• TheparishofChigwell@sh.itjust.works
    link
    fedilink
    arrow-up
    3
    ·
    15 days ago

    I tried looking at dreadforum to see how markets work nowadays and found out in a minute I was viewing a mirror that was injecting links

    I think I’ll just ask a dude on the street at this point

    But then again I am in a country where that would work with 0 negative consequences for me as the user

    • hirihit640@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      3
      ·
      15 days ago

      Doesn’t dread’s captcha force you to check the url? Afaik it makes you fill in specific parts of the url, so that you check that the url you are using is the same one they are using. Curious how the mirror was able to bypass that.

      Regardless I just spent some initial investment saving the pgp public keys and making sure they are legit, so that I can use them to verify dread’s mirrors.txt whenever needed. Faster than walking out to the street imo

      • TheparishofChigwell@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        ·
        13 days ago

        It’s my first actual visit, and I did what apparently is the obvious faux pas

        I googled for dreadforum link, was pointed towards one shown at https://dreadforum.io/

        I entered it into tor browser, no captcha was shown and I landed directly on the site/mirror.

        The one post I read, something concerning validation and opsec on markets or dreadforum, had an explanation that if the text they wrote in hyphens differed from the url right under it I was already viewing a mirror, as they spelled out a link.

        That was true, the url shown was darkmyurl dot com instead of the actual link spelled out hyphenated.

        I was humbled, and have now learned that even asking for the true php keys from you right now is submitting to defeat. The only good opsec seems to be your own

        • hirihit640@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          2
          ·
          5 hours ago

          honestly, I wouldn’t be so hard on yourself. This stuff is way harder than people think. People don’t realize how hard it is to establish trust starting from none. Normally you type a website into Google, and Google has already done the work for determining which website is the legit one and which is the shady phishing site, and will filter out the shady site. This convenience does not exist for darknet sites, so you just have to establish trust yourself.

          even asking for the true php keys from you right now is submitting to defeat

          not necessarily. You can get the pgp keys from random strangers online. It’s just not the only source you should rely on. Get it from multiple sources and then verify if they are all the same. If they are, think to yourself how likely it is that all 3 sources are actually the same attacker giving you a fake key.

          DM me if you’re actually interested in the pgp key and I’ll dig it up from my notes