Hello.
Is Whonix using a tor browser or what? Because I need to do a purchase but it is recommended to not be on a tor browser because of possible attacks on the tor exit node… However, I still want to login on my account and all that anonymously.
Thanks!
Good day,
To protect users from fingerprint based tracking, Whonix uses the Tor Browser Bundle as its main browser.
That has nothing to do with the Tor Browser Bundle. The Tor Browser Bundle, as the name suggests is just that a browser. It doesn’t change anything about Tor or the way Tor is implemented, so exit node based attacks are the same no matter which browser you use. Whoever recommended this is wrong.
Have a nice day,
Ego
Thank you so much for the reply, I really appreciate it. Hmmm, here is what they say:
Is using a Tor browser safe?
If you are not a tech-savvy user we recommend avoid using a Tor browser when purchasing Bitcoins. When using a Tor browser you are at risk for man-in-the-middle-attacks by malicious Tor exit nodes. A malicious Tor exit node intercepts the traffic between your computer and LocalBitcoins and then steals your Bitcoins.
If you want to maintain safety and privacy we recommend purchasing Bitcoins in LocalBitcoins using a normal web browser. After the purchase send Bitcoins to a desktop application wallet from where you can make further payments.
See Bitcoin wallet alternatives for your device.
Read more about maintaining your security.
LocalBitcoins has witnessed high attack rates against Tor users. Tor exit nodes intercept HTTPS traffic by doing HTTPS man-in-the-middle attacks with self-signed certificates.
Read research by Tor authors about the malicious Tor exit nodes.
Two-factor authentication and other normal security measures does not protect against traffic interception attacks as the attacker can modify Bitcoin send requests to go to a wrong receiving Bitcoin address.
I do not know if I made their point clear but here you can see. Aren’t they saying that I should not use tor if I wanna avoid get something stolen?
Good day,
I see that you’ve gotten this from LocalBitcoins. What they are essentially saying though is the following:
Since there could be attacks based on malicious exit nodes, don’t use Tor at all. That means you cannot be anonymous when buying BTC via the method they recommend. The rest they wrote is very plainly not correct.
First of all, they sometimes write about a “Tor browser” and sometimes just “Tor”. They likely meant the Tor Browser Bundle, which includes Tor as well as a browser designed for Tor. Just using said browser without Tor in any way is no different to using any other browser, so any attack based on Tor does not apply if we are just talking about a “Tor browser”. That’s why they change to talking about Tor at the end.
Secondly, they claim that “to maintain safety and privacy we recommend purchasing Bitcoins in LocalBitcoins using a normal web browser” but, as mentioned, ANY browser can use Tor as a connection making this completely nonsensical. The likely mean “normal internet connection” without Tor, instead of a “normal web browser”, as that would actually be correct. Though that wouldn’t, as they say, “maintain safety and privacy”, as it would be neither safe, nor private, due to your IP being known to them.
They further claim the following:
This is likely one of the most wrong statements I’ve read on Tor in quite some time. Exit nodes are NOT capable of reading your HTTPS encrypted traffic and they do not in any way employ self-signed certificates to do so. A few antivirus solutions. You can see the fact that Exit nodes CANNOT do this via this nice graphic, by selecting Tor and HTTPS and seeing how the last relay cannot read your password or traffic in any way: How HTTPS and Tor Work Together to Protect Your Anonymity and Privacy | Electronic Frontier Foundation
In the next sentence, they even admit that what they claimed wasn’t the case when they provide a link to inform yourself:
What they’ve linked there is the MITM section of the Tor Blog, in which the following is written:
In addition, TorBrowser ships with HTTPS-Everywhere which by default attempts to connect to some sites over HTTPS even though you just typed “http://”. After all, as we said in the past, “Plaintext over Tor is still plaintext”.
Like mentioned, Tor Exit nodes CANNOT read HTTPS encrypted traffic which is the reason the Tor Browser Bundle includes HTTPS-Everywhere to enforce HTTPS.
So, the person who wrote this didn’t just not know what he/she was writing about, no, this person actually even linked to information which proves them wrong, but still wrote this nonsense anyways.
As long as the connection you are using is secured via SSL, an exit node has no way of intercepting that traffic. If it where, we would have a multitude of issues.
Have a nice day,
Ego
WOW THANK GOD! That is really a good answer to my question, wow. You really made every section clear. However, you said: [quote=“Ego, post:4, topic:3478”]
Since there could be attacks based on malicious exit nodes, don’t use Tor at all. That means you cannot be anonymous when buying BTC via the method they recommend. The rest they wrote is very plainly not correct.
[/quote]
So since you only can purchase BTC when signed in on your account, I will have to be signed in on the account on my real ip which means that the account will after that always be revealing my true location…and therefore there would also not be any point in using tor after that for handling things on the account, like sending BTC. Does this mean that I simply have to drop being anonymous(when it comes to ip) when using this service or what is your thought. Again, I really appreciate your time!
Good day,
Yes, very much. The old rule of don’t mix non anonymous and anonymous connections applies in this case: Tips on Remaining Anonymous
Thing is, I don’t know what their stance is on accepting people who create and use their account solely via Tor, so I can’t tell whether there is an option of using it somewhat securely. If you have the ability, use a local Bitcoin ATM or some other local method of obtaining BTC: Anonymous Money
Have a nice day,
Ego
You are really the best! Thank you so much, nice to have people like.