Re: How safe is Tor for logging into http (nont https) web sites

On Sun, 28 Oct 2007 10:24:30 +0100 (CET), Anonymous wrote:

> It is confusing at first. Think of it like plastic pipe. HTTP is a
> clear pipe running from you to your destination. Anyone can see through
> the pipe and know everything that flows through it. They can also
> follow the pipe from beginning to end very easily.
>
> Tor is like a large black pipe, with a whole bunch of smaller pipes
> running inside it all exiting out the other end and going their own
> way. While your connection is inside the black pipe nobody can see it.
> Once it leaves that outer covering at the Tor exit node it's in the
> clear again. But since there's thousands upon thousands of smaller
> pipes all mixed up inside the "Tor pipe" nobody can really figure out
> which pipe belongs to which user.
>
> SSL/HTTPS is like a single black pipe running between you and your
> destination. It's trivial to follow that pipe from end to end and know
> who the source and destination are, but nothing flowing inside the pipe
> is visible.
>
> Combining Tor and SSL/HTTPS puts a bunch of black pipes inside a larger
> black pipe for a time, but then those smaller pipes still retain their
> opaque quality after leaving the Tor pipe. So you not only have the
> anonymity of hiding your connection inside a "larger pipe" mixed up with
> everyone else's, you still maintain privacy because nobody can see
> what's flowing through the connection once it leaves that collective.

Now this, makes sense!
I understand this - thank you for taking the time to explain in a manner
that can be understood by all!

Joan Battaglia wrote:

<snippage>

> Now this, makes sense!
> I understand this - thank you for taking the time to explain in a manner
> that can be understood by all!

You're quite welcome. It's my pleasure to hear that something
"clicked". :)

There's a lot more to it than colored pipes of course. It is an analogy
after all. But it's an accurate portrayal of what information can be
gleaned at critical points along the differing types of connections.

There's three basic "elements" to every internet connection in context.
The source of the connection, or you. The destination, or the site
you're visiting. And the content, or all the information moving between
source and destination. HTML, email text, images, passwords, etc.

In brief:

HTTP connections - Source, destination, and content available over the
entire connection.

HTTPS connections - Source and destination available over the entire
connection. Content obfuscated.

Tor connections: Source available prior to Tor entry node. Destination
and content unavailable. Destination and content available at exit node
and beyond, source is obfuscated (the definition of "anonymous").

HTTPS+Tor connections: Source available prior to Tor entry node.
Destination and content obfuscated. At Tor exit node and beyond source
is obfuscated by Tor, content is obfuscated by SSL, destination is
known (the definition of "anonymous and private").

Anonymity and privacy are often confused. Indeed, they can sometimes
overlap. An anonymity tool like tor can keep certain types of
information private in a number of ways. Your ISP doesn't know what web
sites you're visiting for instance. But still the two concepts are
different.

Think of privacy as a doctor/patient relationship. You trust your
doctor not to blab about that embarrassing rash he's treating you for,
but obviously he knows who you are. You have privacy, but not anonymity.

Anonymity would be you posting to an on line self help group about
having the rash in such a way that nobody knows it's you. You've made
your condition public and voluntarily given up your privacy entirely,
but since nobody knows it's really you discussing it there's "no harm
done".

Hope those analogies help crystallize things a bit further for you. :)