How safe is Tor for logging into http (nont https) web sites

[Krazee Brenda]

On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:

> Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
> anonymous web browsing.
>
> When I log into an https email web page, I assume my password is
protected
> from snoopers on the Tor network itself. That is, I assume the https
> encryption prevents a rogue Tor server itself from seeing my password.

Nopeware.

> But - what about if I have to log into a web page that does not have an
> https encrypted login method? Is Tor now compromised? Am I now sending my
> password in the clear to a Tor server which "could" be a rogue Tor
server?
>
> Is my password still secure when logging into an http account with
> Tor/Privoxy running?

Secure is relative.

[Anonymous Sender]

Krazee Brenda wrote:

> On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:
>
> > Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
> > anonymous web browsing.
> >
> > When I log into an https email web page, I assume my password is
> protected
> > from snoopers on the Tor network itself. That is, I assume the https
> > encryption prevents a rogue Tor server itself from seeing my password.
>
> Nopeware.

You're wrong about that. As long as you haven't borked up your security
settings and told your browser to not warn you about bad/changed SSL
certificates you're fine. Tor is no different than any other encrypted
connection. SSL will encrypt your passwords and such end to end unless
you break it somehow. And it IS up to you to pay attention, whether or
not you're using Tor.

>
> > But - what about if I have to log into a web page that does not have an
> > https encrypted login method? Is Tor now compromised? Am I now sending my
> > password in the clear to a Tor server which "could" be a rogue Tor
> server?
> >
> > Is my password still secure when logging into an http account with
> > Tor/Privoxy running?
>
> Secure is relative.

Maybe by some yardsticks and in context, but there's still definably
good security, and nonexistent security. Tor is the former as long as
you understand it and use it properly.

[Krazee Brenda]

On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:

> Krazee Brenda wrote:
>
>> On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:
>>
>>> Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
>>> anonymous web browsing.
>>>
>>> When I log into an https email web page, I assume my password is
>> protected
>>> from snoopers on the Tor network itself. That is, I assume the https
>>> encryption prevents a rogue Tor server itself from seeing my password.
>>
>> Nopeware.
>
> You're wrong about that. As long as you haven't borked up your security
> settings and told your browser to not warn you about bad/changed SSL
> certificates you're fine. Tor is no different than any other encrypted
> connection. SSL will encrypt your passwords and such end to end unless
> you break it somehow. And it IS up to you to pay attention, whether or
> not you're using Tor.

As long as you haven't tried to cross an Interstate at rush hour, you'll
be safe too.

Illogicware
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

[Anonymous]

Krazee Brenda wrote:

> On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:
>
> > Krazee Brenda wrote:
> >
> >> On Fri, 26 Oct 2007 05:00:48 GMT, Joan Battaglia wrote:
> >>
> >>> Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
> >>> anonymous web browsing.
> >>>
> >>> When I log into an https email web page, I assume my password is
> >> protected
> >>> from snoopers on the Tor network itself. That is, I assume the https
> >>> encryption prevents a rogue Tor server itself from seeing my password.
> >>
> >> Nopeware.
> >
> > You're wrong about that. As long as you haven't borked up your security
> > settings and told your browser to not warn you about bad/changed SSL
> > certificates you're fine. Tor is no different than any other encrypted
> > connection. SSL will encrypt your passwords and such end to end unless
> > you break it somehow. And it IS up to you to pay attention, whether or
> > not you're using Tor.
>
> As long as you haven't tried to cross an Interstate at rush hour, you'll
> be safe too.

A pretty good analogy. I'll put it into proper perspective for you...

Crossing the freeway at rush hour demands willful action and
abandonment of common sense. There's prescribed crossing points called
traffic lights, and in most jurisdictions not using them is actually
punishable by a fine.

Likewise default browser settings, which all warn you about forged and
broken SSL certificates. You have to purposefully do something like
click past several dialogs warning you about your bad decisions, adopt a
policy of not paying any attention to the warnings, or "wander
aimlessly out into the busy street", if you wish. :-)

IOW, in both scenarios the real danger is the person doing something
wantonly stupid. That's why foot traffic is prohibited on major
thruways in fact... to protect stupid people from themselves. I don't
know if that philosophy scales to browser settings though. ;-)

[Krazee Brenda]

On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:

>>
>>> But - what about if I have to log into a web page that does not have an
>>> https encrypted login method? Is Tor now compromised? Am I now sending my
>>> password in the clear to a Tor server which "could" be a rogue Tor
>> server?
>>>
>>> Is my password still secure when logging into an http account with
>>> Tor/Privoxy running?
>>
>> Secure is relative.
>
> Maybe by some yardsticks and in context, but there's still definably
> good security, and nonexistent security. Tor is the former as long as
> you understand it and use it properly.

Security is lightswitchware. On or none.
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

[Anonymous Sender]

Krazee Brenda wrote:

> On Fri, 26 Oct 2007 10:00:17 +0000 (UTC), Anonymous Sender wrote:
>
> >>
> >>> But - what about if I have to log into a web page that does not have an
> >>> https encrypted login method? Is Tor now compromised? Am I now sending my
> >>> password in the clear to a Tor server which "could" be a rogue Tor
> >> server?
> >>>
> >>> Is my password still secure when logging into an http account with
> >>> Tor/Privoxy running?
> >>
> >> Secure is relative.
> >
> > Maybe by some yardsticks and in context, but there's still definably
> > good security, and nonexistent security. Tor is the former as long as
> > you understand it and use it properly.
>
> Security is lightswitchware. On or none.

Nonsensical gibberish. Considering the fact that there's no such thing
as perfect security your theory crumbles on principal alone. And any
real student of secure methods can tell you that security is a proper
application of resources to a given situation, not a one size fits all
blanket you can throw over something to guarantee it stays warm in all
weather.