
Thread: How safe is Tor for logging into http (non-https) web sites

  1. #1
    Joan Battaglia Guest

    How safe is Tor for logging into http (non-https) web sites

    Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
    anonymous web browsing.

    When I log into an https email web page, I assume my password is protected
    from snoopers on the Tor network itself. That is, I assume the https
    encryption prevents a rogue Tor server itself from seeing my password.

    But - what about if I have to log into a web page that does not have an
    https encrypted login method? Is Tor now compromised? Am I now sending my
    password in the clear to a Tor server which "could" be a rogue Tor server?

    Is my password still secure when logging into an http account with
    Tor/Privoxy running?

  2. #2
    Krazee Brenda Guest

    Re: How safe is Tor for logging into http (non-https) web sites

    On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:

    > Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
    > anonymous web browsing.
    >
    > When I log into an https email web page, I assume my password is protected
    > from snoopers on the Tor network itself. That is, I assume the https
    > encryption prevents a rogue Tor server itself from seeing my password.


    Nopeware.

    > But - what about if I have to log into a web page that does not have an
    > https encrypted login method? Is Tor now compromised? Am I now sending my
    > password in the clear to a Tor server which "could" be a rogue Tor server?
    >
    > Is my password still secure when logging into an http account with
    > Tor/Privoxy running?


    Secure is relative.

  3. #3
    VanguardLH Guest

    Re: How safe is Tor for logging into http (non-https) web sites

    "Joan Battaglia" wrote in message
    news:4weUi.17176$JD.3743@newssvr21.news.prodigy.ne t...
    > Thanks to you all, I was able to install Tor/Vidalia/Privoxy
    > freeware for
    > anonymous web browsing.
    >
    > When I log into an https email web page, I assume my password is
    > protected
    > from snoopers on the Tor network itself. That is, I assume the https
    > encryption prevents a rogue Tor server itself from seeing my
    > password.
    >
    > But - what about if I have to log into a web page that does not have
    > an
    > https encrypted login method? Is Tor now compromised? Am I now
    > sending my
    > password in the clear to a Tor server which "could" be a rogue Tor
    > server?
    >
    > Is my password still secure when logging into an http account with
    > Tor/Privoxy running?



    Since you are now using a proxy, and because the proxy can pretend to
    be the target site, and because the proxy could establish the SSL
    connect with you and then an SSL connect to the target site (so both
    use SSL but not directly to each other), now you have to trust the
    proxy doesn't intercept your SSL request and won't pretend to be the
    target site. Do you really trust Tor with your bank login? Do you
    know what Tor proxy you are using and who operates it? Anything
    between you and the target site can be an interceptor SSL proxy but
    there's less chance it will be your ISP or the backbone that they use.
    With Tor, well, who knows who is running each of its peer hosts. The
    Tor servers are run by volunteers, not by your ISP or your bank. As I
    recall, a bluecoat proxy can do SSL interception.

    http://arstechnica.com/news.ars/post...passwords.html

    It suggests using encryption (SSL); however, that still doesn't
    prevent the Tor server user from intercepting. You get anonymity, not
    necessarily security, with P2P networks. However, even if there were
    no such interception, using SSL means the target knows the source.
    With P2P, there are more unknown hosts you pass through, more chances
    for man-in-the-middle attacks.

    http://xiandos.info/Tor


  4. #4
    Anonymous Sender Guest

    Re: How safe is Tor for logging into http (non-https) web sites

    Krazee Brenda wrote:

    > On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:
    >
    > > Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
    > > anonymous web browsing.
    > >
    > > When I log into an https email web page, I assume my password is protected
    > > from snoopers on the Tor network itself. That is, I assume the https
    > > encryption prevents a rogue Tor server itself from seeing my password.

    >
    > Nopeware.


    You're wrong about that. As long as you haven't borked up your security
    settings and told your browser to not warn you about bad/changed SSL
    certificates you're fine. Tor is no different than any other encrypted
    connection. SSL will encrypt your passwords and such end to end unless
    you break it somehow. And it IS up to you to pay attention, whether or
    not you're using Tor.

    >
    > > But - what about if I have to log into a web page that does not have an
    > > https encrypted login method? Is Tor now compromised? Am I now sending my
    > > password in the clear to a Tor server which "could" be a rogue Tor server?
    > >
    > > Is my password still secure when logging into an http account with
    > > Tor/Privoxy running?

    >
    > Secure is relative.


    Maybe by some yardsticks and in context, but there's still definably
    good security, and nonexistent security. Tor is the former as long as
    you understand it and use it properly.


  5. #5
    Sulasno Guest

    Re: How safe is Tor for logging into http (non-https) web sites

    never use Tor for internet banking

    "Joan Battaglia" <joanmaxwell@sbcglobal.net> wrote in message
    news:4weUi.17176$JD.3743@newssvr21.news.prodigy.ne t...
    > Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
    > anonymous web browsing.
    >
    > When I log into an https email web page, I assume my password is protected
    > from snoopers on the Tor network itself. That is, I assume the https
    > encryption prevents a rogue Tor server itself from seeing my password.
    >
    > But - what about if I have to log into a web page that does not have an
    > https encrypted login method? Is Tor now compromised? Am I now sending my
    > password in the clear to a Tor server which "could" be a rogue Tor server?
    >
    > Is my password still secure when logging into an http account with
    > Tor/Privoxy running?




  6. #6
    Krazee Brenda Guest

    Re: How safe is Tor for logging into http (non-https) web sites

    On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:

    > Krazee Brenda wrote:
    >
    >> On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:
    >>
    >>> Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
    >>> anonymous web browsing.
    >>>
    >>> When I log into an https email web page, I assume my password is protected
    >>> from snoopers on the Tor network itself. That is, I assume the https
    >>> encryption prevents a rogue Tor server itself from seeing my password.

    >>
    >> Nopeware.

    >
    > You're wrong about that. As long as you haven't borked up your security
    > settings and told your browser to not warn you about bad/changed SSL
    > certificates you're fine. Tor is no different than any other encrypted
    > connection. SSL will encrypt your passwords and such end to end unless
    > you break it somehow. And it IS up to you to pay attention, whether or
    > not you're using Tor.


    As long as you haven't tried to cross an Interstate at rush hour, you'll
    be safe too.

    Illogicware
    --
    "I drink lots of water, know how to make bee's wax candles, play with
    clay, eat mangoes nude, give great massages."

  7. #7
    Krazee Brenda Guest

    Re: How safe is Tor for logging into http (non-https) web sites

    On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:

    >>
    >>> But - what about if I have to log into a web page that does not have an
    >>> https encrypted login method? Is Tor now compromised? Am I now sending my
    >>> password in the clear to a Tor server which "could" be a rogue Tor server?
    >>>
    >>> Is my password still secure when logging into an http account with
    >>> Tor/Privoxy running?

    >>
    >> Secure is relative.

    >
    > Maybe by some yardsticks and in context, but there's still definably
    > good security, and nonexistent security. Tor is the former as long as
    > you understand it and use it properly.


    Security is lightswitchware. On or none.
    --
    "I drink lots of water, know how to make bee's wax candles, play with
    clay, eat mangoes nude, give great massages."

  8. #8
    Krazee Brenda Guest

    Re: How safe is Tor for logging into http (non-https) web sites

    On Fri, 26 Oct 2007 03:35:03 -0500, VanguardLH wrote:

    >> Is my password still secure when logging into an http account with
    >> Tor/Privoxy running?

    >
    > Since you are now using a proxy, and because the proxy can pretend to
    > be the target site, and because the proxy could establish the SSL
    > connect with you and then an SSL connect to the target site (so both
    > use SSL but not directly to each other), now you have to trust the
    > proxy doesn't intercept your SSL request and won't pretend to be the
    > target site. Do you really trust Tor with you bank login? Do you
    > know what Tor proxy you are using and who operates it? Anything
    > between you and the target site can be an interceptor SSL proxy but
    > there's less chance it will be your ISP or the backbone that they use.
    > With Tor, well, who knows who is running each of its peer hosts. The
    > Tor servers are ran by volunteers, not by your ISP or your bank. As I
    > recall, a bluecoat proxy can do SSL interception.
    >
    > http://arstechnica.com/news.ars/post...passwords.html
    >
    > It suggests using encryption (SSL); however, that still doesn't
    > prevent the Tor server user from intercepting. You get anonymity, not
    > necessarily security, with P2P networks. However, even if there were
    > no such interception, using SSL means the target knows the source.
    > With P2P, there are more unknown hosts you pass through, more chances
    > for man-in-the-middle attacks.


    Tell that to Mr. Anonymous, the Knower Of All Things
    --
    "I drink lots of water, know how to make bee's wax candles, play with
    clay, eat mangoes nude, give great massages."

  9. #9
    Anonymous Sender Guest

    Re: How safe is Tor for logging into http (non-https) web sites

    VanguardLH wrote:

    > "Joan Battaglia" wrote in message
    > news:4weUi.17176$JD.3743@newssvr21.news.prodigy.ne t...
    > > Thanks to you all, I was able to install Tor/Vidalia/Privoxy
    > > freeware for
    > > anonymous web browsing.
    > >
    > > When I log into an https email web page, I assume my password is
    > > protected
    > > from snoopers on the Tor network itself. That is, I assume the https
    > > encryption prevents a rogue Tor server itself from seeing my
    > > password.
    > >
    > > But - what about if I have to log into a web page that does not have
    > > an
    > > https encrypted login method? Is Tor now compromised? Am I now
    > > sending my
    > > password in the clear to a Tor server which "could" be a rogue Tor
    > > server?
    > >
    > > Is my password still secure when logging into an http account with
    > > Tor/Privoxy running?

    >
    >
    > Since you are now using a proxy, and because the proxy can pretend to
    > be the target site, and because the proxy could establish the SSL
    > connect with you and then an SSL connect to the target site (so both
    > use SSL but not directly to each other), now you have to trust the
    > proxy doesn't intercept your SSL request and won't pretend to be the
    > target site.


    No, you do not. If you have the certificate for a given site installed
    on your machine, and don't turn off basic security, you'll get errors
    and dialogs galore if a Tor node tried to launch a monkey in the middle
    attack.

    > Do you really trust Tor with you bank login?


    No. Nor do I trust my ISP, their ISP, a backbone ISP, my bank's ISP,
    or anyone else with my bank login. I don't even particularly trust my
    bank site itself to be real honest, but I have no choice. The rest,
    though, I can remove from the loop by using strong encryption.


    > Do you
    > know what Tor proxy you are using and who operates it?


    Do you traceroute your connection to your bank so that you know every
    hop between you and there, then research who runs those?

    > Anything
    > between you and the target site can be an interceptor SSL proxy but
    > there's less chance it will be your ISP or the backbone that they use.


    Why? Are you suggesting that ISPs and backbone providers are immune to
    hiring bad people, or that bad people are somehow lacking some quality
    that allows them to work along the backbone?

    Would you be surprised to discover that by some definitions of "bad"
    that ISP and/or backbone provider isn't only the more logical choice
    for a point of attack, it's almost necessary?

    > With Tor, well, who knows who is running each of its peer hosts. The
    > Tor servers are ran by volunteers, not by your ISP or your bank. As I
    > recall, a bluecoat proxy can do SSL interception.
    >
    > http://arstechnica.com/news.ars/post...passwords.html



    You do realize that *none* of those passwords were intercepted from
    encrypted connections, right?

    Simple common sense would have prevented 100% of this.

    >
    > It suggests using encryption (SSL); however, that still doesn't
    > prevent the Tor server user from intercepting.


    Yes. It does.

    > You get anonymity, not
    > necessarily security, with P2P networks. However, even if there were
    > no such interception, using SSL means the target knows the source.


    No, it does not. The connection is still anonymous if made through the
    Tor network.

    > With P2P, there are more unknown hosts you pass through, more chances
    > for man-in-the-middle attacks.
    >
    > http://xiandos.info/Tor


    "Tor does not prevent you, or the software programs you are using, from
    giving the other site of the anonymous TCP-stream information which
    compromises your anonymity."

    "Never enter passwords over unencrypted Tor-connections, only send
    passwords and other information over https connections (This applies to
    all Internet usage, not only Tor)."

    That pretty much sums it up.

    >



  10. #10
    Anonymous Sender Guest

    Re: How safe is Tor for logging into http (non-https) web sites

    Krazee Brenda wrote:

    > On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:
    >
    > >>
    > >>> But - what about if I have to log into a web page that does not have an
    > >>> https encrypted login method? Is Tor now compromised? Am I now sending my
    > >>> password in the clear to a Tor server which "could" be a rogue Tor
    > >> server?
    > >>>
    > >>> Is my password still secure when logging into an http account with
    > >>> Tor/Privoxy running?
    > >>
    > >> Secure is relative.

    > >
    > > Maybe by some yardsticks and in context, but there's still definably
    > > good security, and nonexistent security. Tor is the former as long as
    > > you understand it and use it properly.

    >
    > Security is lightswitchware. On or none.


    Nonsensical gibberish. Considering the fact that there's no such thing
    as perfect security your theory crumbles on principle alone. And any
    real student of secure methods can tell you that security is a proper
    application of resources to a given situation, not a one size fits all
    blanket you can throw over something to guarantee it stays warm in all
    weather.









