Re: How safe is Tor for logging into http (not https) web sites
on 27.10.2007 23:24:17 by Joan Battaglia
On Fri, 26 Oct 2007 03:35:03 -0500, VanguardLH wrote:
> you have to trust the proxy doesn't intercept your SSL
> request and won't pretend to be the target site.
I routinely accept those "certificate" things.
Even when I "view" them, I don't know what I'm viewing.
Is there something to look for to ensure it's the mail site's certificate
and not the rogue Tor's certificate?
What would I look for as a clue that the certificate is bad?
>> When I log into an https email web page, I assume my password is
>> protected from snoopers on the Tor network itself.
>> But - what about if I have to log into a web page that does
>> not have an https encrypted login method? Is Tor now compromised?
>> Am I now sending my password in the clear to a Tor server?
>> Is my password still secure when logging into an http account with
>> Tor/Privoxy running?
>
> Since you are now using a proxy, and because the proxy can pretend to
> be the target site, and because the proxy could establish the SSL
> connect with you and then an SSL connect to the target site (so both
> use SSL but not directly to each other), now you have to trust the
> proxy doesn't intercept your SSL request and won't pretend to be the
> target site. Do you really trust Tor with your bank login? Do you
> know what Tor proxy you are using and who operates it? Anything
> between you and the target site can be an interceptor SSL proxy but
> there's less chance it will be your ISP or the backbone that they use.
> With Tor, well, who knows who is running each of its peer hosts. The
> Tor servers are run by volunteers, not by your ISP or your bank. As I
> recall, a bluecoat proxy can do SSL interception.
>
> http://arstechnica.com/news.ars/post/20070910-security-expert-used-tor-to-collect-government-e-mail-passwords.html
>
> It suggests using encryption (SSL); however, that still doesn't
> prevent the Tor server user from intercepting. You get anonymity, not
> necessarily security, with P2P networks. However, even if there were
> no such interception, using SSL means the target knows the source.
> With P2P, there are more unknown hosts you pass through, more chances
> for man-in-the-middle attacks.
>
> http://xiandos.info/Tor
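
On the question of what to look for in a certificate, as an added example that is not part of the original thread: a Python check over the dictionary form returned by `ssl.SSLSocket.getpeercert()` that reports the usual warning signs of an intercepting proxy. The host name `mail.example.com`, the certificate fields, the byte strings standing in for DER data, and the function names are all constructed for illustration.

```python
import hashlib
import ssl

# Constructed sample data (not real certificates), shaped like getpeercert() output.
SUBJ = ((("commonName", "mail.example.com"),),)
CA = ((("organizationName", "Example CA"),), (("commonName", "Example Root"),))
DATES = {"notBefore": "Jan 10 00:00:00 2007 GMT", "notAfter": "Jan 10 00:00:00 2008 GMT"}
GENUINE = {"subject": SUBJ, "issuer": CA,
           "subjectAltName": (("DNS", "mail.example.com"),), **DATES}
# An interceptor can put the right name on a certificate it signed itself.
INTERCEPTED = {"subject": SUBJ, "issuer": SUBJ, **DATES}
GENUINE_DER, INTERCEPTED_DER = b"constructed-der-genuine", b"constructed-der-proxy"
NOW = ssl.cert_time_to_seconds("Oct 27 23:24:17 2007 GMT")

def fingerprint(der_bytes):
    """SHA-256 fingerprint of the DER-encoded certificate, as hex."""
    return hashlib.sha256(der_bytes).hexdigest()

def claimed_names(cert):
    """DNS names the certificate claims: subjectAltName first, else commonName."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly the left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def warning_signs(cert, der_bytes, host, now, pinned_fp=None):
    """Return the list of reasons to distrust this certificate for `host`."""
    signs = []
    if not any(name_matches(n, host.lower()) for n in claimed_names(cert)):
        signs.append("name-mismatch")        # issued to a different site
    if cert.get("issuer") == cert.get("subject"):
        signs.append("self-signed")          # no independent CA vouches for it
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        signs.append("outside-validity")     # expired or not yet valid
    if pinned_fp is not None and fingerprint(der_bytes) != pinned_fp:
        signs.append("fingerprint-changed")  # differs from the copy seen earlier
    return signs

# Fingerprint recorded earlier over a connection you trust (assumption).
PINNED = fingerprint(GENUINE_DER)
```

The fingerprint comparison is the strongest of these checks, because it still fires when the substituted certificate carries the correct site name.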