How safe is Tor for logging into http (nont https) web sites

[Joan Battaglia]

On Fri, 26 Oct 2007 20:51:05 +0000 (UTC), Anonymous Sender wrote:

>> http://arstechnica.com/news.ars/post...passwords.html
> You do realize that *none* of those passwords were intercepted from
> encrypted connections, right?
> Simple common sense would have prevented 100% of this.

I'm soooooo confused by all the details! Sorry.

It seems you are saying two things here (are you?)
1. Using http://mail.yahoo.com is not safe over a Tor network
(because the Tor operator gets your password every time)
2. Using https://mail.yahoo.com is safe (is it?)

The whole point of this question was to ask if http(s) protected my
password from recreant Tor operators. Does it or does it not?

[Joan Battaglia]

On Fri, 26 Oct 2007 2010 +0100, Doctor Who wrote:
On Fri, 26 Oct 2007 2010 +0100, Doctor Who wrote:
> I would strongly urge you never to use Tor for login to your Bank account.

I'm more worried about my email account.
The basic question I am asking is this.

Given that using Tor to access http-based email accounts (eg
http://mail.yahoo.com) is KNOWN to be passing your password to the Tor
operator - the question was if using https-based email (eg
https://mail.google.com) provided any protection of the password from the
rogue Tor operator.

Sorry for not understanding. Can a one-word answer suffice?

Does https protect the password from Tor - or not?

[Andy Walker]

Joan Battaglia wrote:

>the question was if using https-based email (eg
>https://mail.google.com) provided any protection of the password from the
>rogue Tor operator.

Not if the Tor proxy provides the encryption for the mail.google.com
site. In which case the Tor site would establish an encrypted session
with your browser, decrypt the traffic as it passes through their
servers, and then re-encrypt the traffic as they establish the
connection to mail.google.com. Unless you are absolutely certain that
the certificate your browser is using to encrypt the session with is
from the intended destination, there a possibility that everything you
send is being recorded.

[Ari]

On Sat, 27 Oct 2007 17:07:26 +0100, Doctor Who wrote:

>>On Fri, 26 Oct 2007 21:01:04 +0000 (UTC), Anonymous Sender wrote:
>>
>>> Is it safe to trust your bank account to a Tor node operator? Of course
>>> not. That's just a blatantly silly question. You shouldn't trust anyone
>>> with that sort of information. Using Tor to access your bank account is
>>> irrelevant in most applications anyway. Your bank knows who you are
>>> already by your login.
>>
>>No one knows who you are by any login. All anyone knows is that someone, or
>>thing, has logged in. Period.
>>
>>What an oxymoronic thing for you to say. Mr. Anonymous. lol
>
> My Bank account offers me a higher rate of interest provided I login via the
> Internet at least once every 6 weeks. This suggests they must have some
> way of knowing I have used Internet Banking.

Static IP? Cookie? Both?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

[Ari]

On Sat, 27 Oct 2007 17:16:42 GMT, Joan Battaglia wrote:

> On Fri, 26 Oct 2007 21:07:50 -0500, VanguardLH wrote:
>
>> Don't trust your bank accounts, online buying, PayPal, login
>> passwords, or any other privacy data over Tor. What you send to the
>> target site is obviously available to a Tor operator, too.
>
> I'm not sure I understand the bottom line.
> Are you saying BOTH http and https are compromised when one uses a Tor?
>
> In other words, does Tor give us anonymity but not privacy?
> Or, can we use https for the privacy and http for the anonymity?
>
> Sorry I'm confused.

Depending on the ferocity level of an adversary, Tor can give you both
or neither.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

[Krazee Brenda]

On Fri, 26 Oct 2007 21:07:50 -0500, VanguardLH wrote:

> SSL interception proxy. They exist. Some are used to interrogate the
> content of your traffic to determine if it is appropriate for the
> company. Well, they can't look at the content unless they did the
> man-in-the-middle interception. They don't bother to decrypt your
> traffic. They just intercept it by making you think they were the
> target you intended to hit. Can SSL be subverted by clever criminals?
> "If you're talking about a scenario where they spoof a Web site, the
> answer is yes," said Tim Callan, Group Product Marketing Manager for
> VeriSign.

Comcastware
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

[Krazee Brenda]

On Sat, 27 Oct 2007 10:28:46 +0000 (UTC), Anonymous Sender wrote:

>> Don't trust your bank accounts, online buying, PayPal, login
>> passwords, or any other privacy data over Tor. What you send to the
>> target site is obviously available to a Tor operator, too.
>>
>
> Baloney. There's perfectly good reasons for conducting sensitive
> business through Tor, in fact certain scenarios within that context are
> the reasons Tor exists in teh first place. And there's secure ways of
> doing just that. All you need to do is learn some basics, and pay
> attention to any warnigns or errors you get.

Here's mustard for your Baloneyware.

http://www.derangedsecurity.com/
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

[Ari]

On Sat, 27 Oct 2007 17:14:51 +0200 (CEST), Anonymous wrote:

>> No one knows *who you are* by any login. All anyone knows is that someone, or
>> thing, has logged in. Period.
>
> ROTFL!
>
> Sure, if an account is logged into it could always be an evil alien
> toaster or something.
>
> You're an idiot.

Tell me, be exact, O Knowit****ingAll, exactly, how the hell by logging
in only does a website know *who* logged in?

Then when you screw yourself into a fit, because there is no answer,
I'll be happy to teach you.

Get out your secured credit card first.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

[Ari]

On Sat, 27 Oct 2007 16:23:34 +0200 (CEST), Anonymous wrote:

>> So here how this works out. I actually deal on a daily basis with those
>
> You don't deal with squat.

Then you either can't read, comprehend or use Google (Groups). None of
the three surprise me one damn bit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

[Ari]

On Sat, 27 Oct 2007 13:54:59 -0400, Andy Walker wrote:

> Joan Battaglia wrote:
>
>>the question was if using https-based email (eg
>>https://mail.google.com) provided any protection of the password from the
>>rogue Tor operator.
>
> Not if the Tor proxy provides the encryption for the mail.google.com
> site. In which case the Tor site would establish an encrypted session
> with your browser, decrypt the traffic as it passes through their
> servers, and then re-encrypt the traffic as they establish the
> connection to mail.google.com. Unless you are absolutely certain that
> the certificate your browser is using to encrypt the session with is
> from the intended destination, there a possibility that everything you
> send is being recorded.

Recirded, yes, read, less probable.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/