Krazee Brenda wrote:

> On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:
>
> > Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
> > anonymous web browsing.
> >
> > When I log into an https email web page, I assume my password is
> protected
> > from snoopers on the Tor network itself. That is, I assume the https
> > encryption prevents a rogue Tor server itself from seeing my password.
>
> Nopeware.

You're wrong about that. As long as you haven't borked up your security
settings and told your browser to not warn you about bad/changed SSL
certificates you're fine. Tor is no different than any other encrypted
connection. SSL will encrypt your passwords and such end to end unless
you break it somehow. And it IS up to you to pay attention, whether or
not you're using Tor.

>
> > But - what about if I have to log into a web page that does not have an
> > https encrypted login method? Is Tor now compromised? Am I now sending my
> > password in the clear to a Tor server which "could" be a rogue Tor
> server?
> >
> > Is my password still secure when logging into an http account with
> > Tor/Privoxy running?
>
> Secure is relative.

Maybe by some yardsticks and in context, but there's still definably
good security, and nonexistent security. Tor is the former as long as
you understand it and use it properly.