How safe is Tor for logging into http (not https) web sites

Discussion in 'Spyware' started by Joan Battaglia, Oct 26, 2007.

  1. Thanks to you all, I was able to install Tor/Vidalia/Privoxy freeware for
    anonymous web browsing.

    When I log into an https email web page, I assume my password is protected
    from snoopers on the Tor network itself. That is, I assume the https
    encryption prevents a rogue Tor server itself from seeing my password.

    But - what about if I have to log into a web page that does not have an
    https encrypted login method? Is Tor now compromised? Am I now sending my
    password in the clear to a Tor server which "could" be a rogue Tor server?

    Is my password still secure when logging into an http account with
    Tor/Privoxy running?
     
    Joan Battaglia, Oct 26, 2007
    #1

  2. Secure is relative.
     
    Krazee Brenda, Oct 26, 2007
    #2

  3. Joan Battaglia

    VanguardLH Guest

    Since you are now using a proxy, and because the proxy can pretend to
    be the target site, and because the proxy could establish the SSL
    connect with you and then an SSL connect to the target site (so both
    use SSL but not directly to each other), now you have to trust the
    proxy doesn't intercept your SSL request and won't pretend to be the
    target site. Do you really trust Tor with your bank login? Do you
    know what Tor proxy you are using and who operates it? Anything
    between you and the target site can be an interceptor SSL proxy but
    there's less chance it will be your ISP or the backbone that they use.
    With Tor, well, who knows who is running each of its peer hosts. The
    Tor servers are run by volunteers, not by your ISP or your bank. As I
    recall, a bluecoat proxy can do SSL interception.

    http://arstechnica.com/news.ars/post/20070910-security-expert-used-tor-to-collect-government-e-mail-passwords.html

    It suggests using encryption (SSL); however, that still doesn't
    prevent the Tor server user from intercepting. You get anonymity, not
    necessarily security, with P2P networks. However, even if there were
    no such interception, using SSL means the target knows the source.
    With P2P, there are more unknown hosts you pass through, more chances
    for man-in-the-middle attacks.

    http://xiandos.info/Tor
     
    VanguardLH, Oct 26, 2007
    #3
  4. You're wrong about that. As long as you haven't borked up your security
    settings and told your browser to not warn you about bad/changed SSL
    certificates you're fine. Tor is no different than any other encrypted
    connection. SSL will encrypt your passwords and such end to end unless
    you break it somehow. And it IS up to you to pay attention, whether or
    not you're using Tor.
    Maybe by some yardsticks and in context, but there's still definably
    good security, and nonexistent security. Tor is the former as long as
    you understand it and use it properly.
     
    Anonymous Sender, Oct 26, 2007
    #4
  5. Joan Battaglia

    Sulasno Guest

    never use Tor for internet banking
     
    Sulasno, Oct 26, 2007
    #5
  6. Joan Battaglia

    Aaron Guest

    Eh. That doesn't work. If it "pretends to be the target site", the
    certificate won't match up. Right?
     
    Aaron, Oct 26, 2007
    #6
  7. As long as you haven't tried to cross an Interstate at rush hour, you'll
    be safe too.

    Illogicware
     
    Krazee Brenda, Oct 26, 2007
    #7
  8. Security is lightswitchware. On or none.
     
    Krazee Brenda, Oct 26, 2007
    #8
  9. Tell that to Mr. Anonymous, the Knower Of All Things
     
    Krazee Brenda, Oct 26, 2007
    #9
  10. Joan Battaglia

    Doctor Who Guest

    Tor offers anonymity, but if the last Tor node is malicious it could read
    non-encrypted data, meaning HTTP, for example. With HTTPS your browser
    should be set to alert you if there is a change of certificate.

    I would strongly urge you never to use Tor for login to your Bank account.
    Pretty pointless in most cases as they already know you. Different, of course
    if you have a secret overseas account, ahem. . .

    VanguardLH has pretty much covered most of your points.
     
    Doctor Who, Oct 26, 2007
    #10
  11. No, you do not. If you have the certificate for a given site installed
    on your machine, and don't turn off basic security, you'll get errors
    and dialogs galore if a Tor node tried to launch a monkey in the middle
    attack.
    No. Nor do I trust my ISP, their ISP, a backbone ISP, my bank's ISP.
    or anyone else with my bank login. I don't even particularly trust my
    bank site itself to be real honest, but I have no choice. The rest,
    though, I can remove from the loop by using strong encryption.

    Do you traceroute your connection to your bank so that you know every
    hop between you and there, then research who runs those?
    Why? Are you suggesting that ISP's and backbone providers are immune to
    hiring bad people, or that bad people are somehow lacking some quality
    that allows them to work along the backbone?

    Would you be surprised to discover that by some definitions of "bad"
    that ISP and/or backbone provider isn't only the more logical choice
    for a point of attack, it's almost necessary?

    You do realize that *none* of those passwords were intercepted from
    encrypted connections, right?

    Simple common sense would have prevented 100% of this.
    Yes. It does.
    No, it does not. The connection is still anonymous if made through the
    Tor network.
    "Tor does not prevent you, or the software programs you are using, from
    giving the other site of the anonymous TCP-stream information which
    compromises your anonymity."

    "Never enter passwords over unencrypted Tor-connections, only send
    passwords and other information over https connections (This applies to
    all Internet usage, not only Tor)."

    That pretty much sums it up. :)
     
    Anonymous Sender, Oct 26, 2007
    #11
  12. Nonsensical gibberish. Considering the fact that there's no such thing
    as perfect security your theory crumbles on principle alone. And any
    real student of secure methods can tell you that security is a proper
    application of resources to a given situation, not a one size fits all
    blanket you can throw over something to guarantee it stays warm in all
    weather.
     
    Anonymous Sender, Oct 26, 2007
    #12
  13. By their very nature P2P networks aren't susceptible to MITM attacks.
    There's no need of course because there's nothing to learn that's not
    public knowledge, but more to the point at hand nothing is relayed past
    that second "P". That's why they're called "points". :)
    There's a lot of ignorance and outright FUD regarding security being
    perpetrated by people who know very little about it. Those of us who
    actually have studied the subject in depth simply like to set the
    record straight.

    If that upsets you it speaks more to your particular level of education
    than mental state than anything else.

    Is it safe to trust your bank account to a Tor node operator? Of course
    not. That's just a blatantly silly question. You shouldn't trust anyone
    with that sort of information. Using Tor to access your bank account is
    irrelevant in most applications anyway. Your bank knows who you are
    already by your login.

    Still, there are conceivable situations where Tor and banks together
    can be useful. The "Chinese dissident" scenario, where an oppressive
    regime even knowing you're managing funds outside their control might
    cause you much grief. For that application Tor is ideal. It masks both
    what you're doing and where you're doing it at from anyone on your end
    of the Tor network. And your identity from observers on the other end.
    To secure the actual information you're transferring you need to encrypt
    the connection end to end, but that's a hard fact regardless of whether
    Tor is in the mix or not.

    Tor and SSL are two completely different tools for two completely
    different jobs. Sometimes they complement each other, sometimes they're
    irrelevant to each other, and yes, sometimes they can even oppose each
    other. It's up to the user to learn the mostly simple principles that
    allow them to recognize which tool is best suited to which job, and
    avoid the pitfalls of using the wrong tool.
     
    Anonymous Sender, Oct 26, 2007
    #13
  14. Joan Battaglia

    VanguardLH Guest


    The interceptor gives you THEIR certificate, not the one at the target
    site that you meant to hit. Anyone can be a CA for their own certs.
    Companies do it all the time because they don't want to keep paying
    outside parties for them; i.e., they operate their own internal or
    private CA which validates their own certs (they have their own
    certificate server). They use self-signed certs. Even the root CAs
    are self-signed but then they are supposed to be the public trusted
    CAs. So you intend to go to domainA.com but go through a proxy run by
    an unknown. They give you a cert that says it is for domainA. Who is
    the CA (certificate authority) for the cert? It's the CA specified in
    the cert. The CA is [supposed to be] a trusted 3rd party. So you get
    a cert from them that says they are the CA so they validate their own
    cert; i.e., they are their own certifier for the cert they gave you.
    Since the CA is the only one that can validate a cert, you or your
    apps don't head off to some other CA because they weren't the one that
    issued the cert. The design of SSL and the PKI places the
    responsibility on the end user to verify the correctness of their set
    of trusted certificates. How many users run certmgr.msc or otherwise
    look at the properties of the cert they got proffered to see the
    hierarchy of CAs specified by the cert? Would it matter if they saw
    the hierarchy for a self-signed cert where the issuer used some other
    name as the CA? How many users get a cert warning from their browser
    but ignore it (because the site used a cert for one of their other
    domains or it expired, so users get used to ignoring those alerts).

    SSL interception proxy. They exist. Some are used to interrogate the
    content of your traffic to determine if it is appropriate for the
    company. Well, they can't look at the content unless they did the
    man-in-the-middle interception. They don't bother to decrypt your
    traffic. They just intercept it by making you think they were the
    target you intended to hit. Can SSL be subverted by clever criminals?
    "If you're talking about a scenario where they spoof a Web site, the
    answer is yes," said Tim Callan, Group Product Marketing Manager for
    VeriSign.

    As pointed out, any node in your path to the SSL target site could do
    the interception. I'm saying that with Tor that you are traversing
    nodes operated by unknown owners and probably across multiple
    countries, several of which have no reciprocity laws regarding fraud.
    You might not know who owns all the nodes in a normal route to your
    site but it is a good bet that they can be discovered versus the
    anonymity of Tor operators. With spoof sites using SSL, and since no
    one has to register to authenticate their identity to be a Tor
    operator, why wouldn't these same defrauding users also operate a Tor
    point?

    Don't trust your bank accounts, online buying, PayPal, login
    passwords, or any other privacy data over Tor. What you send to the
    target site is obviously available to a Tor operator, too.
     
    VanguardLH, Oct 27, 2007
    #14
  15. Joan Battaglia

    Anonymous Guest

    A pretty good analogy. I'll put it into proper perspective for you...

    Crossing the freeway at rush hour demands willful action and
    abandonment of common sense. There's prescribed crossing points called
    traffic lights, and in most jurisdictions not using them is actually
    punishable by a fine.

    Likewise default browser settings, which all warn you about forged and
    broken SSL certificates. You have to purposefully do something like
    click past several dialogs warning you about your bad decisions, adopt a
    policy of not paying any attention to the warnings, or "wander
    aimlessly out into the busy street", if you wish. :)

    IOW, in both scenarios the real danger is the person doing something
    wantonly stupid. That's why foot traffic is prohibited on major
    thruways in fact... to protect stupid people from themselves. I don't
    know if that philosophy scales to browser settings though. ;-)
     
    Anonymous, Oct 27, 2007
    #15
  16. <snip>

    That's the whole point. That's WHY the certs don't match up and WHY Tor
    nodes (or anyone else) trying to launch MITM attacks fail. Signatures
    and CA's are meaningless at that point. Unless you cripple your own
    software you get big honking errors.

    Why do you think SSL exists in the first place for God's sake?
     
    Anonymous Sender, Oct 27, 2007
    #16
  17. You're missing the point completely, and/or don't know much about
    SSL. Your entire treatise is built on several false assumptions.

    Yes, sites can sign their own certificates. They can even use unsigned
    certificates. What you're apparently unaware of is the fact that if a
    certificate is not signed by a previously trusted authority it causes
    browsers to complain. Some even refuse to allow you to install unsigned
    certificates so they complain repeatedly.

    Browsers also pitch a fit if a certificate changes. Depending on the
    browser and version they make accepting new certificates a real hassle
    in fact. So even if an evil Tor node were to manage to buy a
    certificate in the name of your bank with a CA endorsement (which would
    require circumventing the verification process), you'd know about it
    instantly.

    I suggest that you do some actual research on SSL itself instead of
    reading gloom and doom reports of how Tor nodes can break SSL. It's not
    nearly as easy as you seem to believe it is.
    SSL also has a built in mechanism for detecting certificates that don't
    match the domain you're visiting. Browsers issue "doesn't match"
    warnings, and typically state one possible cause of the error being
    someone trying to "spoof" some other site.
    Unless you specifically turn it off, ALL users do this. That's what the
    security settings are there for. As long as you don't mess with things
    you don't understand or willfully put yourself in an insecure position,
    none of the attacks you claim to exist can work. Period. SSL is just
    "better than that" after years and years of development.
    Complete nonsense. Without decrypting traffic there's no way in hell
    they can present a user with meaningful content. No way to make a user
    believe anything at all.
    He also said this...

    "If every Internet user in the world had a browser that recognized the
    difference between High Assurance SSL Certificates and traditional ones
    and if every legitimate site used a High Assurance certificate, then
    phishing as we know it today would essentially be eliminated."

    This recognizes the fact that SSL is impervious to the sort of things
    you're describing when used properly. As people have been saying.
    Irrelevant. For one, you have no way of knowing whether or not your
    "normal" connection traverses those same geographic borders. The nature
    of the net means connections are often bounced globally.
    Tor operators are NOT anonymous. What ever gave you the impression that
    they are? Truth is, they're far more visible than a hop in the routing
    of a "normal" connection, and not nearly as transient.
    Baloney. There's perfectly good reasons for conducting sensitive
    business through Tor, in fact certain scenarios within that context are
    the reasons Tor exists in the first place. And there's secure ways of
    doing just that. All you need to do is learn some basics, and pay
    attention to any warnings or errors you get.
     
    Anonymous Sender, Oct 27, 2007
    #17
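
The two checks argued over in posts #14 to #17 (is the certificate signed by an authority the client already trusts, and does it name the host being visited), run with the `openssl` command line as an added example that is not part of any post in this thread. Every name in it (Demo Root CA, bank.example, elsewhere.example) is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: all certificate names below are made up.

# issue DIR NAME HOST: key + certificate for HOST, signed by the demo CA in DIR.
issue() {
    printf 'subjectAltName=DNS:%s\n' "$3" > "$1/$2.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/$2.ext" \
        -out "$1/$2.pem" 2>/dev/null
}

make_demo_certs() {
    # ca.pem stands in for a root the browser already trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    # site: the real certificate for bank.example, issued by that root.
    issue "$1" site bank.example &&
    # other: properly issued by the same root, but for a different host.
    issue "$1" other elsewhere.example &&
    # selfsigned: claims bank.example, vouched for only by itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=bank.example" \
        -keyout "$1/selfsigned.key" -out "$1/selfsigned.pem" 2>/dev/null
}

# client_verdict DIR NAME: what a verifying client that wants to reach
# bank.example decides when it is handed DIR/NAME.pem.
client_verdict() {
    if openssl verify -CAfile "$1/ca.pem" -verify_hostname bank.example \
        "$1/$2.pem" >/dev/null 2>&1
    then echo accepted
    else echo rejected
    fi
}

demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
for c in site selfsigned other; do
    printf '%-10s %s\n' "$c" "$(client_verdict "$demo_dir" "$c")"
done
```

Only `site` is accepted: `selfsigned` fails the chain check and `other` fails the host name check, which is the result a client gets only while verification is left switched on.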
  18. Joan Battaglia

    Ari Guest

    No one knows who you are by any login. All anyone knows is that someone, or
    thing, has logged in. Period.

    What an oxymoronic thing for you to say. Mr. Anonymous. lol
     
    Ari, Oct 27, 2007
    #18
  19. Joan Battaglia

    Ari Guest

    I don't get upset when Know-It-Alls know less than much. Humored? Now
    that's another discussion.

    So here's how this works out. I actually deal on a daily basis with those
    things you expound to have studied. Let's see here. Which is better? A med
    student with an over-inflated value of his bookworms or the medical doctor
    who actually sees patients?

    I don't know. Help?
     
    Ari, Oct 27, 2007
    #19
  20. Joan Battaglia

    Anonymous Guest

    You don't deal with squat. You're a common Usenet troll who has
    demonstrated time and time again that you know absolutely nothing at
    all about computer security, encryption, or networking. Your mistakes
    and erroneous assertions are those of a clueless rube, and your
    fantasies about being some sort of "professional" are bald faced lies.
    You definitely need some if you believe you're functioning at some
    sort of doctoral level here.
     
    Anonymous, Oct 27, 2007
    #20