#1
10-27-2007, 09:24 PM
Joan Battaglia
Re: How safe is Tor for logging into http (not https) web sites

On Fri, 26 Oct 2007 03:35:03 -0500, VanguardLH wrote:

> you have to trust the proxy doesn't intercept your SSL
> request and won't pretend to be the target site.


I routinely accept those "certificate" things.
Even when I "view" them, I don't know what I'm viewing.
Is there something to look for to ensure it's the mail site's certificate
and not the rogue Tor's certificate?

What would I look for as a clue that the certificate is bad?

>> When I log into an https email web page, I assume my password is
>> protected from snoopers on the Tor network itself.
>> But - what about if I have to log into a web page that does
>> not have an https encrypted login method? Is Tor now compromised?
>> Am I now sending my password in the clear to a Tor server?
>> Is my password still secure when logging into an http account with
>> Tor/Privoxy running?

>
> Since you are now using a proxy, and because the proxy can pretend to
> be the target site, and because the proxy could establish the SSL
> connect with you and then an SSL connect to the target site (so both
> use SSL but not directly to each other), now you have to trust the
> proxy doesn't intercept your SSL request and won't pretend to be the
> target site. Do you really trust Tor with your bank login? Do you
> know what Tor proxy you are using and who operates it? Anything
> between you and the target site can be an interceptor SSL proxy but
> there's less chance it will be your ISP or the backbone that they use.
> With Tor, well, who knows who is running each of its peer hosts. The
> Tor servers are run by volunteers, not by your ISP or your bank. As I
> recall, a bluecoat proxy can do SSL interception.
>
> http://arstechnica.com/news.ars/post...passwords.html
>
> It suggests using encryption (SSL); however, that still doesn't
> prevent the Tor server user from intercepting. You get anonymity, not
> necessarily security, with P2P networks. However, even if there were
> no such interception, using SSL means the target knows the source.
> With P2P, there are more unknown hosts you pass through, more chances
> for man-in-the-middle attacks.
>
> http://xiandos.info/Tor


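An added example, not part of the original thread: an intercepting proxy of the kind described in the quoted reply has to present its own certificate, because it does not hold the site's private key, so the certificate fingerprint shown in the browser's certificate viewer will differ from the one the site presents on a path that is not intercepted. The function names and the byte strings standing in for certificates below are constructed for illustration.

```python
import hashlib
import ssl

def fingerprint(cert):
    """SHA-256 of the DER encoding. Accepts DER bytes or a PEM string."""
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return hashlib.sha256(der).hexdigest()

def normalize(fp):
    """Accept 'AB:CD:...' as certificate viewers print it, or plain hex."""
    return fp.replace(":", "").replace(" ", "").lower()

def as_viewer_string(fp):
    """Format plain hex the way a certificate viewer shows it."""
    return ":".join(fp[i:i + 2] for i in range(0, len(fp), 2)).upper()

def mismatched_paths(reference_fp, observed):
    """observed maps a path label to the certificate presented on that path.
    Returns the labels whose certificate differs from the reference."""
    want = normalize(reference_fp)
    return sorted(p for p, cert in observed.items() if fingerprint(cert) != want)

def direct_fingerprint(host, port=443):
    """Fingerprint seen on a direct connection (needs network, not run here).
    ssl.get_server_certificate returns the server's certificate as PEM
    without validating it, which is all a comparison needs."""
    return fingerprint(ssl.get_server_certificate((host, port)))

# Constructed stand-ins for DER certificates (not real certificates):
# a fingerprint is a hash over the encoded bytes, so any bytes show the check.
SITE_CERT = b"constructed stand-in: the mail site's certificate"
PROXY_CERT = b"constructed stand-in: an intercepting proxy's certificate"

# Reference fingerprint recorded earlier over a path assumed to be trusted.
REFERENCE = as_viewer_string(fingerprint(SITE_CERT))

OBSERVED = {
    "direct": SITE_CERT,                                 # DER bytes
    "tor-exit-A": ssl.DER_cert_to_PEM_cert(SITE_CERT),   # same cert as PEM
    "tor-exit-B": PROXY_CERT,                            # a different cert
}

if __name__ == "__main__":
    print("paths presenting a different certificate:",
          mismatched_paths(REFERENCE, OBSERVED))
```

A mismatch is a reason to stop and not accept the certificate, not proof of interception by itself, since a site can legitimately serve different certificates from different servers.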
#2
10-28-2007, 06:07 PM
Ari
Re: How safe is Tor for logging into http (not https) web sites

On Sat, 27 Oct 2007 14:24:17 -0700, Joan Battaglia wrote:

> I routinely accept those "certificate" things.
> Even when I "view" them, I don't know what I'm viewing.
> Is there something to look for to ensure it's the mail site's certificate
> and not the rogue Tor's certificate?
>
> What would I look for as a clue that the certificate is bad?


Anyone else care to explain how reliable Tor, HTTPS or any other
protocols, routing procedures or other such "security" and "anonymity"
is in *real world sitchs*?

Joan, Honey,

www.cotse.com

Turn it over to Stephen and the Cotse crew.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

#3
10-28-2007, 10:03 PM
Sebastian G.
Re: How safe is Tor for logging into http (not https) web sites

Ari wrote:

> On Sat, 27 Oct 2007 14:24:17 -0700, Joan Battaglia wrote:
>
>> I routinely accept those "certificate" things.
>> Even when I "view" them, I don't know what I'm viewing.
>> Is there something to look for to ensure it's the mail site's certificate
>> and not the rogue Tor's certificate?
>>
>> What would I look for as a clue that the certificate is bad?

>
> Anyone else care to explain how reliable Tor, HTTPS or any other
> protocols, routing procedures or other such "security" and "anonymity"
> is in *real world sitchs*?



Typically it's a PEBKAC problem. If the software asks you "Are you sure?"
and you're simply not sure, then be honest and click "No". Might be that
the intended process stops working then, but don't use it as an excuse to press
"Yes" next time.

At any rate, a research team at Berkeley found that phishing attacks work
so well and defense against them works so badly because most people aren't even
reading the URLs. Yes, exactly, they have no clue where they're browsing,
blindly assuming that website designs couldn't be copied and thus
identifying websites by design. It's purely a PEBKAC problem, since the
users decided to ignore the minimum required knowledge, fully accepting the
possibility that they would be unable to make judged decisions.

All times are GMT.