EmailDiscussions.com  

Old 17 Apr 2016, 10:21 PM   #1
downthemall
Member
 
Join Date: Oct 2010
Posts: 65
Tor hidden service

Hello,

It would be nice to have a hidden service to access Fastmail

Old 18 Apr 2016, 09:24 PM   #2
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by downthemall
> Hello,
>
> It would be nice to have a hidden service to access Fastmail

Fastmail provides very strong SSL connections to their servers -- follow the link and read completely:
https://www.fastmail.com/help/ourservice/security.html

If you are thinking that Tor adds any type of security, you are out of your mind, because it likely increases the scrutiny placed on you:
https://www.reddit.com/r/hacking/com...or_still_safe/
http://www.infosecurity-magazine.com...you-may-think/

My question is, what on earth are you doing that you have to hide you are using Fastmail email? The email is secure. Read the first link. You want to hide that you are using Fastmail?

/cl
Old 18 Apr 2016, 09:52 PM   #3
kijinbear
Cornerstone of the Community
 
Join Date: Mar 2011
Location: ~$
Posts: 652
As ChinaLamb said, every bit of information that you send to and receive from FastMail is already encrypted. So a hidden service would give you just as much security as accessing FastMail through regular Tor exit nodes. (The operator of the exit node will see that someone is using FastMail, but they will not know who it is, nor have access to any actual data you send to and receive from FastMail.)
Old 19 Apr 2016, 05:30 AM   #4
downthemall
Member
 
Join Date: Oct 2010
Posts: 65
Quote:
Originally Posted by ChinaLamb
> You want to hide that you are using Fastmail?

Yes. Either hide or access FM when it's blocked here.
Old 19 Apr 2016, 05:34 AM   #5
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by downthemall
> Yes. Either hide or access FM when it's blocked here.

Use a VPN. Much safer in countries where websites are blocked. TOR brings up a ton of unnecessary scrutiny against yourself. I'd say stay away from TOR unless you want people to think you are doing something illegal.

But, it's your life.

/cl
Old 19 Apr 2016, 06:09 AM   #6
downthemall
Member
 
Join Date: Oct 2010
Posts: 65
Quote:
Originally Posted by kijinbear
> As ChinaLamb said, every bit of information that you send to and receive from FastMail is already encrypted.

Is it? I was thinking about this today. What if a MTM attack goes on with a valid certificate? What if Google changes Chrome to accept a carefully crafted certificate when we access Fastmail? Is the Android Fastmail client hardcoded with the FM certificate?
Old 19 Apr 2016, 08:45 AM   #7
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by downthemall
> Is it? I was thinking about this today. What if a MTM attack goes on with a valid certificate? What if Google changes Chrome to accept a carefully crafted certificate when we access Fastmail? Is the Android Fastmail client hardcoded with the FM certificate?

Fake TOR exit points are much easier to spoof than to sneak in a valid certificate to a browser like Chrome. I have served in places needing high security for 16 years.

Many articles out there on this. TOR use in many countries is not to be trusted, because TOR cannot guarantee exit points. They weed the fake ones out *when they are found*.... *if they are found*... And if one is found, it means it was being used for a while before someone spotted it. Fake exit points are always one step ahead in that game... No way to guarantee...

Even if TOR were as secure as you seem to think it is, you still need a browser. TOR couldn't save you from faked certificates in Chrome.

Besides, if we see Google changing Chrome to fake certificates & steal your passwords, there will be a lot of class action lawsuits out there and Google will cease to be a company overnight.

The FastMail App has a hard wired certificate. It gives you a warning if someone tries to spoof. I know, someone tried to use fake certificates on me. The app warned me.

/cl
Old 19 Apr 2016, 09:06 AM   #8
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
FastMail has a smart group of developers who are on top of these things:
https://www.fastmail.com/help/ourservice/security.html

Also see:
https://blog.fastmail.com/2014/05/09...n-more-secure/
https://blog.fastmail.com/2015/03/13...-to-2048-bits/

Bill
Old 19 Apr 2016, 10:03 AM   #9
downthemall
Member
 
Join Date: Oct 2010
Posts: 65
Cool

Thank you, China Lamb!
Old 19 Apr 2016, 10:09 AM   #10
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by ChinaLamb
> The FastMail App has a hard wired certificate. It gives you a warning if someone tries to spoof. I know, someone tried to use fake certificates on me. The app warned me.

It's not hardwired; it performs exactly the same checks as your browser does - making sure there's a chain of trust back to the trusted certs on your device.
Old 19 Apr 2016, 10:12 AM   #11
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by robn
> It's not hardwired; it performs exactly the same checks as your browser does - making sure there's a chain of trust back to the trusted certs on your device.

My mistake!
Old 19 Apr 2016, 11:33 AM   #12
downthemall
Member
 
Join Date: Oct 2010
Posts: 65
Quote:
Originally Posted by robn
> It's not hardwired; it performs exactly the same checks as your browser does - making sure there's a chain of trust back to the trusted certs on your device.

Not good. Please consider doing it.
Old 19 Apr 2016, 12:46 PM   #13
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by downthemall
> Not good. Please consider doing it.

It's no less secure than using the FM webapp from your mobile browser.

Adding public key pins and then getting those added to the Chromium and Firefox preload lists will happen this year. Probably sooner rather than later. It shouldn't be hard, but I need to focus - if I screw it up, I lock out everyone.
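Added example (not part of robn's post and not FastMail's code): the lock-out risk mentioned in post #13 follows from how RFC 7469 public key pins work. Each pin is the base64 SHA-256 of a certificate's SubjectPublicKeyInfo, and a policy must also carry a backup pin for a key that is not in the served chain. This Python sketch checks a `Public-Key-Pins` header against a chain before deployment; the byte strings stand in for real SPKI DER and are constructed, and the helper names are hypothetical.

```python
import base64
import hashlib
import re

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_policy(header: str):
    """Return (set of pin-sha256 values, max-age in seconds or None)."""
    pins = set(re.findall(r'pin-sha256="([A-Za-z0-9+/=]+)"', header, re.I))
    age = re.search(r'max-age="?(\d+)', header, re.I)
    return pins, (int(age.group(1)) if age else None)

def policy_problems(header: str, chain_spkis) -> list:
    """Reasons a browser would ignore this policy, or that invite a lock-out."""
    pins, max_age = parse_policy(header)
    served = {spki_pin(spki) for spki in chain_spkis}
    problems = []
    if max_age is None:
        problems.append("max-age missing")
    if not pins & served:
        problems.append("no pin matches the served chain")
    if not pins - served:
        problems.append("no backup pin outside the served chain")
    return problems

# Constructed placeholders standing in for SPKI DER bytes (not real keys).
LEAF, INTERMEDIATE = b"constructed-leaf-spki", b"constructed-intermediate-spki"
BACKUP = b"constructed-offline-backup-spki"
CHAIN = [LEAF, INTERMEDIATE]

def header_for(spkis, max_age=5184000):
    """Build a Public-Key-Pins header value pinning the given SPKIs."""
    pins = "; ".join('pin-sha256="%s"' % spki_pin(s) for s in spkis)
    return "%s; max-age=%d; includeSubDomains" % (pins, max_age)

if __name__ == "__main__":
    for name, spkis in [("leaf + backup", [LEAF, BACKUP]),
                        ("leaf only", [LEAF]),
                        ("stale pins", [b"constructed-retired-spki", BACKUP])]:
        print(name, "->", policy_problems(header_for(spkis), CHAIN) or "ok")
```

Before rotating keys, run the check against the previously published header as well as the new one: "no pin matches the served chain" against the old header means clients that cached it will refuse the new chain until max-age expires.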
Old 19 Apr 2016, 08:16 PM   #14
glass
Member
 
Join Date: Dec 2013
Posts: 54
Quote:
Originally Posted by ChinaLamb
> Fake TOR exit points are much easier to spoof than to sneak in a valid certificate to a browser like Chrome. I have served in places needing high security for 16 years.
>
> Many articles out there on this. TOR use in many countries is not to be trusted, because TOR cannot guarantee exit points. They weed the fake ones out *when they are found*.... *if they are found*... And if one is found, it means it was being used for a while before someone spotted it. Fake exit points are always one step ahead in that game... No way to guarantee...
>
> Even if TOR were as secure as you seem to think it is, you still need a browser. TOR couldn't save you from faked certificates in Chrome.
>
> [...]
>
> /cl

Everything you've said there is what the advantage of a hidden service is over normal use of Tor. Connections to hidden services don't use exit nodes as the traffic never leaves the network, and the .onion address (which is derived from the fingerprint) is what verifies a hidden service; they don't depend on CA certs (although some sites, e.g. Facebook, choose to use TLS and CA certs on top of Tor's encryption).
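Added example, not part of glass's post: how an .onion address by itself identifies the service key, with no CA involved. It covers the v2 format in use when this thread was written (address taken from the SHA-1 fingerprint of the service's RSA key) and goes beyond the post to the later v3 format, where the address carries the Ed25519 public key plus a checksum and version byte. The key bytes are constructed placeholders and the function names are hypothetical.

```python
import base64
import hashlib

def v2_onion(rsa_pubkey_der: bytes) -> str:
    """2016-era address: first 80 bits of SHA-1 over the service's DER RSA key."""
    fingerprint = hashlib.sha1(rsa_pubkey_der).digest()
    return base64.b32encode(fingerprint[:10]).decode().lower() + ".onion"

def _v3_checksum(pubkey: bytes, version: int) -> bytes:
    data = b".onion checksum" + pubkey + bytes([version])
    return hashlib.sha3_256(data).digest()[:2]

def v3_onion(ed25519_pubkey: bytes) -> str:
    """Later format: base32(pubkey | checksum | version) + ".onion"."""
    if len(ed25519_pubkey) != 32:
        raise ValueError("expected a 32-byte Ed25519 public key")
    raw = ed25519_pubkey + _v3_checksum(ed25519_pubkey, 3) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

def v3_pubkey(address: str) -> bytes:
    """Recover the service key from a v3 address, rejecting malformed ones."""
    label = address.lower()
    if label.endswith(".onion"):
        label = label[:-len(".onion")]
    if len(label) != 56:
        raise ValueError("v3 label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())  # bad characters raise ValueError
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    if version != 3:
        raise ValueError("unsupported version")
    if checksum != _v3_checksum(pubkey, version):
        raise ValueError("checksum mismatch")
    return pubkey

def address_binds_key(address: str, presented_key: bytes) -> bool:
    """True only if the key a service presents is the one its address names."""
    try:
        return v3_pubkey(address) == presented_key
    except ValueError:
        return False

# Constructed sample inputs (placeholder bytes, not real keys).
SAMPLE_V3_KEY = bytes(range(32))
SAMPLE_V2_KEY = b"constructed DER-encoded RSA public key"
```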
All times are GMT +9.