How safe is Tor for logging into http (nont https) web sites

[Joan Battaglia]

Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
anonymous web browsing.

When I log into an https email web page, I assume my password is protected
from snoopers on the Tor network itself. That is, I assume the https
encryption prevents a rogue Tor server itself from seeing my password.

But - what about if I have to log into a web page that does not have an
https encrypted login method? Is Tor now compromised? Am I now sending my
password in the clear to a Tor server which "could" be a rogue Tor server?

Is my password still secure when logging into an http account with
Tor/Privoxy running?

[Krazee Brenda]

On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:

> Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
> anonymous web browsing.
>
> When I log into an https email web page, I assume my password is
protected
> from snoopers on the Tor network itself. That is, I assume the https
> encryption prevents a rogue Tor server itself from seeing my password.

Nopeware.

> But - what about if I have to log into a web page that does not have an
> https encrypted login method? Is Tor now compromised? Am I now sending my
> password in the clear to a Tor server which "could" be a rogue Tor
server?
>
> Is my password still secure when logging into an http account with
> Tor/Privoxy running?

Secure is relative.

[Anonymous Sender]

Krazee Brenda wrote:

> On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:
>
> > Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
> > anonymous web browsing.
> >
> > When I log into an https email web page, I assume my password is
> protected
> > from snoopers on the Tor network itself. That is, I assume the https
> > encryption prevents a rogue Tor server itself from seeing my password.
>
> Nopeware.

You're wrong about that. As long as you haven't borked up your security
settings and told your browser to not warn you about bad/changed SSL
certificates you're fine. Tor is no different than any other encrypted
connection. SSL will encrypt your passwords and such end to end unless
you break it somehow. And it IS up to you to pay attention, whether or
not you're using Tor.

>
> > But - what about if I have to log into a web page that does not have an
> > https encrypted login method? Is Tor now compromised? Am I now sending my
> > password in the clear to a Tor server which "could" be a rogue Tor
> server?
> >
> > Is my password still secure when logging into an http account with
> > Tor/Privoxy running?
>
> Secure is relative.

Maybe by some yardsticks and in context, but there's still definably
good security, and nonexistent security. Tor is the former as long as
you understand it and use it properly.

[Krazee Brenda]

On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:

> Krazee Brenda wrote:
>
>> On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:
>>
>>> Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
>>> anonymous web browsing.
>>>
>>> When I log into an https email web page, I assume my password is
>> protected
>>> from snoopers on the Tor network itself. That is, I assume the https
>>> encryption prevents a rogue Tor server itself from seeing my password.
>>
>> Nopeware.
>
> You're wrong about that. As long as you haven't borked up your security
> settings and told your browser to not warn you about bad/changed SSL
> certificates you're fine. Tor is no different than any other encrypted
> connection. SSL will encrypt your passwords and such end to end unless
> you break it somehow. And it IS up to you to pay attention, whether or
> not you're using Tor.

As long as you haven't tried to cross an Interstate at rush hour, you'll
be safe too.

Illogicware
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

[Anonymous]

Krazee Brenda wrote:

> On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:
>
> > Krazee Brenda wrote:
> >
> >> On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:
> >>
> >>> Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
> >>> anonymous web browsing.
> >>>
> >>> When I log into an https email web page, I assume my password is
> >> protected
> >>> from snoopers on the Tor network itself. That is, I assume the https
> >>> encryption prevents a rogue Tor server itself from seeing my password.
> >>
> >> Nopeware.
> >
> > You're wrong about that. As long as you haven't borked up your security
> > settings and told your browser to not warn you about bad/changed SSL
> > certificates you're fine. Tor is no different than any other encrypted
> > connection. SSL will encrypt your passwords and such end to end unless
> > you break it somehow. And it IS up to you to pay attention, whether or
> > not you're using Tor.
>
> As long as you haven't tried to cross an Interstate at rush hour, you'll
> be safe too.

A pretty good analogy. I'll put it into proper perspective for you...

Crossing the freeway at rush hour demands willful action and
abandonment of common sense. There's prescribed crossing points called
traffic lights, and in most jurisdictions not using them is actually
punishable by a fine.

Likewise default browser settings, which all warn you about forged and
broken SSL certificates. You have to purposefully do something like
click past several dialogs warning you about your bad decisions, adopt a
policy of not paying any attention to the warnings, or "wander
aimlessly out into the busy street", if you wish. :-)

IOW, in both scenarios the real danger is the person doing something
wantonly stupid. That's why foot traffic is prohibited on major
thruways in fact... to protect stupid people from themselves. I don't
know if that philosophy scales to browser settings though. ;-)

[Krazee Brenda]

On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:

>>
>>> But - what about if I have to log into a web page that does not have an
>>> https encrypted login method? Is Tor now compromised? Am I now sending my
>>> password in the clear to a Tor server which "could" be a rogue Tor
>> server?
>>>
>>> Is my password still secure when logging into an http account with
>>> Tor/Privoxy running?
>>
>> Secure is relative.
>
> Maybe by some yardsticks and in context, but there's still definably
> good security, and nonexistent security. Tor is the former as long as
> you understand it and use it properly.

Security is lightswitchware. On or none.
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

[Anonymous Sender]

Krazee Brenda wrote:

> On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:
>
> >>
> >>> But - what about if I have to log into a web page that does not have an
> >>> https encrypted login method? Is Tor now compromised? Am I now sending my
> >>> password in the clear to a Tor server which "could" be a rogue Tor
> >> server?
> >>>
> >>> Is my password still secure when logging into an http account with
> >>> Tor/Privoxy running?
> >>
> >> Secure is relative.
> >
> > Maybe by some yardsticks and in context, but there's still definably
> > good security, and nonexistent security. Tor is the former as long as
> > you understand it and use it properly.
>
> Security is lightswitchware. On or none.

Nonsensical gibberish. Considering the fact that there's no such thing
as perfect security your theory crumbles on principal alone. And any
real student of secure methods can tell you that security is a proper
application of resources to a given situation, not a one size fits all
blanket you can throw over something to guarantee it stays warm in all
weather.

[VanguardLH]

"Joan Battaglia" wrote in message
news:4weUi.17176$JD.3743@newssvr21.news.prodigy.ne t...
> Thanks to you all, I was able to install Tor/Vidalia/Privoxy
> freeware for
> anonymous web browsing.
>
> When I log into an https email web page, I assume my password is
> protected
> from snoopers on the Tor network itself. That is, I assume the https
> encryption prevents a rogue Tor server itself from seeing my
> password.
>
> But - what about if I have to log into a web page that does not have
> an
> https encrypted login method? Is Tor now compromised? Am I now
> sending my
> password in the clear to a Tor server which "could" be a rogue Tor
> server?
>
> Is my password still secure when logging into an http account with
> Tor/Privoxy running?


Since you are now using a proxy, and because the proxy can pretend to
be the target site, and because the proxy could establish the SSL
connect with you and then an SSL connect to the target site (so both
use SSL but not directly to each other), now you have to trust the
proxy doesn't intercept your SSL request and won't pretend to be the
target site. Do you really trust Tor with you bank login? Do you
know what Tor proxy you are using and who operates it? Anything
between you and the target site can be an interceptor SSL proxy but
there's less chance it will be your ISP or the backbone that they use.
With Tor, well, who knows who is running each of its peer hosts. The
Tor servers are ran by volunteers, not by your ISP or your bank. As I
recall, a bluecoat proxy can do SSL interception.

http://arstechnica.com/news.ars/post...passwords.html

It suggests using encryption (SSL); however, that still doesn't
prevent the Tor server user from intercepting. You get anonymity, not
necessarily security, with P2P networks. However, even if there were
no such interception, using SSL means the target knows the source.
With P2P, there are more unknown hosts you pass through, more chances
for man-in-the-middle attacks.

http://xiandos.info/Tor

[Krazee Brenda]

On Fri, 26 Oct 2007 03:35:03 -0500, VanguardLH wrote:

>> Is my password still secure when logging into an http account with
>> Tor/Privoxy running?
>
> Since you are now using a proxy, and because the proxy can pretend to
> be the target site, and because the proxy could establish the SSL
> connect with you and then an SSL connect to the target site (so both
> use SSL but not directly to each other), now you have to trust the
> proxy doesn't intercept your SSL request and won't pretend to be the
> target site. Do you really trust Tor with you bank login? Do you
> know what Tor proxy you are using and who operates it? Anything
> between you and the target site can be an interceptor SSL proxy but
> there's less chance it will be your ISP or the backbone that they use.
> With Tor, well, who knows who is running each of its peer hosts. The
> Tor servers are ran by volunteers, not by your ISP or your bank. As I
> recall, a bluecoat proxy can do SSL interception.
>
> http://arstechnica.com/news.ars/post...passwords.html
>
> It suggests using encryption (SSL); however, that still doesn't
> prevent the Tor server user from intercepting. You get anonymity, not
> necessarily security, with P2P networks. However, even if there were
> no such interception, using SSL means the target knows the source.
> With P2P, there are more unknown hosts you pass through, more chances
> for man-in-the-middle attacks.

Tel that to Mr. Anonymous, the Knower Of All Things
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

[Anonymous Sender]

Krazee Brenda wrote:

> On Fri, 26 Oct 2007 03:35:03 -0500, VanguardLH wrote:
>
> >> Is my password still secure when logging into an http account with
> >> Tor/Privoxy running?
> >
> > Since you are now using a proxy, and because the proxy can pretend to
> > be the target site, and because the proxy could establish the SSL
> > connect with you and then an SSL connect to the target site (so both
> > use SSL but not directly to each other), now you have to trust the
> > proxy doesn't intercept your SSL request and won't pretend to be the
> > target site. Do you really trust Tor with you bank login? Do you
> > know what Tor proxy you are using and who operates it? Anything
> > between you and the target site can be an interceptor SSL proxy but
> > there's less chance it will be your ISP or the backbone that they use.
> > With Tor, well, who knows who is running each of its peer hosts. The
> > Tor servers are ran by volunteers, not by your ISP or your bank. As I
> > recall, a bluecoat proxy can do SSL interception.
> >
> > http://arstechnica.com/news.ars/post...passwords.html
> >
> > It suggests using encryption (SSL); however, that still doesn't
> > prevent the Tor server user from intercepting. You get anonymity, not
> > necessarily security, with P2P networks. However, even if there were
> > no such interception, using SSL means the target knows the source.
> > With P2P, there are more unknown hosts you pass through, more chances
> > for man-in-the-middle attacks.

By their very nature P2P networks aren't susceptible to MITM attacks.
There's no need of course because there's nothing to learn that's not
public knowledge, but more to the point at hand nothing is relayed past
that second "P". That's why they're called "points".

> Tel that to Mr. Anonymous, the Knower Of All Things

There's a lot of ignorance and outright FUD regarding security being
perpetrated by people who know very little about it. Those of us who
actually have studied the subject in depth simply like to set the
record straight.

If that upsets you it speaks more to your particular level of education
than mental state than anything else.

Is it safe to trust your bank account to a Tor node operator? Of course
not. That's just a blatantly silly question. You shouldn't trust anyone
with that sort of information. Using Tor to access your bank account is
irrelevant in most applications anyway. Your bank knows who you are
already by your login.

Still, there are conceivable situations where Tor and banks together
can be useful. The "Chinese dissident" scenario, where an oppressive
regime even knowing you're managing funds outside their control might
cause you much grief. For that application Tor is ideal. It masks both
what you're doing and where you're doing it at from anyone on your end
of the Tor network. And your identity from observers on the other end.
To secure the actual information you're transferring you need to encrypt
the connection end to end, but that's a hard fact regardless of whether
Tor is in the mix or not.

Tor and SSL are to completely different tools for two completely
different jobs. Sometimes they compliment each other, sometimes they're
irrlevant to each other, and yes, sometimes they can even oppose each
other. It's up to the user to learn the mostly simple principals that
allow them to recognize which tool is best suited to which job, and
avoid the pitfalls of using the wrong tool.