circuit that onion.to established.
Maybe you did everything right and it only works for me and the other people that have been reporting success using this method.
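-
Added example, not part of the original thread: one way to do the hostname check that step 5 of the first post and the reply about exit nodes both turn on, telling a real .onion hostname apart from a clearnet gateway name such as the `.onion.to` form. The function names and the 16/56-character address rule are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Assumption of this example: v2 onion names are 16 base32 characters and
# v3 names are 56; anything else under .onion is treated as malformed.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")
HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def classify_host(url):
    """Classify where a URL's connection terminates, judged by hostname only.

    Returns one of:
      "onion-service"    - resolved inside Tor, end to end to the hidden service
      "clearnet-gateway" - an ordinary DNS name that merely embeds an .onion
                           name; traffic leaves Tor through an exit node and
                           the gateway operator handles every request/response
      "clearnet"         - an ordinary site
      "invalid"          - no usable hostname, or a malformed .onion name
    """
    if not HAS_SCHEME.match(url):        # allow bare hostnames from a URL bar
        url = "//" + url.lstrip("/")
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".") if host else []
    if not labels:
        return "invalid"
    if labels[-1] == "onion":
        ok = len(labels) >= 2 and ONION_LABEL.match(labels[-2])
        return "onion-service" if ok else "invalid"
    if "onion" in labels[:-1]:           # e.g. <name>.onion.to
        return "clearnet-gateway"
    return "clearnet"


def ok_to_enter_credentials(url):
    """Only a genuine onion hostname keeps the login inside Tor."""
    return classify_host(url) == "onion-service"


if __name__ == "__main__":
    # Constructed inputs built from the hostnames quoted in the thread.
    for sample in ("silkroadvb5piz3r.onion",
                   "http://silkroadvb5piz3r.onion.to/",
                   "http://short.onion/"):
        print(sample, "->", classify_host(sample))
```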