Israel Helton Wernik

I'm a Cyber Researcher and Python Programmer.

Communicating Privately & Anonymously

16 Oct 2019

Using Email

Fake identity

First, to send email anonymously you will need a fake identity. There are a lot of websites that create a fake identity for you. You should always use this information whenever you sign up for any service on the darknet or the clear-net; this will be your identity.

Fake identity website example

https://elfq2qefxx6dv3vy.onion.ws/fakeid.php?gender=f

Make sure you never use your darknet identity on the clear-net:

  • Never log in from clear-net.
  • Never communicate with accounts you own.
  • Never use on the clear-net.

Email Services

Temporary Accounts

There are many email services that offer temporary accounts. The main disadvantage of these email accounts is that they are relatively easy to break into, so you want to be careful about that. But if you are using encryption, then even if someone reads your messages your data should be secure and encrypted, as long as your keys are encrypted.

But that's something to talk about in another post. The good points of this kind of email service:

  • Temporary email account with an expiry date.
  • No setup.
  • No personal information required.
  • Lots of services on the clear-net and darknet:
      • http://grrmailb3fxpjbwm.onion/
      • https://www.guerrillamail.com/
      • https://tempmailaddress.com

Huge list of other providers - https://gist.github.com/michenriksen/8710649

Clear-net Privacy-Focused Mail Providers

The next type of e-mail service that I want to talk about is e-mail services that are focused on privacy and anonymity. Unlike temporary e-mails, these are proper e-mail services that will give you a proper e-mail address, and your inbox will never expire.

You will sign up and log in with a password, similar to the way you sign up and log on to the e-mail services that you're familiar with.

But unlike Gmail, Hotmail and all of the services that collect a lot of data about you, privacy-focused e-mail services collect no data, don't store any logs and don't track you.

The good ones use end-to-end encryption.

The bullet points are:

  • No tracking.
  • No logs.
  • End to end encryption.
  • No personal information required.
  • Available on the clear-net and as an onion service.
  • Send emails to clear-net and darknet addresses!

Reminders:

  • Always read the terms, privacy policy, etc.
  • Never use your real identity.

Example:

  • Proton Mail - https://protonmail.com/
  • Tor Service: https://protonirockerxow.onion/login

ProtonMail is good because:

  • No tracking.
  • No logs.
  • End to end encryption.
  • No personal information required.
  • Open Source.
  • Enforces HTTPS.
  • Available on the clear-net and as an onion service.
  • Uses its own servers in Switzerland.
  • Communicate with clear-net and darknet addresses!

The only problem with them is that they operate both on the clear-net and on the darknet. They are publicly known companies, and therefore they sometimes comply with court orders and might be influenced by agencies and so on.

Darknet Mail Providers

Darknet mail providers are a little bit harder to use and have fewer features, but they are more private, more secure and therefore more anonymous.

They're less likely to be influenced by agencies and so on because all of their servers are in the darknet.

By default they benefit from Tor's anonymizing and privacy features, and they all use encryption.

The bullet points are:

  • No tracking.
  • No logs.
  • No personal information required.
  • No JavaScript required.
  • Available on the darknet only.
  • Benefit from TOR’s anonymizing and privacy features.
  • Encryption.
  • Two types:
      • Communicate with clear-net and darknet addresses!
      • Communicate with darknet emails only!

Examples:

  • Temp mail - http://grrmailb3fxpjbwm.onion/
  • Proton Mail - https://protonirockerxow.onion/login
  • Torbox - http://torbox3uiot6wchz.onion/
  • Elude - http://eludemaillhqfkh5.onion/
  • Riseup - http://nzh3fv6jc6jskki3.onion
  • Mail2tor - http://mail2tor2zyjdctd.onion/

A full list (keep in mind that links might not work; if they don't, look for the service name in search engines or in link directories): https://www.reddit.com/r/onions/comments/6krt34/list_of_onion_email_providers/

How to choose

All of these types can be very useful, because you'll be able to pick whichever is best for your scenario.

Reminder: fewer features means more anonymity.

| Service | Example | Communication | Javascript | Logging & Tracking | Hidden Service | Encryption |
|---|---|---|---|---|---|---|
| Common Services | Gmail | Clearnet & Darknet | Yes | High | No | HTTPS/TLS |
| Temp Emails | GuerrillaMail | Clearnet & Darknet | Yes | Medium | Limited | HTTPS/TLS |
| Privacy-focused (hybrid) Services | ProtonMail | Clearnet & Darknet | Yes | none | Limited | HTTPS/TLS & End-to-end |
| Darknet Services | Elude / Torbox | Clearnet & Darknet / Darknet Only! | No | none | Yes | end-to-end |

Instant Messaging

OK, so now that we know how to use e-mail to communicate on the darknet privately and anonymously, the other method of communication that you might want to use is instant messaging.

When it comes to instant messaging, there are a number of applications that we can use, such as WhatsApp and Viber.

And again, similar to everything we have spoken about so far, a lot of these apps are not private and not secure.

A lot of them log what you do. They track what you do, they track your messages, they track the users that you communicate with, and some of them have permission to read your messages.

Not only that: even with the apps that claim to use encryption and to be private, such as WhatsApp, we don't really know how this is implemented, and we can't see the code.

So there are even rumors that the end-to-end encryption in WhatsApp is not 100% secure and that Facebook might be able to read the messages that get sent.

Now you'll face this issue with everything that is owned by one specific company, because a lot of these companies don't share the code used in their programs.

So at the end of the day, you will just have to trust them.

And again, putting all of this to the side, even if the apps are 100% secure and 100% private, they are installed on operating systems that are not secure and private, such as Android, iOS, Windows and so on, and all of these operating systems log data and track their users.

Therefore, if you want to protect your privacy and anonymity, it's a better idea to, first of all, use an operating system that is more private than other operating systems, such as TAILS, which we cover in another post.

XMPP

The next thing that we want to do is to use an instant messaging service that is more private, and to do this we're going to use the XMPP protocol.

This is a free and open protocol that is not owned by anybody, so it's not controlled by a single company.

  • Free & open.
  • Not owned by anyone.
  • Decentralized.
  • Usable through Pidgin messenger in Tails.
  • Enhance privacy using OTR.
  • Widely used on the darknet.

XMPP is decentralized so anyone can run their own server and you can even use your own server to set up an account.

Here you can see a list of public XMPP servers.

Let's use, for example, the dismail.de service: go there, register an account with your fake identity, and after that you can use this service with TAILS to communicate privately.

You can create one account on one XMPP server and communicate with any other XMPP server.

Pidgin

Pidgin is a free and open-source multi-platform instant messaging client, based on a library named libpurple that has support for many instant messaging protocols, allowing the user to log into various services simultaneously from one application. On the TAILS OS, Pidgin is already pre-installed, which is good because TAILS is supposed to be used as a live system.

  1. On TAILS, click on Applications -> add -> XMPP protocol.
  2. Enter the username you created on dismail.de.
  3. Domain: dismail.de
  4. Enter the password you created.
  5. Click on add.
  6. To add a friend, click on Buddies -> Add Buddy and, as the buddy's username, enter the email, like xyz@jabber.system.org

At this point, a message you send goes through the TOR network and then leaves it to reach the XMPP server. To stay only on the TOR network, you need to use the Tor hidden service of the XMPP server from the list.

  1. Go to Accounts -> modify -> Advanced -> connect server and enter the hidden server.

The only problem is that you can see a red "Not private" button warning at the bottom; it's because the connection is not private.

TLS is used, so there is a layer of encryption, but it is not end-to-end encryption. What that means is that you will be able to read the message, the server will also be able to read the message, and the receiver will read the message.

Ideally, we want to use end-to-end encryption, so that only you and the receiver can read the message.

Configure Pidgin for end-to-end encryption

You can use a plugin called Off-the-Record (OTR) Messaging, which allows you to have private conversations over instant messaging by providing:

  • Encryption - No one else can read your instant messages.
  • Authentication - You are assured the correspondent is who you think it is.
  • Deniability - The messages you send do not have digital signatures that are checkable by a third party. Anyone can forge messages after a conversation to make them look like they came from you. However, during a conversation, your correspondent is assured the messages he sees are authentic and unmodified.
  • Perfect forward secrecy - If you lose control of your private keys, no previous conversation is compromised.

Enable OTR

  1. Go to Tools -> Plugins -> Off-the-record-messaging and check it.
  2. Go to config and make sure to enable all checkboxes under the default OTR settings.
  3. To communicate privately, click on chat -> OTR, and on the "Not private" warning, and make the conversation private. Wait and voilà, you have private messaging.

So we have now solved the privacy problem.

But you can see that your communication is unverified, with the yellow "Unverified" warning at the bottom.

Verify contacts

The only problem that we have left is that, as you can see at the bottom, it's still telling us that the communication is unverified. So it is private, but it's unverified.

What's meant by this is that right now we're still not sure that the person on the other end is who they're claiming to be.

What if someone managed to hack into this person's account, or what if someone has managed to impersonate this account?

So how can we be sure that the person using this account is the person that we want to communicate with?

This is what the warning is telling us: we haven't verified the person on the other end.

And I want to show you a number of methods for doing this.

  1. Click on the Unverified button -> Authenticate Buddy.

There you have several options, such as:

  • personal question
  • shared secret
  • manual fingerprint verification
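What manual fingerprint verification actually compares, as an added example (not from the original post and not Pidgin's code): an OTR fingerprint is the SHA-1 hash of the serialized DSA public key, shown as five groups of eight hex digits. The key parameters below are tiny constructed numbers and the helper names are hypothetical.

```python
import hashlib
import hmac


def mpi(n: int) -> bytes:
    """OTR multi-precision integer: 4-byte big-endian length, then the
    value in big-endian with no leading zero bytes."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return len(raw).to_bytes(4, "big") + raw


def otr_fingerprint(p: int, q: int, g: int, y: int) -> str:
    """SHA-1 over the DSA public key serialized as the MPIs p, q, g, y.
    For DSA keys (type 0x0000) the two type bytes are not hashed."""
    digest = hashlib.sha1(mpi(p) + mpi(q) + mpi(g) + mpi(y)).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def normalise(fingerprint: str) -> str:
    """Drop spacing and case differences; reject anything that is not 40 hex digits."""
    cleaned = "".join(fingerprint.split()).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError("an OTR fingerprint is exactly 40 hex digits")
    return cleaned


def fingerprints_match(shown_by_client: str, received_out_of_band: str) -> bool:
    """Compare the fingerprint the client displays for the buddy with the one
    the buddy gave you over a separate, trusted channel."""
    return hmac.compare_digest(normalise(shown_by_client),
                               normalise(received_out_of_band))


# Constructed toy DSA parameters (far too small for real use).
BUDDY_KEY = dict(p=23, q=11, g=4, y=8)
IMPOSTOR_KEY = dict(p=23, q=11, g=4, y=9)

if __name__ == "__main__":
    expected = otr_fingerprint(**BUDDY_KEY)      # read to you by the buddy
    print("expected :", expected)
    for label, key in (("buddy", BUDDY_KEY), ("impostor", IMPOSTOR_KEY)):
        shown = otr_fingerprint(**key)           # what the chat window shows
        print(f"{label:9}:", shown, "match" if fingerprints_match(shown, expected) else "MISMATCH")
```

Every one of the 40 digits has to match; a different key, even one that differs in a single parameter, produces an unrelated fingerprint.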

File Management & File Sharing

Firefox Send file services.

If you share a file, you first need to clean its metadata. On TAILS this is very easy: just right-click the file and select clean metadata.

Open the TOR browser and go to send.firefox.com

Firefox Send lets you share files with end-to-end encryption and a link that automatically expires. So you can keep what you share private and make sure your stuff doesn’t stay online forever. ​

When you create a link to the encrypted file, you can see that the URL contains the key. This key is generated on the client side, so Firefox doesn't have this key and can't see the content of the file.

We know the file is encrypted and decrypted on the client side, so the server does not know the decryption key.

But we can't really trust that this code will never change.

What if a hacker gains access to Firefox servers and modifies the way this code works? So we still have to trust that server.

One more thing to add: for the service to work, it uses client-side code to encrypt and decrypt the files.

Therefore you need to have your security settings on low or medium for it to work, because the client-side code that does all of this work is JavaScript code, and the high security level, as we know, disables JavaScript. You might not want to use a medium or standard security setting, because it doesn't fit your threat model.

So again, this is another problem with using this service, but in general, if you have something that is not very sensitive, then this could be a nice and quick way to share files.

Peer-to-peer - OnionShare

OnionShare is an open-source tool that lets you securely and anonymously share a file of any size.

  • Peer-to-peer.
  • Files stored locally.
  • End-to-end encryption.
  • More private.
  • Benefits from the TOR Network’s anonymity. ​

Using this on TAILS is very simple: right-click on the file and choose "share with OnionShare". You will then get an OnionShare URL on a .onion domain, and you can send the link through a secure messaging or mail service.

You can go to OnionShare and stop sharing, after which the link will no longer work.

You can start and stop sharing anytime you want.

With this method, the files will not be placed on any computer that you do not have control over.

Thanks to: https://www.udemy.com/share/1022QQAEsfeVpWTH4=/