• FumpyAer [any, comrade/them]@hexbear.net
    3 months ago

    You should never be on a regular http site though and every browser has a scare page or a red alert icon in the URL space telling you not to. Simply listen to it and don’t go there.

    Tor with JavaScript disabled is one of the most secure and private tools we have, since it protects against browser fingerprinting.

    Don’t go to sites without https under any circumstances.

    Edit: you can enable https only mode on Firefox or Tor browser using these instructions: https://support.mozilla.org/en-US/kb/https-only-prefs#w_enabledisable-https-only-mode

    • FumpyAer [any, comrade/them]@hexbear.net
      3 months ago

      And I agree with the other part you said about not using clearnet accounts on your Tor browser. That’s arguably more important than Tor vs Mullvad vs tor + vpn distinction.

    • lurkerlady [she/her]@hexbear.net
      3 months ago

      So like, unless you’re really digging into Wireshark or something over a long time, you really don’t know what connections are encrypted or unencrypted coming from your OS. That’s more what I’m referring to. Certain OSes like Whonix have safeguards for this, and Linux in general is much better about this. It’s hypothetically possible a malicious actor could hijack an operation that isn’t encrypted coming from your OS to bork you.

      And yeah, Tor browser on its own without JS and high tracking prevention is the way to go if you don’t want a big hassle dealing with your OS. I was more referring to TORing all of your computer traffic, which should only be done with specific OSes. Mullvad browser with VPN is fine for the vast majority of people and it doesn’t reduce speed a lot like Tor does.

      • FumpyAer [any, comrade/them]@hexbear.net
        3 months ago

        Any sensitive data you submit or get served on that site can be intercepted, read, or possibly changed on the way to you (called a “man in the middle” attack). Including your location data, credit card info, username, password, etc.

        A vpn could mitigate this somewhat, but it would still be unencrypted between their network out point and the site’s server.

        I’d also call it a red flag in terms of their security. If they aren’t competent/diligent enough to implement SSL encryption, I’d be a bit worried that they may be vulnerable to a hacker replacing their safe file downloads with a malicious one.

        This would be even worse on a public wireless network where somebody could catch your packets on the way to the router.

        • anarchoilluminati [comrade/them]@hexbear.net
          3 months ago

          Thanks! I don’t use any identifying information and always use VPN. I don’t care if they get the username/password for that account anyway. So, I hope that helps. Haha. But, yeah, not great for security and always try to avoid http.

      • Justice
        3 months ago

        In addition to everything already suggested, here’s another really small one: retype the URL for the site but manually make it https instead of http.

        Most browsers, most web hosts and whatever else nowadays automatically force everything into https, but if the site is older, not well maintained, or whatever reason the person has, they might be utilizing this type of stuff. There’s basically no reason that a publicly hosted website should not have https that I can think of. Locally hosted stuff, sure, but we’re talking just random ass webpage perhaps found on Google or something? It should go to an https URL, otherwise something funky is going on.

        But yeah, add an s and see. Especially if you’ve (against the advice of your browser and OS screaming) turned off the forced automatic https redirect. I’ve turned it off before while messing with stuff and found there are websites still that don’t automatically redirect to https if you mistakenly type http. Seems wild nowadays but it happens.
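
The check discussed in the thread (start from the plain `http://` address and see whether the site moves you to `https://`), written out as an added example that is not part of any post above. The function names, `MAX_HOPS` and the `*.example` hosts with their responses are assumptions constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: stop after this many redirects
REDIRECTS = (301, 302, 303, 307, 308)


def live_fetch(url, timeout=10):
    """One plain-HTTP request, redirects not followed: (status, Location)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.netloc, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_upgrade(host, fetch=live_fetch):
    """Start at http://host/ and report whether the site sends us to HTTPS."""
    url = f"http://{host}/"
    hops = [url]
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        if status in REDIRECTS and location:
            url = urljoin(url, location)  # Location may be a relative path
            hops.append(url)
            if url.startswith("https://"):
                return "upgrades-to-https", hops
            continue  # redirected, but still on plain HTTP
        # Any other answer was served to us over plain HTTP.
        return "stays-on-http", hops
    return "too-many-redirects", hops


# Constructed responses (not real sites) so the check also runs offline.
SAMPLE = {
    "http://good.example/": (301, "https://good.example/"),
    "http://old.example/": (200, None),
    "http://hop.example/": (302, "/home"),
    "http://hop.example/home": (301, "https://hop.example/home"),
}

if __name__ == "__main__":
    for name in ("good.example", "old.example", "hop.example"):
        print(name, *check_upgrade(name, fetch=SAMPLE.__getitem__))
```

Even for a site that upgrades, every hop listed before the first `https://` URL was sent unencrypted, which is the gap the HTTPS-only mode linked earlier in the thread closes.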