How safe is Tor for logging into http (nont https) web sites

[Krazee Brenda]

On Fri, 26 Oct 2007 03:35:03 -0500, VanguardLH wrote:

>> Is my password still secure when logging into an http account with
>> Tor/Privoxy running?
>
> Since you are now using a proxy, and because the proxy can pretend to
> be the target site, and because the proxy could establish the SSL
> connect with you and then an SSL connect to the target site (so both
> use SSL but not directly to each other), now you have to trust the
> proxy doesn't intercept your SSL request and won't pretend to be the
> target site. Do you really trust Tor with you bank login? Do you
> know what Tor proxy you are using and who operates it? Anything
> between you and the target site can be an interceptor SSL proxy but
> there's less chance it will be your ISP or the backbone that they use.
> With Tor, well, who knows who is running each of its peer hosts. The
> Tor servers are ran by volunteers, not by your ISP or your bank. As I
> recall, a bluecoat proxy can do SSL interception.
>
> http://arstechnica.com/news.ars/post...passwords.html
>
> It suggests using encryption (SSL); however, that still doesn't
> prevent the Tor server user from intercepting. You get anonymity, not
> necessarily security, with P2P networks. However, even if there were
> no such interception, using SSL means the target knows the source.
> With P2P, there are more unknown hosts you pass through, more chances
> for man-in-the-middle attacks.

Tel that to Mr. Anonymous, the Knower Of All Things
--
"I drink lots of water, know how to make bee's wax candles, play with
clay, eat mangoes nude, give great massages."

[Anonymous Sender]

Krazee Brenda wrote:

> On Fri, 26 Oct 2007 03:35:03 -0500, VanguardLH wrote:
>
> >> Is my password still secure when logging into an http account with
> >> Tor/Privoxy running?
> >
> > Since you are now using a proxy, and because the proxy can pretend to
> > be the target site, and because the proxy could establish the SSL
> > connect with you and then an SSL connect to the target site (so both
> > use SSL but not directly to each other), now you have to trust the
> > proxy doesn't intercept your SSL request and won't pretend to be the
> > target site. Do you really trust Tor with you bank login? Do you
> > know what Tor proxy you are using and who operates it? Anything
> > between you and the target site can be an interceptor SSL proxy but
> > there's less chance it will be your ISP or the backbone that they use.
> > With Tor, well, who knows who is running each of its peer hosts. The
> > Tor servers are ran by volunteers, not by your ISP or your bank. As I
> > recall, a bluecoat proxy can do SSL interception.
> >
> > http://arstechnica.com/news.ars/post...passwords.html
> >
> > It suggests using encryption (SSL); however, that still doesn't
> > prevent the Tor server user from intercepting. You get anonymity, not
> > necessarily security, with P2P networks. However, even if there were
> > no such interception, using SSL means the target knows the source.
> > With P2P, there are more unknown hosts you pass through, more chances
> > for man-in-the-middle attacks.

By their very nature P2P networks aren't susceptible to MITM attacks.
There's no need of course because there's nothing to learn that's not
public knowledge, but more to the point at hand nothing is relayed past
that second "P". That's why they're called "points".

> Tel that to Mr. Anonymous, the Knower Of All Things

There's a lot of ignorance and outright FUD regarding security being
perpetrated by people who know very little about it. Those of us who
actually have studied the subject in depth simply like to set the
record straight.

If that upsets you it speaks more to your particular level of education
than mental state than anything else.

Is it safe to trust your bank account to a Tor node operator? Of course
not. That's just a blatantly silly question. You shouldn't trust anyone
with that sort of information. Using Tor to access your bank account is
irrelevant in most applications anyway. Your bank knows who you are
already by your login.

Still, there are conceivable situations where Tor and banks together
can be useful. The "Chinese dissident" scenario, where an oppressive
regime even knowing you're managing funds outside their control might
cause you much grief. For that application Tor is ideal. It masks both
what you're doing and where you're doing it at from anyone on your end
of the Tor network. And your identity from observers on the other end.
To secure the actual information you're transferring you need to encrypt
the connection end to end, but that's a hard fact regardless of whether
Tor is in the mix or not.

Tor and SSL are to completely different tools for two completely
different jobs. Sometimes they compliment each other, sometimes they're
irrlevant to each other, and yes, sometimes they can even oppose each
other. It's up to the user to learn the mostly simple principals that
allow them to recognize which tool is best suited to which job, and
avoid the pitfalls of using the wrong tool.

[Ari]

On Fri, 26 Oct 2007 21:01:04 +0000 (UTC), Anonymous Sender wrote:

> Is it safe to trust your bank account to a Tor node operator? Of course
> not. That's just a blatantly silly question. You shouldn't trust anyone
> with that sort of information. Using Tor to access your bank account is
> irrelevant in most applications anyway. Your bank knows who you are
> already by your login.

No one knows who you are by any login. All anyone knows is that someone, or
thing, has logged in. Period.

What an oxymoronic thing for you to say. Mr. Anonymous. lol

[Anonymous]

Ari wrote:

> On Fri, 26 Oct 2007 21:01:04 +0000 (UTC), Anonymous Sender wrote:
>
> > Is it safe to trust your bank account to a Tor node operator? Of course
> > not. That's just a blatantly silly question. You shouldn't trust anyone
> > with that sort of information. Using Tor to access your bank account is
> > irrelevant in most applications anyway. Your bank knows who you are
> > already by your login.
>
> No one knows who you are by any login. All anyone knows is that someone, or
> thing, has logged in. Period.

ROTFL!

Sure, if an account is logged into it could always be an evil alien
toaster or something.

You're an idiot.

>
> What an oxymoronic thing for you to say. Mr. Anonymous. lol

[Ari]

On Sat, 27 Oct 2007 17:14:51 +0200 (CEST), Anonymous wrote:

>> No one knows *who you are* by any login. All anyone knows is that someone, or
>> thing, has logged in. Period.
>
> ROTFL!
>
> Sure, if an account is logged into it could always be an evil alien
> toaster or something.
>
> You're an idiot.

Tell me, be exact, O Knowit****ingAll, exactly, how the hell by logging
in only does a website know *who* logged in?

Then when you screw yourself into a fit, because there is no answer,
I'll be happy to teach you.

Get out your secured credit card first.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

[Ari]

On Fri, 26 Oct 2007 21:01:04 +0000 (UTC), Anonymous Sender wrote:

> > Tel that to Mr. Anonymous, the Knower Of All Things
>
> There's a lot of ignorance and outright FUD regarding security being
> perpetrated by people who know very little about it. Those of us who
> actually have studied the subject in depth simply like to set the
> record straight.
>
> If that upsets you it speaks more to your particular level of education
> than mental state than anything else.

I don't get upset when Know-It-Alls know less than much. Humored? Now
that's another discussion.

So here how this works out. I actually deal on a daily basis with those
things you expound to have studied. Let's see here. Which is better? A med
student with an over-inflated value of his bookworms or the medical doctor
who actually sees patients?

I don't know. Help?

[Anonymous]

Ari wrote:

> On Fri, 26 Oct 2007 21:01:04 +0000 (UTC), Anonymous Sender wrote:
>
> > > Tel that to Mr. Anonymous, the Knower Of All Things
> >
> > There's a lot of ignorance and outright FUD regarding security being
> > perpetrated by people who know very little about it. Those of us who
> > actually have studied the subject in depth simply like to set the
> > record straight.
> >
> > If that upsets you it speaks more to your particular level of education
> > than mental state than anything else.
>
> I don't get upset when Know-It-Alls know less than much. Humored? Now
> that's another discussion.
>
> So here how this works out. I actually deal on a daily basis with those

You don't deal with squat. You're a common Usenet troll who has
demonstrated time and time again that you know absolutely nothing at
all about computer security, encryption, or networking. Your mistakes
and erroneous assertions are those of a clueless rube, and your
fantasies about being some sort of "professional" are bald faced lies.

> things you expound to have studied. Let's see here. Which is better? A med
> student with an over-inflated value of his bookworms or the medical doctor
> who actually sees patients?
>
> I don't know. Help?

You definitely need some if you believe you're functioning at some
sort of doctoral level here.

[Ari]

On Sat, 27 Oct 2007 16:23:34 +0200 (CEST), Anonymous wrote:

>> So here how this works out. I actually deal on a daily basis with those
>
> You don't deal with squat.

Then you either can't read, comprehend or use Google (Groups). None of
the three surprise me one damn bit.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/