"Joan Battaglia" wrote in message
news:4weUi.17176$JD.3743@newssvr21.news.prodigy.ne t...
> Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
> anonymous web browsing.
>
> When I log into an https email web page, I assume my password is protected
> from snoopers on the Tor network itself. That is, I assume the https
> encryption prevents a rogue Tor server itself from seeing my password.
>
> But - what about if I have to log into a web page that does not have an
> https encrypted login method? Is Tor now compromised? Am I now sending my
> password in the clear to a Tor server which "could" be a rogue Tor server?
>
> Is my password still secure when logging into an http account with
> Tor/Privoxy running?

Since you are now using a proxy, and because the proxy can pretend to
be the target site, and because the proxy could establish the SSL
connect with you and then an SSL connect to the target site (so both
use SSL but not directly to each other), now you have to trust the
proxy doesn't intercept your SSL request and won't pretend to be the
target site. Do you really trust Tor with your bank login? Do you
know what Tor proxy you are using and who operates it? Anything
between you and the target site can be an interceptor SSL proxy but
there's less chance it will be your ISP or the backbone that they use.
With Tor, well, who knows who is running each of its peer hosts. The
Tor servers are run by volunteers, not by your ISP or your bank. As I
recall, a Blue Coat proxy can do SSL interception.
http://arstechnica.com/news.ars/post...passwords.html
It suggests using encryption (SSL); however, that still doesn't
prevent the Tor server user from intercepting. You get anonymity, not
necessarily security, with P2P networks. However, even if there were
no such interception, using SSL means the target knows the source.
With P2P, there are more unknown hosts you pass through, more chances
for man-in-the-middle attacks.
http://xiandos.info/Tor
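
An added illustration, not part of either poster's message: the sketch below classifies the bytes that leave the last Tor relay toward the destination and lists what is readable in them, for a plain-HTTP login versus a TLS application-data record. The host name, credentials and ciphertext bytes are constructed sample data, and the TLS case assumes the browser validated the site's certificate.

```python
from urllib.parse import parse_qs

# Constructed sample traffic (not captured from any real site).
HTTP_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 32\r\n"
    b"\r\n"
    b"user=joan&password=correct-horse"
)
# TLS 1.2 application_data record: 5-byte header + 32 bytes of opaque ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")


def exit_relay_view(payload: bytes) -> dict:
    """Report which request fields are readable to whoever forwards these bytes."""
    # TLS record header: content type (1), version major 0x03 (1), minor (1), length (2).
    # Login forms travel in application_data records, which are ciphertext;
    # a ClientHello (handshake) can still reveal the server name, not parsed here.
    if len(payload) >= 5 and payload[0] in TLS_TYPES and payload[1] == 3:
        return {"protocol": "tls", "record": TLS_TYPES[payload[0]],
                "opaque_bytes": int.from_bytes(payload[3:5], "big"),
                "readable": {}}
    if payload.startswith(HTTP_METHODS):
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        parts = lines[0].split(" ")
        headers = {k.strip().lower(): v.strip() for k, v in
                   (line.split(":", 1) for line in lines[1:] if ":" in line)}
        readable = {"method": parts[0],
                    "path": parts[1] if len(parts) > 1 else "",
                    "host": headers.get("host")}
        ctype = headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("iso-8859-1"))
            readable["form"] = {k: v[0] for k, v in form.items()}
        return {"protocol": "http", "readable": readable}
    return {"protocol": "unknown", "readable": {}}


if __name__ == "__main__":
    for name, data in (("http login", HTTP_LOGIN), ("https record", TLS_RECORD)):
        print(name, "->", exit_relay_view(data))
```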

