How safe is Tor for logging into http (nont https) web sites

[VanguardLH]

"Joan Battaglia" wrote in message
news:4weUi.17176$JD.3743@newssvr21.news.prodigy.ne t...
> Thanks to you all, I was able to install Tor/Vidalia/Privoxy
> freeware for
> anonymous web browsing.
>
> When I log into an https email web page, I assume my password is
> protected
> from snoopers on the Tor network itself. That is, I assume the https
> encryption prevents a rogue Tor server itself from seeing my
> password.
>
> But - what about if I have to log into a web page that does not have
> an
> https encrypted login method? Is Tor now compromised? Am I now
> sending my
> password in the clear to a Tor server which "could" be a rogue Tor
> server?
>
> Is my password still secure when logging into an http account with
> Tor/Privoxy running?


Since you are now using a proxy, and because the proxy can pretend to
be the target site, and because the proxy could establish the SSL
connect with you and then an SSL connect to the target site (so both
use SSL but not directly to each other), now you have to trust the
proxy doesn't intercept your SSL request and won't pretend to be the
target site. Do you really trust Tor with you bank login? Do you
know what Tor proxy you are using and who operates it? Anything
between you and the target site can be an interceptor SSL proxy but
there's less chance it will be your ISP or the backbone that they use.
With Tor, well, who knows who is running each of its peer hosts. The
Tor servers are ran by volunteers, not by your ISP or your bank. As I
recall, a bluecoat proxy can do SSL interception.

http://arstechnica.com/news.ars/post...passwords.html

It suggests using encryption (SSL); however, that still doesn't
prevent the Tor server user from intercepting. You get anonymity, not
necessarily security, with P2P networks. However, even if there were
no such interception, using SSL means the target knows the source.
With P2P, there are more unknown hosts you pass through, more chances
for man-in-the-middle attacks.

http://xiandos.info/Tor

[Krazee Brenda]

On Fri, 26 Oct 2007 03:35:03 -0500, VanguardLH wrote:

>> Is my password still secure when logging into an http account with
>> Tor/Privoxy running?
>
> Since you are now using a proxy, and because the proxy can pretend to
> be the target site, and because the proxy could establish the SSL
> connect with you and then an SSL connect to the target site (so both
> use SSL but not directly to each other), now you have to trust the
> proxy doesn't intercept your SSL request and won't pretend to be the
> target site. Do you really trust Tor with you bank login? Do you
> know what Tor proxy you are using and who operates it? Anything
> between you and the target site can be an interceptor SSL proxy but
> there's less chance it will be your ISP or the backbone that they use.
> With Tor, well, who knows who is running each of its peer hosts. The
> Tor servers are ran by volunteers, not by your ISP or your bank. As I
> recall, a bluecoat proxy can do SSL interception.
>
> http://arstechnica.com/news.ars/post...passwords.html
>
> It suggests using encryption (SSL); however, that still doesn't
> prevent the Tor server user from intercepting. You get anonymity, not
> necessarily security, with P2P networks. However, even if there were
> no such interception, using SSL means the target knows the source.
> With P2P, there are more unknown hosts you pass through, more chances
> for man-in-the-middle attacks.

Tel that to Mr. Anonymous, the Knower Of All Things
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

[Anonymous Sender]

Krazee Brenda wrote:

> On Fri, 26 Oct 2007 03:35:03 -0500, VanguardLH wrote:
>
> >> Is my password still secure when logging into an http account with
> >> Tor/Privoxy running?
> >
> > Since you are now using a proxy, and because the proxy can pretend to
> > be the target site, and because the proxy could establish the SSL
> > connect with you and then an SSL connect to the target site (so both
> > use SSL but not directly to each other), now you have to trust the
> > proxy doesn't intercept your SSL request and won't pretend to be the
> > target site. Do you really trust Tor with you bank login? Do you
> > know what Tor proxy you are using and who operates it? Anything
> > between you and the target site can be an interceptor SSL proxy but
> > there's less chance it will be your ISP or the backbone that they use.
> > With Tor, well, who knows who is running each of its peer hosts. The
> > Tor servers are ran by volunteers, not by your ISP or your bank. As I
> > recall, a bluecoat proxy can do SSL interception.
> >
> > http://arstechnica.com/news.ars/post...passwords.html
> >
> > It suggests using encryption (SSL); however, that still doesn't
> > prevent the Tor server user from intercepting. You get anonymity, not
> > necessarily security, with P2P networks. However, even if there were
> > no such interception, using SSL means the target knows the source.
> > With P2P, there are more unknown hosts you pass through, more chances
> > for man-in-the-middle attacks.

By their very nature P2P networks aren't susceptible to MITM attacks.
There's no need of course because there's nothing to learn that's not
public knowledge, but more to the point at hand nothing is relayed past
that second "P". That's why they're called "points".

> Tel that to Mr. Anonymous, the Knower Of All Things

There's a lot of ignorance and outright FUD regarding security being
perpetrated by people who know very little about it. Those of us who
actually have studied the subject in depth simply like to set the
record straight.

If that upsets you it speaks more to your particular level of education
than mental state than anything else.

Is it safe to trust your bank account to a Tor node operator? Of course
not. That's just a blatantly silly question. You shouldn't trust anyone
with that sort of information. Using Tor to access your bank account is
irrelevant in most applications anyway. Your bank knows who you are
already by your login.

Still, there are conceivable situations where Tor and banks together
can be useful. The "Chinese dissident" scenario, where an oppressive
regime even knowing you're managing funds outside their control might
cause you much grief. For that application Tor is ideal. It masks both
what you're doing and where you're doing it at from anyone on your end
of the Tor network. And your identity from observers on the other end.
To secure the actual information you're transferring you need to encrypt
the connection end to end, but that's a hard fact regardless of whether
Tor is in the mix or not.

Tor and SSL are to completely different tools for two completely
different jobs. Sometimes they compliment each other, sometimes they're
irrlevant to each other, and yes, sometimes they can even oppose each
other. It's up to the user to learn the mostly simple principals that
allow them to recognize which tool is best suited to which job, and
avoid the pitfalls of using the wrong tool.

[Ari]

On Fri, 26 Oct 2007 21:01:04 +0000 (UTC), Anonymous Sender wrote:

> Is it safe to trust your bank account to a Tor node operator? Of course
> not. That's just a blatantly silly question. You shouldn't trust anyone
> with that sort of information. Using Tor to access your bank account is
> irrelevant in most applications anyway. Your bank knows who you are
> already by your login.

No one knows who you are by any login. All anyone knows is that someone, or
thing, has logged in. Period.

What an oxymoronic thing for you to say. Mr. Anonymous. lol

[Anonymous]

Ari wrote:

> On Fri, 26 Oct 2007 21:01:04 +0000 (UTC), Anonymous Sender wrote:
>
> > Is it safe to trust your bank account to a Tor node operator? Of course
> > not. That's just a blatantly silly question. You shouldn't trust anyone
> > with that sort of information. Using Tor to access your bank account is
> > irrelevant in most applications anyway. Your bank knows who you are
> > already by your login.
>
> No one knows who you are by any login. All anyone knows is that someone, or
> thing, has logged in. Period.

ROTFL!

Sure, if an account is logged into it could always be an evil alien
toaster or something.

You're an idiot.

>
> What an oxymoronic thing for you to say. Mr. Anonymous. lol

[Ari]

On Sat, 27 Oct 2007 17:14:51 +0200 (CEST), Anonymous wrote:

>> No one knows *who you are* by any login. All anyone knows is that someone, or
>> thing, has logged in. Period.
>
> ROTFL!
>
> Sure, if an account is logged into it could always be an evil alien
> toaster or something.
>
> You're an idiot.

Tell me, be exact, O Knowit****ingAll, exactly, how the hell by logging
in only does a website know *who* logged in?

Then when you screw yourself into a fit, because there is no answer,
I'll be happy to teach you.

Get out your secured credit card first.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

[Ari]

On Fri, 26 Oct 2007 21:01:04 +0000 (UTC), Anonymous Sender wrote:

> > Tel that to Mr. Anonymous, the Knower Of All Things
>
> There's a lot of ignorance and outright FUD regarding security being
> perpetrated by people who know very little about it. Those of us who
> actually have studied the subject in depth simply like to set the
> record straight.
>
> If that upsets you it speaks more to your particular level of education
> than mental state than anything else.

I don't get upset when Know-It-Alls know less than much. Humored? Now
that's another discussion.

So here how this works out. I actually deal on a daily basis with those
things you expound to have studied. Let's see here. Which is better? A med
student with an over-inflated value of his bookworms or the medical doctor
who actually sees patients?

I don't know. Help?

[Anonymous]

Ari wrote:

> On Fri, 26 Oct 2007 21:01:04 +0000 (UTC), Anonymous Sender wrote:
>
> > > Tel that to Mr. Anonymous, the Knower Of All Things
> >
> > There's a lot of ignorance and outright FUD regarding security being
> > perpetrated by people who know very little about it. Those of us who
> > actually have studied the subject in depth simply like to set the
> > record straight.
> >
> > If that upsets you it speaks more to your particular level of education
> > than mental state than anything else.
>
> I don't get upset when Know-It-Alls know less than much. Humored? Now
> that's another discussion.
>
> So here how this works out. I actually deal on a daily basis with those

You don't deal with squat. You're a common Usenet troll who has
demonstrated time and time again that you know absolutely nothing at
all about computer security, encryption, or networking. Your mistakes
and erroneous assertions are those of a clueless rube, and your
fantasies about being some sort of "professional" are bald faced lies.

> things you expound to have studied. Let's see here. Which is better? A med
> student with an over-inflated value of his bookworms or the medical doctor
> who actually sees patients?
>
> I don't know. Help?

You definitely need some if you believe you're functioning at some
sort of doctoral level here.

[Ari]

On Sat, 27 Oct 2007 16:23:34 +0200 (CEST), Anonymous wrote:

>> So here how this works out. I actually deal on a daily basis with those
>
> You don't deal with squat.

Then you either can't read, comprehend or use Google (Groups). None of
the three surprise me one damn bit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

[Anonymous Sender]

VanguardLH wrote:

> "Joan Battaglia" wrote in message
> news:4weUi.17176$JD.3743@newssvr21.news.prodigy.ne t...
> > Thanks to you all, I was able to install Tor/Vidalia/Privoxy
> > freeware for
> > anonymous web browsing.
> >
> > When I log into an https email web page, I assume my password is
> > protected
> > from snoopers on the Tor network itself. That is, I assume the https
> > encryption prevents a rogue Tor server itself from seeing my
> > password.
> >
> > But - what about if I have to log into a web page that does not have
> > an
> > https encrypted login method? Is Tor now compromised? Am I now
> > sending my
> > password in the clear to a Tor server which "could" be a rogue Tor
> > server?
> >
> > Is my password still secure when logging into an http account with
> > Tor/Privoxy running?
>
>
> Since you are now using a proxy, and because the proxy can pretend to
> be the target site, and because the proxy could establish the SSL
> connect with you and then an SSL connect to the target site (so both
> use SSL but not directly to each other), now you have to trust the
> proxy doesn't intercept your SSL request and won't pretend to be the
> target site.

No, you do not. If you have the certificate for a given site installed
on your machine, and don't turn off basic security, you'll get errors
and dialogs galore if a Tor node tried to launch a monkey in the middle
attack.

> Do you really trust Tor with you bank login?

No. Nor do I trust my ISP, their ISP, a backbone ISP, my bank's ISP.
or anyone else with my bank login. I don't even particularly trust my
bank site itself to be real honest, but I have no choice. The rest,
though, I can remove from the loop by using strong encryption.


> Do you
> know what Tor proxy you are using and who operates it?

Do you traceroute your connection to your bank so that you know every
hop between you and there, then research who runs those?

> Anything
> between you and the target site can be an interceptor SSL proxy but
> there's less chance it will be your ISP or the backbone that they use.

Why? Are you suggesting that ISP's and backbone providers are immune to
hiring bad people, or that bad people are somehow lacking some quality
that allows them to work along the backbone?

Would you be surprised to discover that by some definitions of "bad"
that ISP and/or backbone provider isn't only the more logical choice
for a point of attack, it's almost necessary?

> With Tor, well, who knows who is running each of its peer hosts. The
> Tor servers are ran by volunteers, not by your ISP or your bank. As I
> recall, a bluecoat proxy can do SSL interception.
>
> http://arstechnica.com/news.ars/post...passwords.html


You do realize that *none* of those passwords were intercepted from
encrypted connections, right?

Simple common sense would have prevented 100% of this.

>
> It suggests using encryption (SSL); however, that still doesn't
> prevent the Tor server user from intercepting.

Yes. It does.

> You get anonymity, not
> necessarily security, with P2P networks. However, even if there were
> no such interception, using SSL means the target knows the source.

No, it does not. The connection is still anonymous of made through the
Tor network.

> With P2P, there are more unknown hosts you pass through, more chances
> for man-in-the-middle attacks.
>
> http://xiandos.info/Tor

"Tor does not prevent you, or the software programs you are using, from
giving the other site of the anonymous TCP-stream information which
compromises your anonymity."

"Never enter passwords over unencrypted Tor-connections, only send
passwords and other information over https connections (This applies to
all Internet usage, not only Tor)."

That pretty much sums it up.

>