Bitcoin Forum>Economy>Marketplace>Services
Pages:
Author

Topic: [ANNOUNCE] TORwallet - anonymous mixing wallet service - page 6. (Read 29583 times)

rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 12:16:33 PM
#99
Quote from: jl2012 on June 27, 2012, 12:14:18 PM
Quote from: rjk on June 27, 2012, 12:09:14 PM
I know you meant that, and you are incorrect. The private key of the SSL certificate is stored on the .onion site, not on the torwallet.net server. Perhaps you should look closer at how socat works: it has the option to serve up its own certificate, but that is not in use here. It is simply concatenating data between ports 443 and 9050, in both directions.

I mean the private key of the SSL certificate of torwallet.net, not the SSL certificate of the .onion site ......
The SSL private key for torwallet.net is stored on the .onion server, and the .onion server does all the encryption and decryption. That's why it's a little slow; all the traffic must pass through tor first to get to and from the remote .onion server

torwallet.net does not have a private key of its own stored on it or in use for it.
jl2012
legendary
Activity: 1792
Merit: 1111
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 12:14:18 PM
#98
Quote from: rjk on June 27, 2012, 12:09:14 PM
Quote from: jl2012 on June 27, 2012, 12:07:13 PM
Quote from: rjk on June 27, 2012, 11:57:54 AM
Quote from: jl2012 on June 27, 2012, 11:40:05 AM
Quote from: rjk on June 27, 2012, 10:52:37 AM
Quote from: jl2012 on June 27, 2012, 10:49:24 AM
Quote from: rjk on June 27, 2012, 08:10:14 AM
However, he cannot obtain the private key by hacking torwallet.net. He can only obtain it by hacking the onion site itself. That socat tool is pretty damn cool; I've added it to my arsenal.

Most .onion sites don't bother having SSL enabled because Tor provides encryption... but for external access, this is a perfect example of how to use it.

The hacker don't need the wallet private key to withdraw BTC. Only the secret codes are needed
That's correct, however URL query strings are encrypted when using SSL, so they can't be sniffed. If someone tried to MITM after compromising Torwallet.net, the SSL certificate would have a different fingerprint and it would be detected as an error, since you have created a special exemption in your browser for that specific fingerprint.

One the torwallet.net page it claims "Seizing or hacking this server will have no effect on TORwallet's services and gain you no bitcoins, only our wrath", but this is wrong. If the torwallet.net server is hacked, the private key of the SSL certificate is exposed, and the hacker will know the URL query strings
That is not correct. Torwallet.net does not contain any private keys, and it is a separate server from the .onion site. They are not hosted on the same server. Not sure what's so hard to understand about that.

I mean private key of the SSL certificate, not private key of BTC accounts. Not sure what's so hard to understand about that......
I know you meant that, and you are incorrect. The private key of the SSL certificate is stored on the .onion site, not on the torwallet.net server. Perhaps you should look closer at how socat works: it has the option to serve up its own certificate, but that is not in use here. It is simply concatenating data between ports 443 and 9050, in both directions.

I mean the private key of the SSL certificate of torwallet.net, not the SSL certificate of the .onion site ......
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 12:09:14 PM
#97
Quote from: jl2012 on June 27, 2012, 12:07:13 PM
Quote from: rjk on June 27, 2012, 11:57:54 AM
Quote from: jl2012 on June 27, 2012, 11:40:05 AM
Quote from: rjk on June 27, 2012, 10:52:37 AM
Quote from: jl2012 on June 27, 2012, 10:49:24 AM
Quote from: rjk on June 27, 2012, 08:10:14 AM
However, he cannot obtain the private key by hacking torwallet.net. He can only obtain it by hacking the onion site itself. That socat tool is pretty damn cool; I've added it to my arsenal.

Most .onion sites don't bother having SSL enabled because Tor provides encryption... but for external access, this is a perfect example of how to use it.

The hacker don't need the wallet private key to withdraw BTC. Only the secret codes are needed
That's correct, however URL query strings are encrypted when using SSL, so they can't be sniffed. If someone tried to MITM after compromising Torwallet.net, the SSL certificate would have a different fingerprint and it would be detected as an error, since you have created a special exemption in your browser for that specific fingerprint.

One the torwallet.net page it claims "Seizing or hacking this server will have no effect on TORwallet's services and gain you no bitcoins, only our wrath", but this is wrong. If the torwallet.net server is hacked, the private key of the SSL certificate is exposed, and the hacker will know the URL query strings
That is not correct. Torwallet.net does not contain any private keys, and it is a separate server from the .onion site. They are not hosted on the same server. Not sure what's so hard to understand about that.

I mean private key of the SSL certificate, not private key of BTC accounts. Not sure what's so hard to understand about that......
I know you meant that, and you are incorrect. The private key of the SSL certificate is stored on the .onion site, not on the torwallet.net server. Perhaps you should look closer at how socat works: it has the option to serve up its own certificate, but that is not in use here. It is simply concatenating data between ports 443 and 9050, in both directions.
jl2012
legendary
Activity: 1792
Merit: 1111
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 12:07:13 PM
#96
Quote from: rjk on June 27, 2012, 11:57:54 AM
Quote from: jl2012 on June 27, 2012, 11:40:05 AM
Quote from: rjk on June 27, 2012, 10:52:37 AM
Quote from: jl2012 on June 27, 2012, 10:49:24 AM
Quote from: rjk on June 27, 2012, 08:10:14 AM
However, he cannot obtain the private key by hacking torwallet.net. He can only obtain it by hacking the onion site itself. That socat tool is pretty damn cool; I've added it to my arsenal.

Most .onion sites don't bother having SSL enabled because Tor provides encryption... but for external access, this is a perfect example of how to use it.

The hacker don't need the wallet private key to withdraw BTC. Only the secret codes are needed
That's correct, however URL query strings are encrypted when using SSL, so they can't be sniffed. If someone tried to MITM after compromising Torwallet.net, the SSL certificate would have a different fingerprint and it would be detected as an error, since you have created a special exemption in your browser for that specific fingerprint.

One the torwallet.net page it claims "Seizing or hacking this server will have no effect on TORwallet's services and gain you no bitcoins, only our wrath", but this is wrong. If the torwallet.net server is hacked, the private key of the SSL certificate is exposed, and the hacker will know the URL query strings
That is not correct. Torwallet.net does not contain any private keys, and it is a separate server from the .onion site. They are not hosted on the same server. Not sure what's so hard to understand about that.

I mean private key of the SSL certificate, not private key of BTC accounts. Not sure what's so hard to understand about that......
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 11:57:54 AM
#95
Quote from: jl2012 on June 27, 2012, 11:40:05 AM
Quote from: rjk on June 27, 2012, 10:52:37 AM
Quote from: jl2012 on June 27, 2012, 10:49:24 AM
Quote from: rjk on June 27, 2012, 08:10:14 AM
However, he cannot obtain the private key by hacking torwallet.net. He can only obtain it by hacking the onion site itself. That socat tool is pretty damn cool; I've added it to my arsenal.

Most .onion sites don't bother having SSL enabled because Tor provides encryption... but for external access, this is a perfect example of how to use it.

The hacker don't need the wallet private key to withdraw BTC. Only the secret codes are needed
That's correct, however URL query strings are encrypted when using SSL, so they can't be sniffed. If someone tried to MITM after compromising Torwallet.net, the SSL certificate would have a different fingerprint and it would be detected as an error, since you have created a special exemption in your browser for that specific fingerprint.

One the torwallet.net page it claims "Seizing or hacking this server will have no effect on TORwallet's services and gain you no bitcoins, only our wrath", but this is wrong. If the torwallet.net server is hacked, the private key of the SSL certificate is exposed, and the hacker will know the URL query strings
That is not correct. Torwallet.net does not contain any private keys, and it is a separate server from the .onion site. They are not hosted on the same server. Not sure what's so hard to understand about that.
jl2012
legendary
Activity: 1792
Merit: 1111
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 11:40:05 AM
#94
Quote from: rjk on June 27, 2012, 10:52:37 AM
Quote from: jl2012 on June 27, 2012, 10:49:24 AM
Quote from: rjk on June 27, 2012, 08:10:14 AM
However, he cannot obtain the private key by hacking torwallet.net. He can only obtain it by hacking the onion site itself. That socat tool is pretty damn cool; I've added it to my arsenal.

Most .onion sites don't bother having SSL enabled because Tor provides encryption... but for external access, this is a perfect example of how to use it.

The hacker don't need the wallet private key to withdraw BTC. Only the secret codes are needed
That's correct, however URL query strings are encrypted when using SSL, so they can't be sniffed. If someone tried to MITM after compromising Torwallet.net, the SSL certificate would have a different fingerprint and it would be detected as an error, since you have created a special exemption in your browser for that specific fingerprint.

One the torwallet.net page it claims "Seizing or hacking this server will have no effect on TORwallet's services and gain you no bitcoins, only our wrath", but this is wrong. If the torwallet.net server is hacked, the private key of the SSL certificate is exposed, and the hacker will know the URL query strings
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 10:52:37 AM
#93
Quote from: jl2012 on June 27, 2012, 10:49:24 AM
Quote from: rjk on June 27, 2012, 08:10:14 AM
However, he cannot obtain the private key by hacking torwallet.net. He can only obtain it by hacking the onion site itself. That socat tool is pretty damn cool; I've added it to my arsenal.

Most .onion sites don't bother having SSL enabled because Tor provides encryption... but for external access, this is a perfect example of how to use it.

The hacker don't need the wallet private key to withdraw BTC. Only the secret codes are needed
That's correct, however URL query strings are encrypted when using SSL, so they can't be sniffed. If someone tried to MITM after compromising Torwallet.net, the SSL certificate would have a different fingerprint and it would be detected as an error, since you have created a special exemption in your browser for that specific fingerprint.
jl2012
legendary
Activity: 1792
Merit: 1111
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 10:49:24 AM
#92
Quote from: rjk on June 27, 2012, 08:10:14 AM
Quote from: jl2012 on June 27, 2012, 12:03:04 AM
Quote from: TORwallet on June 25, 2012, 04:35:33 PM
Quote from: jl2012 on June 24, 2012, 10:43:00 PM
Although you do not have a wallet on torwallet.net, hacking of torwallet.net will expose the secret code, and thus the balance of the accounts of those who use torwallet.net.

Quote from: TORwallet on June 22, 2012, 03:34:40 PM
It is impossible for google or anyone else to find the link to a TORwallet unless it has been posted somewhere. Those instawallet links were most likely indexed by google visiting instawallet.org and being redirected to a new wallet.

We are working on adding an optional password field to the site. We are waiting for our developer to get back from vacation.

Hacking of torwallet.net will expose absolutely nothing. https://torwallet.net is nothing more than a proxy, and actually has more in common with a port forward in your router. It doesn't even understand http and does nothing more than pipe data through tor.

In fact, here is the command we use.
socat openssl-listen:443,fork,reuseaddr,su=nobody socks4a:127.0.0.1:nci2szjrwjqw2zbi.onion:80,socksport=9050

Hacking of nci2szjrwjqw2zbi.onion would reveal current balances, however the attack surface is limited to a single port.

Just for example, I have the following wallet: https://www.torwallet.net/w/c85f0c2c5347caf6b302cebabed0e93c3ce023d6739b1e502128cbaa7042eddb

Therefore, anyone who knows the code "c85f0c2c53.............." can redeem all coins in my wallet.

A hacker can obtain the private key of torwallet.net's certificate, and he will learn the code "c85f0c2c53.............."
However, he cannot obtain the private key by hacking torwallet.net. He can only obtain it by hacking the onion site itself. That socat tool is pretty damn cool; I've added it to my arsenal.

Most .onion sites don't bother having SSL enabled because Tor provides encryption... but for external access, this is a perfect example of how to use it.

The hacker don't need the wallet private key to withdraw BTC. Only the secret codes are needed
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 08:10:14 AM
#91
Quote from: jl2012 on June 27, 2012, 12:03:04 AM
Quote from: TORwallet on June 25, 2012, 04:35:33 PM
Quote from: jl2012 on June 24, 2012, 10:43:00 PM
Although you do not have a wallet on torwallet.net, hacking of torwallet.net will expose the secret code, and thus the balance of the accounts of those who use torwallet.net.

Quote from: TORwallet on June 22, 2012, 03:34:40 PM
It is impossible for google or anyone else to find the link to a TORwallet unless it has been posted somewhere. Those instawallet links were most likely indexed by google visiting instawallet.org and being redirected to a new wallet.

We are working on adding an optional password field to the site. We are waiting for our developer to get back from vacation.

Hacking of torwallet.net will expose absolutely nothing. https://torwallet.net is nothing more than a proxy, and actually has more in common with a port forward in your router. It doesn't even understand http and does nothing more than pipe data through tor.

In fact, here is the command we use.
socat openssl-listen:443,fork,reuseaddr,su=nobody socks4a:127.0.0.1:nci2szjrwjqw2zbi.onion:80,socksport=9050

Hacking of nci2szjrwjqw2zbi.onion would reveal current balances, however the attack surface is limited to a single port.

Just for example, I have the following wallet: https://www.torwallet.net/w/c85f0c2c5347caf6b302cebabed0e93c3ce023d6739b1e502128cbaa7042eddb

Therefore, anyone who knows the code "c85f0c2c53.............." can redeem all coins in my wallet.

A hacker can obtain the private key of torwallet.net's certificate, and he will learn the code "c85f0c2c53.............."
However, he cannot obtain the private key by hacking torwallet.net. He can only obtain it by hacking the onion site itself. That socat tool is pretty damn cool; I've added it to my arsenal.

Most .onion sites don't bother having SSL enabled because Tor provides encryption... but for external access, this is a perfect example of how to use it.
jl2012
legendary
Activity: 1792
Merit: 1111
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 27, 2012, 12:03:04 AM
#90
Quote from: TORwallet on June 25, 2012, 04:35:33 PM
Quote from: jl2012 on June 24, 2012, 10:43:00 PM
Although you do not have a wallet on torwallet.net, hacking of torwallet.net will expose the secret code, and thus the balance of the accounts of those who use torwallet.net.

Quote from: TORwallet on June 22, 2012, 03:34:40 PM
It is impossible for google or anyone else to find the link to a TORwallet unless it has been posted somewhere. Those instawallet links were most likely indexed by google visiting instawallet.org and being redirected to a new wallet.

We are working on adding an optional password field to the site. We are waiting for our developer to get back from vacation.

Hacking of torwallet.net will expose absolutely nothing. https://torwallet.net is nothing more than a proxy, and actually has more in common with a port forward in your router. It doesn't even understand http and does nothing more than pipe data through tor.

In fact, here is the command we use.
socat openssl-listen:443,fork,reuseaddr,su=nobody socks4a:127.0.0.1:nci2szjrwjqw2zbi.onion:80,socksport=9050

Hacking of nci2szjrwjqw2zbi.onion would reveal current balances, however the attack surface is limited to a single port.

Just for example, I have the following wallet: https://www.torwallet.net/w/c85f0c2c5347caf6b302cebabed0e93c3ce023d6739b1e502128cbaa7042eddb

Therefore, anyone who knows the code "c85f0c2c53.............." can redeem all coins in my wallet.

A hacker can obtain the private key of torwallet.net's certificate, and he will learn the code "c85f0c2c53.............."
TORwallet
newbie
Activity: 41
Merit: 0
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 25, 2012, 04:35:33 PM
#89
Quote from: jl2012 on June 24, 2012, 10:43:00 PM
Although you do not have a wallet on torwallet.net, hacking of torwallet.net will expose the secret code, and thus the balance of the accounts of those who use torwallet.net.

Quote from: TORwallet on June 22, 2012, 03:34:40 PM
It is impossible for google or anyone else to find the link to a TORwallet unless it has been posted somewhere. Those instawallet links were most likely indexed by google visiting instawallet.org and being redirected to a new wallet.

We are working on adding an optional password field to the site. We are waiting for our developer to get back from vacation.

Hacking of torwallet.net will expose absolutely nothing. https://torwallet.net is nothing more than a proxy, and actually has more in common with a port forward in your router. It doesn't even understand http and does nothing more than pipe data through tor.

In fact, here is the command we use.
socat openssl-listen:443,fork,reuseaddr,su=nobody socks4a:127.0.0.1:nci2szjrwjqw2zbi.onion:80,socksport=9050

Hacking of nci2szjrwjqw2zbi.onion would reveal current balances, however the attack surface is limited to a single port.
davout
legendary
Activity: 1372
Merit: 1008
1davout
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 25, 2012, 04:16:05 PM
#88
Quote from: rjk on June 25, 2012, 09:27:01 AM
Quote from: davout on June 25, 2012, 04:20:54 AM
Quote from: jl2012 on June 24, 2012, 10:43:00 PM
Although you do not have a wallet on torwallet.net, hacking of torwallet.net will expose the secret code, and thus the balance of the accounts of those who use torwallet.net.
badum-tssss
Same goes for your service, just depends on who gets hacked first.
http://xkcd.com/703/
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 25, 2012, 09:27:01 AM
#87
Quote from: davout on June 25, 2012, 04:20:54 AM
Quote from: jl2012 on June 24, 2012, 10:43:00 PM
Although you do not have a wallet on torwallet.net, hacking of torwallet.net will expose the secret code, and thus the balance of the accounts of those who use torwallet.net.
badum-tssss
Same goes for your service, just depends on who gets hacked first.
davout
legendary
Activity: 1372
Merit: 1008
1davout
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 25, 2012, 04:20:54 AM
#86
Quote from: jl2012 on June 24, 2012, 10:43:00 PM
Although you do not have a wallet on torwallet.net, hacking of torwallet.net will expose the secret code, and thus the balance of the accounts of those who use torwallet.net.
badum-tssss
Gladamas
sr. member
Activity: 294
Merit: 250
Bitcoin today is what the internet was in 1998.
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 24, 2012, 11:08:39 PM
#85
Quote from: jl2012 on June 24, 2012, 10:43:00 PM
Although you do not have a wallet on torwallet.net, hacking of torwallet.net will expose the secret code, and thus the balance of the accounts of those who use torwallet.net.

Quote from: TORwallet on June 22, 2012, 03:34:40 PM
It is impossible for google or anyone else to find the link to a TORwallet unless it has been posted somewhere. Those instawallet links were most likely indexed by google visiting instawallet.org and being redirected to a new wallet.

We are working on adding an optional password field to the site. We are waiting for our developer to get back from vacation.

Can't they encrypt the code?  Undecided
jl2012
legendary
Activity: 1792
Merit: 1111
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 24, 2012, 10:43:00 PM
#84
Although you do not have a wallet on torwallet.net, hacking of torwallet.net will expose the secret code, and thus the balance of the accounts of those who use torwallet.net.

Quote from: TORwallet on June 22, 2012, 03:34:40 PM
It is impossible for google or anyone else to find the link to a TORwallet unless it has been posted somewhere. Those instawallet links were most likely indexed by google visiting instawallet.org and being redirected to a new wallet.

We are working on adding an optional password field to the site. We are waiting for our developer to get back from vacation.
TORwallet
newbie
Activity: 41
Merit: 0
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 22, 2012, 03:34:40 PM
#83
It is impossible for google or anyone else to find the link to a TORwallet unless it has been posted somewhere. Those instawallet links were most likely indexed by google visiting instawallet.org and being redirected to a new wallet.

We are working on adding an optional password field to the site. We are waiting for our developer to get back from vacation.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 22, 2012, 09:14:53 AM
#82
Quote from: Raoul Duke on June 22, 2012, 09:14:18 AM
Quote from: rjk on June 22, 2012, 09:08:32 AM
And that BS about Gmail was retarded, they don't index or publish your mail, they just scan it for keywords to provide relevant advertising.

That and stalk teenagers...

Keep drinking the koolaid.
Yeah that too lol. I forgot about that one.
Raoul Duke
legendary
Activity: 1358
Merit: 1002
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 22, 2012, 09:14:18 AM
#81
Quote from: rjk on June 22, 2012, 09:08:32 AM
And that BS about Gmail was retarded, they don't index or publish your mail, they just scan it for keywords to provide relevant advertising.

That and stalk teenagers...

Keep drinking the koolaid.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Re: [ANNOUNCE] TORwallet - anonymous mixing wallet service
June 22, 2012, 09:08:32 AM
#80
Quote from: topikwm on June 22, 2012, 07:41:52 AM
Quote from: Ente on June 22, 2012, 05:44:25 AM
Form googlemail directly? I can not believe that.. Who in their right mind would do that?

There are other options: "Google Toolbar", Chrome.. but it does not matter.

Quote from: davout on June 22, 2012, 05:42:45 AM
Google indexes stuff that people publish, it does not do black magic.

Google know about 1560 URLs (by screenshot)
For safety reasons, he showed you only the first 170, but there are other ways to get those links.

But the problem is not in Google. The problem is that even Google can find a lot of URLs.
What you don't understand is that simply visiting the root of the instawallet site (and Torwallet too) redirects you to a new virgin wallet without clicking any buttons. When this happens, the URL changes, so Google indexes a new URL each time, because it doesn't understand what happened and it thinks that there is new content to be shown to search users. IT CANNOT AND WILL NOT DISCOVER EXISTING URLS UNLESS THEY ARE SPECIFICALLY PUBLISHED.

And that BS about Gmail was retarded, they don't index or publish your mail, they just scan it for keywords to provide relevant advertising.
Pages:
Bitcoin Forum>Economy>Marketplace>Services
Jump to: