Improving personal security for homedistiller web traffic
This post contains some suggestions about how to improve your privacy when using this website - in this post-Snowden world. If any IT gurus are reading this I'd be interested in their comments - I know a little, which can be a dangerous thing.
The bottom line is that if you start going to this website using
https://homedistiller.org/forum/
you will be more secure than otherwise.
Tor
---
One could use an Onion router such as Tor to reach homedistiller. Nobody will know where you are browsing, but Tor is also used for drug dealing and illegal porn, so it will attract attention: not a good idea.
https
-----
When most people go to the home distiller website, they use the http protocol. The web browser on my mac shows the address via Google search as:
homedistiller.org/forum/
though if I copy the address into this thread it comes up as
http://homedistiller.org/forum/
Now notice if you use a search that Google uses
https://www.google.com
... the key difference is the "s" in https vs http.
i.e. Google protect web search content using the https protocol.
https was developed for secure communications - banking originally, but it has become mainstream. (It uses the beautifully named "Diffie-Hellman key exchange" ... now that's a phrase to drop at parties!)
Data on the net comes in packets having two parts:
1) Header - having source and destination address. A bit like an envelope.
2) Contents - what the message is about. Think of a letter. Also called "payload".
The header has to be sent in clear text - readable by anyone who can watch web traffic. Otherwise the servers don't know where to deliver the packet, or the return message if it bounces. So the source and destination of all your homedistiller traffic will be logged - as IP addresses. But are you just reading or admitting to things?
In commercial law in my country if you don't try to protect information it becomes public by default. So if you use http then you have made no attempt to obtain privacy, so you have put the packet contents in the public domain, so I can see a Government feeling free to scan this for anything they like.
The contents of your communications can be encrypted, and this happens when you use https, but not http. Now there is so much https traffic on the web it is going to be buried in the sea - along with Google searches and banking - so it won't attract attention like Tor would. Besides, if anyone does get curious it will be immediately obvious why the sender might want this extra security - the whole website is about people who break or contemplate breaking a specific minor law. But a third party would need access to the homedistiller servers to find out what you actually sent, and even then it would be a lot harder. Security is never perfect, you just try to make it too hard to bother.
And if you try
https://homedistiller.org/forum/
your browser will ask you why you trust this site, and request an exception, but then will make a connection for you (or mine does).
I hope the homedistiller servers can keep up with the extra computation for https connections. And like I said, to any IT gurus who want to pick holes in my thinking: careful review is a key to good engineering.
There is also a comment on this website about pulling location data out of posted photographs. Also very sound advice.
Other people can talk about how to expand the destiny of mankind. I just want to talk about how to make whiskey. I think that what we have to say has more lasting value.
Anyone who tells you measurement is easy is a liar, a fool, or both.
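The header/payload split described in the post above, as an added example that is not part of the original thread: it builds one IPv4/TCP packet carrying a forum post over http and one carrying it inside a TLS record, then shows what a passive observer can read from each. The addresses, host name and request are constructed samples, and random bytes stand in for real TLS ciphertext.

```python
import ipaddress
import os
import struct

def build_packet(src, dst, dport, payload):
    """Minimal IPv4 + TCP packet; checksums left at zero (constructed sample)."""
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp + payload

def tls_record(plaintext):
    """Wrap a stand-in ciphertext in a TLS application-data record header."""
    # Assumption: random bytes stand in for real AEAD output
    # (plaintext length plus a 16-byte authentication tag).
    body = os.urandom(len(plaintext) + 16)
    return b"\x17\x03\x03" + struct.pack("!H", len(body)) + body

def observe(packet):
    """Return what a passive observer on the network path can read."""
    ihl = (packet[0] & 0x0F) * 4                      # IPv4 header length
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    data_off = (packet[ihl + 12] >> 4) * 4            # TCP header length
    payload = packet[ihl + data_off:]
    seen = {"src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20])),
            "dport": dport}
    if payload[:3] == b"\x17\x03\x03":                # TLS record: type 23, version 3.3
        seen["payload"] = "<%d bytes of TLS ciphertext>" % (len(payload) - 5)
    else:
        seen["payload"] = payload.decode("ascii", errors="replace")
    return seen

# Constructed sample: the same forum post sent over http and over https.
REQUEST = (b"POST /forum/ HTTP/1.1\r\nHost: forum.example\r\n\r\n"
           b"message=hello+from+my+garage")
HTTP_VIEW = observe(build_packet("192.0.2.10", "198.51.100.20", 80, REQUEST))
HTTPS_VIEW = observe(build_packet("192.0.2.10", "198.51.100.20", 443,
                                  tls_record(REQUEST)))

if __name__ == "__main__":
    for name, view in (("http", HTTP_VIEW), ("https", HTTPS_VIEW)):
        print(name, view)
```

Both views expose the same source and destination addresses; only the http view exposes the message text. In a real TLS connection the server's host name is usually also sent in clear text in the handshake (the SNI field), so an observer learns which site is visited even though the content is hidden.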
Re: Improving personal security for homedistiller web traffi
Excellent tips (as I understand things, at least). Thanks for posting.
Distilling at 110f and 75 torr.
I'm not an absinthe snob, I'm The Absinthe Nazi. "NO ABSINTHE FOR YOU!"
-
- Trainee
- Posts: 918
- Joined: Wed Apr 23, 2014 6:43 pm
- Location: South of the Mason Dixon line
Re: Improving personal security for homedistiller web traffi
Have any HD members been busted and had their activity on this site used against them before? like as evidence or probable cause or something? Just wondering...
But what the heck do I know.....I am still learning.
-
- Bootlegger
- Posts: 127
- Joined: Tue Jan 29, 2013 7:45 pm
- Location: Ohio
Re: Improving personal security for homedistiller web traffi
Everything that you are bringing up is and are valid points. Regardless of using http or https, your public or ISP-assigned IP address is still logged in the packet data. The main advantage of using https is to secure the information that is being sent from the server to the end user's web browser, thereby not really protecting you, as your IP is still in the header of the packet.
However, using Tor will provide the anonymity that most are concerned with, but for most users this just makes the process of accessing the site a PIA and is technology that the average person will never use aside from HD. On another note, Google Chrome does offer an incognito tab that should help those with their concerns.
But remember, there is no true way to be anonymous on the internet; someone somewhere can track you.
- S-Cackalacky
- retired
- Posts: 5990
- Joined: Fri Feb 08, 2013 4:35 pm
- Location: Virginia, USA
Re: Improving personal security for homedistiller web traffi
I tried using "https" and it seems to work ok. I was concerned that it might not maintain the secure connection as I navigated around the site, but it seemed to keep the secure connection. I'm not sure how much protection this offers. You have to remember that most of what you're sending will appear in the forums as plain text for the world to see. The two pieces of information to be concerned about are your password and your email address. The password should already be encrypted (big assumption here), but I know from my own experience that THAT encryption can be easily broken. I'm sure the investigative agencies of the gooberment have all the tools in their toolbox for breaking most encryption codes. Https might add another layer of protection to your password.
So, if someone can decrypt your password, they have access to your profile. If you're wise, the only thing you have in your profile to be concerned about would be your email address. You could somewhat protect your email identity with an email service like "hushmail" which is a somewhat anonymous and secure email service. Now, if you're not so wise, and you have been exchanging PMs with other members and divulging private information, then getting access to your account would give an investigator a wealth of information. So, in that case, your PMs could be your Achilles' heel. And remember, if you're not using "https", those PMs could also be read by most any savvy hacker.
TOR, in my opinion, is probably false security since the only thing it protects is your IP address. If a hacker can break your password encryption, they basically own all the other behind the scenes information you divulge here. You can be found with an IP address, but in most cases an investigative agency would need to subpoena this site and possibly your ISP to trace it back to you. That is, unless they obtain it by some nefarious means. I think at the very least they would need to go to the ISP (if using NAT) to trace it back to the actual computer using it - a lot of trouble unless they're really determined to get you.
Anyway, best advice I can give would be to watch what you do with PMs. If you want to give your address to another member, do it outside the forums with a secure email service such as hushmail.
Just my $.02 worth.
Every new member should read this before doing anything else:
Re: Improving personal security for homedistiller web traffi
Good comments, people.
There is a point where the techy stuff ends, and the real world starts and that's the line we are talking about. But there are two principles that apply:
1) Security doesn't work, but we still use it. For example, we all lock our houses but someone can still break in through a door with an axe or a wall with a sledgehammer (I've seen both of those happen, but that is another story.) So why do we bother with locks? If you can encourage the thief to go next door, then the lock is good enough. If we make it hard, then maybe it will be easier to chase dope growers or whatever.
2) If you want peace, prepare for war. This is really a variant on 1)
There is an interesting book called "Expedient Breaking and Entering". It's on Amazon. It will change the way you look at your home security, and maybe how you use the web.
It's all fun.
Other people can talk about how to expand the destiny of mankind. I just want to talk about how to make whiskey. I think that what we have to say has more lasting value.
Anyone who tells you measurement is easy is a liar, a fool, or both.
Re: Improving personal security for homedistiller web traffi
engunear wrote: If you want peace, prepare for war.
Yup. Brilliant.
In theory there's no difference between theory and practice. But in practice there is.
My Bourbon and Single Malt recipes. Apple Stuff and Electric Conversion
-
- Bootlegger
- Posts: 127
- Joined: Tue Jan 29, 2013 7:45 pm
- Location: Ohio
Re: Improving personal security for homedistiller web traffi
Ok, boasting a little, I'm an offensive security certified IT professional for a living and the only way to truly be secure online is to not be online... and that's all I will add to this conversation. Gentlemen, use smart practices..
- S-Cackalacky
- retired
- Posts: 5990
- Joined: Fri Feb 08, 2013 4:35 pm
- Location: Virginia, USA
Re: Improving personal security for homedistiller web traffi
Od1tspyd3r wrote: Ok, boasting a little, I'm an offensive security certified IT professional for a living and the only way to truly be secure online is to not be online... and that's all I will add to this conversation. Gentlemen, use smart practices..
Good point. If you want to be here, you need to be willing to accept a certain amount of risk, but minimize those risks by exercising caution.
Every new member should read this before doing anything else:
- goinbroke2
- Distiller
- Posts: 2447
- Joined: Mon Mar 24, 2008 6:55 pm
- Location: In the garage, either stilling or working on a dragster
Re: Improving personal security for homedistiller web traffi
&@$- em! If the world is so well off that they need to come after a little nobody like me for something as trivial as making something for personal consumption....then bring it on. Ultimately I would lose in court because this is illegal, but after 30 years in the army I do know my way around a mike and how to talk to the media. Certainly not something I would look forward to and would not flaunt it, but this is not meth or kiddy porn either! Upstanding citizen, military, never in trouble before, always paid income tax, etc, etc.
In this area during prohibition, many people made fortunes smuggling liquor into the states and as such, moonshining is quite well viewed here so while open and shut guilty, I know I could get public opinion on my side.
So....$&@- em! I'll make my little bit and take my chances. My concern with my info on the internet would be more about my credit info, bank info, ss #.
Numerous 57L kegs, some propane, one 220v electric with stilldragon controller. Keggle for all-Grain, two pot still tops for whisky, a 3" reflux with deflag for vodka. Coming up, a 4" perf plate column. Life is short, make whisky and drag race!