TOR HIDDEN SERVICE

http://vaultu7dxw5bbg37.onion


The hidden service

To protect our users privacy and security, we have set up a Tor hidden service. If you use Tor to access LiteVault, it's EXTREMELY IMPORTANT that you use our Hidden Service URL rather than accessing the normal URL. Below you will find an explanation of what can happen if you continue to use the regular URL over Tor, and why our hidden service protects you from this.


The Problem

When you request a clearnet (non .onion address) through Tor, the request goes through three (can be changed) tor relays, one of which is an exit node.

The first node knows your IP address, but they can't see what you're sending (it's encrypted), the exit node does NOT know your IP, but they CAN see what you're sending (they can decrypt it). This allows the exit node to forward your request to the server you're accessing (e.g. litevault.net).

Not only can the exit node see your traffic, they can also manipulate it. This means it's possible for them to serve you a non-SSL version of our website, bypassing our measures to prevent that happening.

WITHOUT Tor, your browser saves a header we send called HTTP Strict Transport Security, or HSTS for short. This header tells your browser to NEVER try to access LiteVault without SSL, and if the SSL certificate changes (our proof that we are the real owners of LiteVault.net), you will get a big warning telling you that something bad is happening.

The problem with Tor happens primarily due to the Tor Browser Bundle. The Tor browser is configured to be highly anonymous, but because of this, it does NOT remember HSTS headers. This means once you close Tor Browser, it forgets that we told it to NEVER try to access our site without SSL. This means even if you've accessed the site using SSL previously, if you close the browser and come back at another time and your first request to the site goes through a malicious exit node, they can send you a fake version of LiteVault, or even inject malicious Javascript to steal your passwords, as well as modify our Javascript to remove any safeguards.


The solution

To solve this problem, we now detect users who are accessing our site on the clearnet via Tor and we show them a big red banner informing them that they are NOT secure, and that they must use our hidden service to prevent them losing their coins.(See image below)

Unlike clearnet URLs (like LiteVault.net), Tor Nodes CANNOT manipulate hidden services. This means when you access our site via the official hidden service URL (vaultu7dxw5bbg37.onion), your connection is fully encrypted from your browser, to our servers, and cannot be intercepted or modified by malicious Tor nodes.


The short of it

If you’re using Tor to access LiteVault, use the hidden service url. If you don’t, you risk your wallet being stolen.