Be careful with XMPP - leakage, MITM possible : OpSec | Torhoo darknet markets

You can follow any advice on client-side XMPP setup, but the main issue with the protocol is not your endpoint. The issue is the XMPP protocol itself and the related infrastructure.

There are two things you want to conceal:

1. the content of the message (privacy setup),
2. your identity (anonymity setup)

Please don't confuse the two.

Privacy
is ensured on XMPP with OTR or OMEMO encryption. The issue is that the key exchange between the communicating parties is not foolproof. You both MUST check the fingerprints through a separate secure channel. At scale, this is not practiced. If you don't check them properly, the underlying XMPP infrastructure allows the adversary to MITM you and read your messages.

Anonymity
is ensured with Tor here. Tor tries to conceal your IP only and nothing more. But Tor, as a low-latency network, cannot protect you from revealing your behavioral patterns, your social graph, your login and logout times, the number of messages sent and received at any time, the sender and receiver of the messages, their precise volume and so on to the XMPP server and to any adversary that can monitor that server.

Our advice is - don't use XMPP at all if possible, and use something more resistant like SimpleX, Briar, CWTCH... and similar solutions that mitigate those leaks and diminish, or even make impossible, the related attacks from active as well as passive adversaries.

Fly safe!
Asfaleia Security Consulting
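The MITM described in the post above, as an added example that is not part of the original post or of any XMPP client: two parties run an unauthenticated Diffie-Hellman exchange through a relay that stands in for the XMPP server. An honest relay forwards the public keys; a malicious relay substitutes its own and ends up holding a working session key with each side. Both runs look identical to the clients; only comparing fingerprints over a separate channel tells them apart. The group (the Mersenne prime 2^127 - 1 with generator 3) is a toy chosen so the script runs instantly with the standard library only; real OTR/OMEMO sessions use Curve25519, and the fingerprint format here is an assumption.

```python
import hashlib
import secrets

P = (1 << 127) - 1   # toy prime (2^127 - 1); assumption for the demo, NOT for production use
G = 3                # generator for the toy group


def fingerprint(pub: int) -> str:
    """Short fingerprint of a public key, as a client would show it to the user."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]


class Party:
    """One chat participant holding an ephemeral DH key pair."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.peer_pub = None        # whatever the server delivered as the peer's key
        self.session_key = None

    def accept_peer_key(self, peer_pub: int) -> None:
        """Derive the session key from the key the server claims belongs to the peer."""
        self.peer_pub = peer_pub
        shared = pow(peer_pub, self.priv, P)
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()


def honest_server(alice_pub: int, bob_pub: int):
    """Forwards each key untouched. Returns (key delivered to Bob, key delivered to Alice, attacker)."""
    return alice_pub, bob_pub, None


def mitm_server(alice_pub: int, bob_pub: int):
    """Substitutes its own keys in both directions and keeps a session key with each side."""
    face_alice = Party("mallory-facing-alice")
    face_bob = Party("mallory-facing-bob")
    face_alice.accept_peer_key(alice_pub)   # Mallory's session with Alice
    face_bob.accept_peer_key(bob_pub)       # Mallory's session with Bob
    # Bob receives Mallory's key labelled "Alice"; Alice receives Mallory's key labelled "Bob".
    return face_bob.pub, face_alice.pub, (face_alice, face_bob)


def run_exchange(server):
    """Run one key exchange through the given server and report what each side can observe."""
    alice, bob = Party("alice"), Party("bob")
    to_bob, to_alice, attacker = server(alice.pub, bob.pub)
    alice.accept_peer_key(to_alice)
    bob.accept_peer_key(to_bob)
    # Out-of-band check: each side reads the other the fingerprint it sees,
    # and compares it with the fingerprint of the key the other actually generated.
    verified = (fingerprint(alice.peer_pub) == fingerprint(bob.pub)
                and fingerprint(bob.peer_pub) == fingerprint(alice.pub))
    return {
        "same_session_key": alice.session_key == bob.session_key,
        "fingerprints_verified": verified,
        "attacker_reads_alice": attacker is not None and attacker[0].session_key == alice.session_key,
        "attacker_reads_bob": attacker is not None and attacker[1].session_key == bob.session_key,
    }


if __name__ == "__main__":
    print("honest server:", run_exchange(honest_server))
    print("mitm server:  ", run_exchange(mitm_server))
```

In the MITM run both clients finish the handshake without error and encrypt happily; the only visible symptom is that the fingerprint Alice's client shows for "Bob" is not the one Bob's client shows for himself, which is exactly what the out-of-band comparison catches.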
/u/PeevedPlatypus
2 points
1 year ago
Can you explain what makes the ones you suggested (SimpleX, Briar, etc.) more capable of mitigating those attacks? Assume I have very little technical knowledge when it comes to this subject and need it explained to me like I'm an idiot.
/u/JasonWallace
1 point
1 year ago
Yeah, assume I don't know anything. I definitely do know it, but just for everyone else, can you explain it for idiots?
Sure.

SimpleX in general:

- No user IDs, no identities, therefore it is not possible for an adversary to spy on a "user". By design, there is no user.
- Unidirectional messages: outgoing messages go through a different channel than incoming messages.
- Incognito mode: for every contact you get in touch with, it looks like you are someone else. No social graph available.
- Message integrity verification: if the adversary were able to add a message, the SimpleX protocol finds out locally and alerts you.
- Message mixing: the Tor network is a low-latency network and an observer can correlate the messages flowing through it. SimpleX mixes the messages so the queue is not FIFO; if 5 messages come into the queue they can easily leave it in 2, 5, 1, 4, 3 order, frustrating timing analysis.
- Content padding: every message is padded to the same size, frustrating message-size analysis.

Briar and CWTCH are pure P2P protocols and, while they exclude servers from the process, the disadvantages compared to SimpleX are significant. Both use unique IDs, do no message mixing, no content padding, no incognito mode, no unidirectional messages. They can of course be used, but only for specific situations.
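The size and timing analysis the reply above says mixing and padding are meant to frustrate, as an added example that is not SimpleX's code and not part of the original thread. An observer sitting at the server sees only encrypted envelopes, but it sees their sizes and their order. With raw sizes and FIFO forwarding it links every outgoing envelope to exactly one incoming one; with sender-side padding to a fixed size and batch reordering (the 2, 5, 1, 4, 3 order quoted above) every outgoing envelope has as many plausible origins as there are messages in the batch, and the FIFO guess is mostly wrong. The message sizes and the padding block size are constructed for the demo.

```python
from dataclasses import dataclass

PAD_TO = 512   # fixed on-the-wire size after padding; assumed value for the demo


@dataclass(frozen=True)
class Envelope:
    msg_id: int   # ground truth, known only to the demo so the observer can be scored
    size: int     # bytes as seen on the wire (ciphertext, content unreadable)


# Constructed batch: five encrypted messages with distinct plaintext-derived sizes.
BATCH = [Envelope(i, s) for i, s in enumerate([73, 410, 128, 297, 189], start=1)]
MIX_ORDER = (2, 5, 1, 4, 3)   # 1-based output positions, the example order from the reply


def pad(size: int) -> int:
    """Round a size up to the next multiple of PAD_TO, so all small messages look alike."""
    return -(-size // PAD_TO) * PAD_TO


def send(batch, padded: bool):
    """What the server sees arriving: raw sizes, or sizes already padded by the sender."""
    return [Envelope(m.msg_id, pad(m.size) if padded else m.size) for m in batch]


def relay(inbound, mix: bool):
    """What the server emits: same order (FIFO) or the batch reordered by MIX_ORDER."""
    if not mix:
        return list(inbound)
    return [inbound[p - 1] for p in MIX_ORDER]


def observer_link(inbound, outbound):
    """An observer's best effort: match each outgoing envelope to incoming ones by size,
    and otherwise assume the k-th out is the k-th in (FIFO).
    Returns (mean candidates per outgoing envelope, fraction of FIFO guesses that are right)."""
    candidate_counts = []
    fifo_hits = 0
    for k, out in enumerate(outbound):
        candidates = [m for m in inbound if m.size == out.size]
        candidate_counts.append(len(candidates))
        if inbound[k].msg_id == out.msg_id:
            fifo_hits += 1
    return sum(candidate_counts) / len(outbound), fifo_hits / len(outbound)


def scenario(padded: bool, mix: bool):
    inbound = send(BATCH, padded)
    outbound = relay(inbound, mix)
    ambiguity, fifo_accuracy = observer_link(inbound, outbound)
    return {"mean_candidates": ambiguity, "fifo_accuracy": fifo_accuracy}


if __name__ == "__main__":
    print("plain XMPP-style relay:   ", scenario(padded=False, mix=False))
    print("padded + mixed relay:     ", scenario(padded=True, mix=True))
```

Padding alone leaves the FIFO link intact and mixing alone leaves the size link intact, which is why the two are listed together; run `scenario(True, False)` and `scenario(False, True)` to see each signal survive on its own. Messages larger than PAD_TO would still fall into distinguishable size classes, so a real implementation has to split or pad to a maximum, not just round up.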
SimpleX is centralised & proprietary. Why are you pushing it so hard? Why not put this on -> /d/simplex where it belongs?
Educate yourself more. OpSec-related stuff belongs here. The article is not about SimpleX but about the dangers of the XMPP protocol. Does XMPP belong in the simplex sub?
Educate yourself more. OpSec-related stuff belongs here. The article promotes SimpleX by spreading FUD about the dangers of the XMPP protocol. Does XMPP belong in the XMPP sub?
Post it here, like you know you should (you can crosspost to OpSec too) -> /d/xmpp
Are you a sockpuppet account set up by /u/Asfaleia to generate a fake dialogue about this topic? move it to -> /d/simplex
FUD?

You are not an "our" or an "us" or a "we", please stop pretending that you are - it's irritating and untrue. You are not an infosec group.

DO NOT ADVISE PEOPLE TO USE CENTRALISED PROPRIETARY APPS OVER XMPP, THEY ARE NOT SAFER AT ALL EVER.
Stop spreading bullshit. SimpleX, Briar and CWTCH are Free and Open Source. They are in no way proprietary. As a clairvoyant, knowing who is who on the darknet, you should know those basics ;)
Well, I knew you'd bite eventually... but you started spreading FUD about XMPP with a low-effort, no-technical-content post.
https://www.youtube.com/watch?v=aIWai4acAhw

I never claimed to be a clairvoyant, and that's not what clairvoyants do anyway, but a simple 5-minute search would tell you that /d/simplex is funded by Big Tech venture capital -> "you should know those basics": /post/152c0bb58baab881c039

The US government funds Cwtch and Briar via proxies, but you and your imaginary consultancy should know that.

Post your claims with specific supporting technical sources on /d/xmpp, like this: /post/f8a7443f6e921a2115da
...and stop ranting and panting, claiming and flaming like an amateur police neckbeard.
You are a very desperate LEO. No bonuses for you guys. Educate yourself more, you are making an idiot of yourself, again.

You spread bullshit about the proprietary and centralized character of SimpleX, Briar and CWTCH. You have no idea what those terms mean. So again, and slowly - all of the above tools are fully open source (not proprietary) and decentralized (not centralized). Period. You spread FUD and bullshit because you don't understand the total basics.

Now that your bullshit argument about SimpleX, Briar and CWTCH being proprietary and centralized has failed, you come up with bullshit about the financing of the projects. More irrelevant bullshit.

All the above projects clearly state their financing sources. No different from the Tor you use to spread this bullshit here. Tor was created and funded by the US government to enable their agents in the field to communicate securely. Everyone else is just a decoy.

None of it matters. The main point is whether the code is free and open source. And it is free and open source. This is what matters, and the design can be checked by everyone and proven to be safe. Prove otherwise if you wish.

Stop with these imbecile attempts to confuse people. They can read and know the basics. And if they don't, we teach them.
You are a very desperate LEO. You are not a "we", and you don't teach anything, you just keep pretending that you do on here, but whenever you are pressed for a technical answer you go quiet, because you don't know anything.