just gratitude and beginners babbling really :)

hi there. wanted to say thanx for running such an awesome service first of all, explain a little about how i got my setup currently rigged and maybe ask a question or 2 if that's cool.

basically i'm currently sending an ssl wrapped, network locked airvpn through my killswitched tor snoop box, so that i can change tor exit points easily each time i start up my ubuntu gaming rig and avoid at least some of the latency lost if the exit point of the tor chain were further away. i've also got my browser dns rigged for https quad9 (coz i'm naturally paranoid) lol.

the first question i had was aside from obviously not torrenting while i have things set up this way round, are there any further security no-nos for a largely uneducated layman like me to be aware of?

the second question i had though isn't anything to do with my setup in a practical sense, i was just curious why most vpn providers still use 4096 rsa keys when u could use stronger keys running the likes of openssh on your own server.

obviously i know very little about how you would go about running and hardening your own ssh setup, just couldn't help wondering

the first question i had was aside from obviously not torrenting while i have things set up this way round, are there any further security no-nos for a largely uneducated layman like me to be aware of?

A sense of false security is worse than no security at all. Ask yourself: For the purpose of playing a few rounds of CSGO/Apex/whatever with my friends, do I really need Tor in between? As a layman, do I really need such a complicated networking setup? Remember that 20% of effort accounts for 80% of the effects, the other 20% not addressed are likely in the targeted attacks category already.
the second question i had though isn't anything to do with my setup in a practical sense, i was just curious why most vpn providers still use 4096 rsa keys when u could use stronger keys running the likes of openssh on your own server.

RSA is not used in the encryption of either the control or the data channel of OpenVPN, so using 8192 bits won't raise security at all. All those keys are doing here, as they do in OpenSSH, is identity authentication, or the answer to the question: Is this key known?
Besides, if you want to upgrade your SSH game, don't increase RSA key size, consider using Curve25519 altogether, in OpenSSH known as ed25519; quicker to work with but very similar strength despite much smaller key sizes.
obviously i know very little about how you would go about running and hardening your own ssh setup, just couldn't help wondering

Are we talking about SSH or OpenVPN here? Forum is "General & Suggestions", so I assumed OpenVPN.


i should have been more clear in how i asked my questions n phrased stuff with how/why i've set stuff up this way, my fault entirely.

i'm mostly just using ssl air through tor in order to protect my clearnet activity, as i tend to prefer clearnet search results to the purposefully obfuscated n sometimes scary results you can get with the darknet search engines.

didn't mean i was gonna play online with all this encryption, i mostly just play offline AAA stuff on steam anyways. only mentioned ubuntu to highlight how i prefer to use it to set my tor exit relatively local.

thanks for the info though, i had no idea rsa was only to authenticate keys and not encrypt data.

one more thing though, would i be correct in assuming that if i use one of the more uncensored clearnet search engines out there, i'd still technically be accessing the less indexed deep web sites, but not the onion dark web?

i get a little muddled in my definitions

one more thing though, would i be correct in assuming that if i use one of the more uncensored clearnet search engines out there

Define censorship. As long as you can find what once happened on Tiananmen Square in China, who Snowden is and footage from LiveLeak, nothing is censored. You may even find explicit pornography and scenes of murder on Google and Bing nowadays. What you won't find is child porn, but I'd be very careful in calling this an act of censorship.
i'd still technically be accessing the less indexed deep web sites, but not the onion dark web?

It's in the nature of the deep/hidden web to not have been indexed. That's why it's called hidden. No amount of "uncensored" search engines will help you here since they all work in a similar way. Some info simply can't be indexed for search engines, like databases. But it is true, DuckDuckGo won't ever find info on .onion hosts. It may find mentions of .onion addresses in the clearnet, though.


The RSA key is essential to encrypt the TLS handshake. See also https://security.stackexchange.com/questions/205184/when-is-an-rsa-key-used-in-tls-handshake

RSA keys smaller than 2048 bit are considered insecure and currently 1024 bit RSA keys can be quickly cracked. 2048 bit size is considered secure, while 4096 bit size is so secure that further increasing this size is not recommended nowadays, as it would dramatically increase handshake time and computation load (a thing that becomes relevant on the server side, where you might suddenly have a hundred handshakes concurrently).

Some search engines perform good attempts to index onion hidden services, although you can't be guaranteed you'll find everything there is in the hidden web.

While search engines like Google Search index more than 70% of all the estimated 3 billion pages of the "surface" World Wide Web, which in turn is estimated to contain less than 1% of all the information on the Internet (less than 1% might sound insufficient but it is anyway a huge amount), you should expect lower efficiency in search engines like https://darknetsearch.io - also consider that the "Deep Web" (which the onion services are a small fraction of) according to some researchers is about 500 times bigger than the "surface" web (other researchers claim it's 40 times bigger, not 500).

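The two replies above describe the RSA key's place in the handshake in different words. As an added illustration (not code from either poster, AirVPN or OpenVPN, and not a real protocol), here is a toy signed ephemeral key exchange in the shape TLS and OpenVPN use: the long-term RSA key only signs the ephemeral key shares, so a peer can check "is this key known?", while the key that actually protects the data channel is derived from the ephemeral Diffie-Hellman exchange. The RSA primes, the DH group and the HMAC-based "stream cipher" are all constructed, far too small for real use, and exist only to make the data flow visible.

```python
"""Toy signed ephemeral key exchange (constructed example, not secure).

The long-term RSA key SIGNS the handshake transcript (authentication only).
The data-channel key comes from the ephemeral Diffie-Hellman shares, so the
RSA key size has no influence on the symmetric key that encrypts traffic.
Textbook RSA with tiny primes and a tiny DH group: illustration only.
"""
import hashlib
import hmac
import secrets

# Constructed toy parameters (far too small for real use).
DH_P = 170141183460469231731687303715884105727  # 2**127 - 1, a Mersenne prime
DH_G = 3
RSA_P, RSA_Q = 1000000007, 998244353             # small primes, textbook RSA only


def rsa_keygen(p=RSA_P, q=RSA_Q, e=65537):
    """Return (public, private) as ((n, e), (n, d)) for textbook RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest_int(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest_int(msg, n), d, n)


def rsa_verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(msg, n)


def dh_keypair():
    """Fresh ephemeral exponent and public share for one handshake."""
    x = secrets.randbelow(DH_P - 2) + 1
    return x, pow(DH_G, x, DH_P)


def derive_session_key(shared: int, transcript: bytes) -> bytes:
    """HKDF-extract style: the key depends on the DH secret and the transcript,
    never on the RSA key."""
    return hmac.new(transcript, shared.to_bytes(16, "big"), hashlib.sha256).digest()


def handshake(server_pub, server_priv, substitute_share=False):
    """Run one handshake and return what each side ends up with.

    With substitute_share=True the client receives a share that the server
    never signed; the signature check must then fail and the keys diverge."""
    c_priv, c_share = dh_keypair()
    s_priv, s_share = dh_keypair()
    transcript = c_share.to_bytes(16, "big") + s_share.to_bytes(16, "big")
    sig = rsa_sign(server_priv, transcript)      # the ONLY use of the RSA key
    s_share_seen = dh_keypair()[1] if substitute_share else s_share
    seen_transcript = c_share.to_bytes(16, "big") + s_share_seen.to_bytes(16, "big")
    authentic = rsa_verify(server_pub, seen_transcript, sig)
    client_key = derive_session_key(pow(s_share_seen, c_priv, DH_P), seen_transcript)
    server_key = derive_session_key(pow(c_share, s_priv, DH_P), transcript)
    return {"authentic": authentic, "client_key": client_key, "server_key": server_key}


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy data channel: HMAC-SHA256 counter keystream XORed with the data.
    Symmetric, so the same call encrypts and decrypts. Only shows that traffic
    is protected by the derived key, not by RSA."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    result = handshake(pub, priv)
    print("signature valid:", result["authentic"],
          "| session keys match:", result["client_key"] == result["server_key"])
    print("rejected substituted share:", not handshake(pub, priv, True)["authentic"])
```

Swapping `rsa_keygen` for larger primes changes only the signature arithmetic; `derive_session_key` and `stream_xor` never see the RSA key, which is the point both replies are making about where key size does and does not matter.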
wow man. i had heard about lower rsa key strengths being crackable now which is kind of why i was curious.
must admit though reading anything about how vast the deep web actually could be compared to what most joe publics see in their day to day google usage just melts my brain lol.

as for me bringing up the subject of censorship, i never meant all evil shit should be a free flowing thing. bringing up the subject of child porn is a straw man argument to me. the dictionary definition of censorship should be free of ideological interpretations, just saying :P

Actually, early child porn censorship is catastrophic, because:
  • it warns criminals that their content has been detected and become a target, allowing them to put in place early counter-measures which may compromise future investigations and cause more atrocious suffering to the victims
  • it is seen as an early and urgent mitigation measure, sufficient by itself, de-prioritizing or cancelling victim identification and arrest of criminals
  • it is used as political fluff to show the public that effective actions are performed

According to the above, the investigations must follow the opposite direction, that is: FIRST you try to identify and put the victims to safety, follow the cash flow and arrest the criminals, investigate further ramifications and perform additional arrests; THEN, as a very final stage when nobody can be prematurely alerted anymore, you censor the content. Relying on censorship is once again plain stupid or hints at connivance. And always be very careful when someone wants to suppress some human right in the name of "child protection", "security against threats of any kind" and so on and so forth, because History teaches that such actions imply a sinister, hidden agenda.


shit dude. the knowledge u just dropped there kind of freaks me out man.
i mean in one fell swoop u just did 3 crazy things for my head n questions i had.

1) highlighted why there's a reactionary impulse to fake rendered shit that may be tasteless but doesn't involve any human victims
2) why that's not really doing shit to help actual victims
3) how the system tends to operate broken on purpose, not even stopping these evil as fuck gangs that operate proper child porn sites, instead opting to gaslight the masses

that's heavy shit man. i don't pretend to know even half the behind the scenes knowledge that u clearly read into.... MIND BLOWN

