VanguardLH wrote:
> "Joan Battaglia" wrote in message
> news:4weUi.17176$JD.3743@newssvr21.news.prodigy.ne t...
> > Thanks to you all, I was able to install Tor/Vidalia/Privoxy
> > freeware for
> > anonymous web browsing.
> >
> > When I log into an https email web page, I assume my password is
> > protected
> > from snoopers on the Tor network itself. That is, I assume the https
> > encryption prevents a rogue Tor server itself from seeing my
> > password.
> >
> > But - what about if I have to log into a web page that does not have
> > an
> > https encrypted login method? Is Tor now compromised? Am I now
> > sending my
> > password in the clear to a Tor server which "could" be a rogue Tor
> > server?
> >
> > Is my password still secure when logging into an http account with
> > Tor/Privoxy running?
>
>
> Since you are now using a proxy, and because the proxy can pretend to
> be the target site, and because the proxy could establish the SSL
> connect with you and then an SSL connect to the target site (so both
> use SSL but not directly to each other), now you have to trust the
> proxy doesn't intercept your SSL request and won't pretend to be the
> target site.
No, you do not. If you have the certificate for a given site installed
on your machine, and don't turn off basic security, you'll get errors
and dialogs galore if a Tor node tried to launch a monkey in the middle
attack.
> Do you really trust Tor with you bank login?
No. Nor do I trust my ISP, their ISP, a backbone ISP, my bank's ISP.
or anyone else with my bank login. I don't even particularly trust my
bank site itself to be real honest, but I have no choice. The rest,
though, I can remove from the loop by using strong encryption.
> Do you
> know what Tor proxy you are using and who operates it?
Do you traceroute your connection to your bank so that you know every
hop between you and there, then research who runs those?
> Anything
> between you and the target site can be an interceptor SSL proxy but
> there's less chance it will be your ISP or the backbone that they use.
Why? Are you suggesting that ISP's and backbone providers are immune to
hiring bad people, or that bad people are somehow lacking some quality
that allows them to work along the backbone?
Would you be surprised to discover that by some definitions of "bad"
that ISP and/or backbone provider isn't only the more logical choice
for a point of attack, it's almost necessary?
> With Tor, well, who knows who is running each of its peer hosts. The
> Tor servers are ran by volunteers, not by your ISP or your bank. As I
> recall, a bluecoat proxy can do SSL interception.
>
> http://arstechnica.com/news.ars/post...passwords.html
You do realize that *none* of those passwords were intercepted from
encrypted connections, right?
Simple common sense would have prevented 100% of this.
>
> It suggests using encryption (SSL); however, that still doesn't
> prevent the Tor server user from intercepting.
Yes. It does.
> You get anonymity, not
> necessarily security, with P2P networks. However, even if there were
> no such interception, using SSL means the target knows the source.
No, it does not. The connection is still anonymous of made through the
Tor network.
> With P2P, there are more unknown hosts you pass through, more chances
> for man-in-the-middle attacks.
>
> http://xiandos.info/Tor
"Tor does not prevent you, or the software programs you are using, from
giving the other site of the anonymous TCP-stream information which
compromises your anonymity."
"Never enter passwords over unencrypted Tor-connections, only send
passwords and other information over https connections (This applies to
all Internet usage, not only Tor)."
That pretty much sums it up.
>
Reply With Quote