• lurkerlady [she/her]@hexbear.net
    link
    fedilink
    English
    arrow-up
    24
    ·
    edit-2
    3 months ago

    Tor can be very dangerous if you don’t compartmentalize it enough and use the wrong software with it. Its pretty well documented that if you request a normal http page (not https) malicious tor nodes are constantly checking for it so they can attempt to serve you bad shit to steal info. You never really know when your computer on say, a windows machine, will make a bad request. So it becomes imperative to use operating systems and technologies that limit that issue. (Re: use tor only on the tor browser, or use qubes+whonix to compartmentalize potential bad requests).

    The most secure ‘every day’ thing someone can do is use almost any linux distro, mullvad browser (or a normal hardened firefox), and a trusted vpn (proton, mullvad, ivpn, out of these three mullvad is probably the best).

    the most secure thing possible (re dont do this its ridiculous for 99.9% of people) is probably a sneaky self-made wireguard vpn entry node + tor + qubes/whonix. and by sneaky wireguard vpn i mean doing stuff and things in order to not pay for an ISP with your vpn server. that means you have pivpn or something setup on a hidden raspberry pi on a network you probably dont have permission to run vpns on.

    • FumpyAer [any, comrade/them]@hexbear.net
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      3 months ago

      You should never be on a regular http site though and every browser has a scare page or a red alert icon in the URL space telling you not to. Simply listen to it and don’t go there.

      Tor with JavaScript disabled is one of the most secure and private tools we have, since it protects against browser fingerprinting.

      Don’t go to sites without https under any circumstances.

      Edit: you can enable https only mode on Firefox or Tor browser using these instructions: https://support.mozilla.org/en-US/kb/https-only-prefs#w_enabledisable-https-only-mode

      • FumpyAer [any, comrade/them]@hexbear.net
        link
        fedilink
        English
        arrow-up
        5
        ·
        3 months ago

        And I agree with the other part you said about not using clearnet accounts on your Tor browser. That’s arguably more important than Tor vs Mullvad vs tor + vpn distinction.

      • lurkerlady [she/her]@hexbear.net
        link
        fedilink
        English
        arrow-up
        4
        ·
        edit-2
        3 months ago

        So like, unless youre really digging into wireshark or something over a long time, you really dont know what connections are encrypted or unencrypted coming from your OS. Thats more what I’m referring to. Certain OSes like whonix have safeguards for this, and linux in general is much better about this. Its hypothetically possible a malicious actor could hijack an operation that isnt encrypted coming from your OS to bork you.

        And yeah tor browser on its own without JS and high tracking prevention is the way to go if you dont want a big hassle dealing with your OS. I was more referring to TORing all of your computer traffic, which should only be done with specific OSes. Mullvad browser with vpn is fine for the vast majority of people and it doesnt reduce speed a lot like TOR does.

        • FumpyAer [any, comrade/them]@hexbear.net
          link
          fedilink
          English
          arrow-up
          4
          ·
          edit-2
          3 months ago

          Any sensitive data you submit or get served on that site can be intercepted, read, or possibly changed on the way to you (called a “man in the middle” attack). Including your location data, credit card info, username, password, etc.

          A vpn could mitigate this somewhat, but it would still be unencrypted between their network out point and the site’s server.

          I’d also call it a red flag in terms of their security. If they aren’t competent/diligent enough to implement SSL encryption, I’d be a bit worried that they may be vulnerable to a hacker replacing their safe file downloads with a malicious one.

          This would be even worse on a public wireless network where somebody could catch your packets on the way to the router.

          • anarchoilluminati [comrade/them]@hexbear.net
            link
            fedilink
            English
            arrow-up
            3
            ·
            3 months ago

            Thanks! I don’t use any identifying information and always use VPN. I don’t care if they get the username/password for that account anyway. So, I hope that helps. Haha But, yeah, not great for security and always try to avoid http.

        • Justice
          link
          fedilink
          English
          arrow-up
          2
          ·
          3 months ago

          In addition to everything already suggested, here’s another really small one: retype the url for the site but manually make it https instead of http

          Most browsers, most web hosts and whatever else now days automatically force everything into https, but if the site is older, not well maintained, or whatever reason the person has, they might be utilizing this type of stuff. There’s basically no reason that a publicly hosted website should not have https that I can think of. Locally hosted stuff, sure, but we’re talking just random ass webpage perhaps found on google or something? It should go to a https url otherwise something funky is going on.

          But yeah, add an s and see. Especially if you’ve (against the advice of your browser and OS screaming) turned off the forced automatic https redirect. I’ve turned it off before while messing with stuff and found there are websites still that don’t automatically redirect to https if you mistakenly type http. Seems wild now days but it happens