Will everyone finally acknowledge that TOR hidden services are not suitable for darknetmarkets??

After SR1 went down, there was a lot of talk about the security of TOR, and whether or not hidden services were vulnerable to various attacks on the network. I was among the voices suggesting that LE would deanonymize any hidden service they so choose, given enough time. Quite predictably, a lot of people didn't like this; the chorus of "TOR hides your IP, they can't break the encryption!" was deafening.

But in the wake of today's events, shouldn't the community now recognize the obvious? TOR hidden services are not safe. Given enough time, LE can use two malicious nodes set up to perform timing attacks to deanonymize a hidden service. And given enough time, this attack can almost always be effective.

Not only that, but they can use a similar attack to deanonymize a small percentage of users of a hidden service. A malicious Hidden Service Directory, along with a malicious guard node, can reveal the IP of any machine connecting to the HSDir through the guard node.

Tor markets are not safe. The only safe way to use TOR to conduct this business is through direct deals using tor + noscript friendly email + PGP. And I know that half of these people here are afraid of operating out of escrow, but if that's the case you really need better vendors.

Not to mention, what protection does escrow really give when LE brings the hammer down? The community needs to move away from markets entirely.


Comments


[4 Points] ignig:

Or until someone innovates something completely new. LE understand the Dark Net now.

You gotta adapt.


[2 Points] R4ID:

they nabbed DPR2 because he used a gmail at some point to register for the servers... I'm not saying we shouldn't adapt or evolve..(I'm always D for that) but u should really wait a few days and let all the facts/dust settle before making bold claims


[2 Points] futuredracula:

or you could read and comprehend and see that this bust was due to UCs; if it was so simple to deanonymize, they'd be doing it. the U.S. govt wants people to use tor so CIA assets and such have some kind of cover.


[1 Points] None:

I would go i2p but it's complicated as fuck and my favorite vendors aren't on it.


[1 Points] sharpshooter789:

DPR2 made tons of mistakes. It probably wasn't difficult to track down the servers.