#1
Re: How safe is Tor for logging into http (non https) web sites
VanguardLH wrote:

> "Joan Battaglia" wrote in message
> news:4weUi.17176$JD.3743@newssvr21.news.prodigy.net...
> > Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
> > anonymous web browsing.
> >
> > When I log into an https email web page, I assume my password is protected
> > from snoopers on the Tor network itself. That is, I assume the https
> > encryption prevents a rogue Tor server itself from seeing my password.
> >
> > But - what about if I have to log into a web page that does not have an
> > https encrypted login method? Is Tor now compromised? Am I now sending my
> > password in the clear to a Tor server which "could" be a rogue Tor server?
> >
> > Is my password still secure when logging into an http account with
> > Tor/Privoxy running?
>
> Since you are now using a proxy, and because the proxy can pretend to
> be the target site, and because the proxy could establish the SSL
> connect with you and then an SSL connect to the target site (so both
> use SSL but not directly to each other), now you have to trust the
> proxy doesn't intercept your SSL request and won't pretend to be the
> target site.

No, you do not. If you have the certificate for a given site installed on your machine, and don't turn off basic security, you'll get errors and dialogs galore if a Tor node tried to launch a monkey in the middle attack.

> Do you really trust Tor with your bank login?

No. Nor do I trust my ISP, their ISP, a backbone ISP, my bank's ISP, or anyone else with my bank login. I don't even particularly trust my bank site itself to be real honest, but I have no choice. The rest, though, I can remove from the loop by using strong encryption.

> Do you
> know what Tor proxy you are using and who operates it?

Do you traceroute your connection to your bank so that you know every hop between you and there, then research who runs those?

> Anything
> between you and the target site can be an interceptor SSL proxy but
> there's less chance it will be your ISP or the backbone that they use.

Why? Are you suggesting that ISP's and backbone providers are immune to hiring bad people, or that bad people are somehow lacking some quality that allows them to work along the backbone? Would you be surprised to discover that by some definitions of "bad" that ISP and/or backbone provider isn't only the more logical choice for a point of attack, it's almost necessary?

> With Tor, well, who knows who is running each of its peer hosts. The
> Tor servers are run by volunteers, not by your ISP or your bank. As I
> recall, a bluecoat proxy can do SSL interception.
>
> http://arstechnica.com/news.ars/post...passwords.html

You do realize that *none* of those passwords were intercepted from encrypted connections, right? Simple common sense would have prevented 100% of this.

>
> It suggests using encryption (SSL); however, that still doesn't
> prevent the Tor server user from intercepting.

Yes. It does.

> You get anonymity, not
> necessarily security, with P2P networks. However, even if there were
> no such interception, using SSL means the target knows the source.

No, it does not. The connection is still anonymous if made through the Tor network.

> With P2P, there are more unknown hosts you pass through, more chances
> for man-in-the-middle attacks.
>
> http://xiandos.info/Tor

"Tor does not prevent you, or the software programs you are using, from giving the other site of the anonymous TCP-stream information which compromises your anonymity."

"Never enter passwords over unencrypted Tor-connections, only send passwords and other information over https connections (This applies to all Internet usage, not only Tor)."

That pretty much sums it up.
#2
Re: How safe is Tor for logging into http (non https) web sites
On Fri, 26 Oct 2007 20:51:05 +0000 (UTC), Anonymous Sender wrote:

>> http://arstechnica.com/news.ars/post...passwords.html
> You do realize that *none* of those passwords were intercepted from
> encrypted connections, right?
> Simple common sense would have prevented 100% of this.

I'm soooooo confused by all the details! Sorry.

It seems you are saying two things here (are you?)
1. Using http://mail.yahoo.com is not safe over a Tor network (because the Tor operator gets your password every time)
2. Using https://mail.yahoo.com is safe (is it?)

The whole point of this question was to ask if http(s) protected my password from recreant Tor operators. Does it or does it not?
#3
Re: How safe is Tor for logging into http (non https) web sites
Joan Battaglia wrote:

> On Fri, 26 Oct 2007 20:51:05 +0000 (UTC), Anonymous Sender wrote:
>
> >> http://arstechnica.com/news.ars/post...passwords.html
> > You do realize that *none* of those passwords were intercepted from
> > encrypted connections, right?
> > Simple common sense would have prevented 100% of this.
>
> I'm soooooo confused by all the details! Sorry.
>
> It seems you are saying two things here (are you?)
> 1. Using http://mail.yahoo.com is not safe over a Tor network
> (because the Tor operator gets your password every time)
> 2. Using https://mail.yahoo.com is safe (is it?)

Yes. That is correct.

>
> The whole point of this question was to ask if http(s) protected my
> password from recreant Tor operators. Does it or does it not?

It absolutely does, as long as acceptable standards of SSL use are adhered to. And of course assuming nobody finds a hole in SSL itself.

IOW, Tor has no real impact on SSL at all. It's no more vulnerable when routed through the Tor network than it is outside the Tor network.
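
Added example, not part of the original thread or written by any poster: the client-side check the replies above rely on, where a certificate is accepted only if it chains to one the client already trusts and names the host that was requested. It uses only the Go standard library; the host names and both certificates are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSigned returns a throwaway certificate for host (constructed test data).
func selfSigned(owner, host string) *x509.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: owner},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// check returns nil only if presented chains to trusted and is valid for host.
func check(presented, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	site := selfSigned("constructed site", "mail.example.test")
	other := selfSigned("constructed interceptor", "mail.example.test")
	fmt.Println("genuine:", check(site, site, "mail.example.test"))
	fmt.Println("substituted:", check(other, site, "mail.example.test"))
	fmt.Println("wrong host:", check(site, site, "bank.example.test"))
}
```
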
#4
Re: How safe is Tor for logging into http (non https) web sites
On Sun, 28 Oct 2007 10:23:23 +0100 (CET), Anonymous wrote:

>> I'm soooooo confused by all the details! Sorry.
>>
>> It seems you are saying two things here (are you?)
>> 1. Using http://mail.yahoo.com is not safe over a Tor network
>> (because the Tor operator gets your password every time)
>> 2. Using https://mail.yahoo.com is safe (is it?)
>
> Yes. That is correct.
>>
>> The whole point of this question was to ask if http(s) protected my
>> password from recreant Tor operators. Does it or does it not?
>
> It absolutely does, as long as acceptable standards of SSL use are
> adhered to. And of course assuming nobody finds a hole in SSL itself.

And if the moons rise above the planet and giants eat Mars thinking it's a candy bar.

--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/