Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.
Wow. You're claiming, AC of course, that the Canadian Mounted Police have active espionage of foreign governments. That's an interesting claim. Do go on.
by Anonymous Coward
on Tuesday September 11 2007, @01:09PM (#20558095)
Of course Embassy officials have something to hide. In fact this raises a superb example of one of the legitimate, and useful, needs for Tor. There are a lot of people, mostly in law enforcement, who'd like to see all anonymity, and especially Tor, shut down. And I'm not just referring to Communist China.
And let us not forget that Onion routing was first officially developed, and published, by the U.S. Navy back in the 90's.
Now if only Slashdot would allow me to post via lynx through Tor. "Anonymous" my butt.
It turns into a denial of service attack for that website on the tor network as a whole. Not terribly scary. Tor endpoints are just a few more open proxies, in the scheme of things.
One person already brought up the idea that it could be hackers using tor, and that they are reading the emails of the embassy officials. tor just helps them cover their tracks.
Many possible answers... But I think the most likely is that they may not be using Tor, but others already having hacked their account and those may have very good reasons trying to hide their actual locations. I think that's the most likely answer, because if the embassies are as careful as to routinely use Tor, they'd also know what encrypted e-mail is. But sure, there's the small chance they do want to hide sensitive correspondence. And actually, I hope they are trying to, for a number of reasons, so it's
...of a guy in a class I took who had packet sniffed our network, then reported my university e-mail password to me. Why? Because the university refused to enable SSL-secured POP3. A quick email reveals that, in fact, they were never planning to, and that I am just SOL.
Meh. My internet connection is inherently insecure although it's free so I don't mind too much. I use ssh to a linux server I own as a proxy for anything that I don't want read by others.
I used the same trick in high school to get around a really annoying filter. This filter would sometimes block slashdot because there were too many curses, "sexual references," or just because the random block feature was active. A quick SSH to a box outside of the school, run w3m (our connection was pretty bad, so I needed to save some bandwidth), and I have the unfiltered web.
I overcome my lack of anonymity over email by writing such inane boring tedious drivel to no one in particular so that no one in their right mind could possibly want to read... zzzzz/marvin
Not much point in that. What he should have done was sniff the admin's email password. Then send him an email with the sniffer log, from his own email address. That'll get the message through.
Don't put too much faith in SSL. Yep, even with SSL, someone can play a man in the middle attack on you.
Use PGP if it is email. But the envelope still must disclose the destination mailbox. But it could be a simple gmail account as the destination as not to give out the recipient.
IPSec is a better choice for remote services. The only thing you give up there is 2 end points and a byte count.
If it is anonymous you want, lots of subtle ways to hide messages in the Internet. More than I could count.
"Don't put too much faith in SSL. Yep, even with SSL, someone can play a man in the middle attack on you." Just tell me how do you expect to launch a MiM attack against a site I got the public key already on hand. Yeah, well, not a valid case for a USA high school where -it's commonplace, students usually reside up to ten thousand miles away from the premises.
"IPSec is a better choice for remote services."
Yessir, specially when you only can make one side agree. Surely forcing an IPSec tunnel to any single
"Try this site for the issue" Can you please explain what this has to be (a faked root authority) with my question? Remember: I *already* have the site's public key; I don't need to be confident in *any* other third party.
Even in the case from you article, remember that if your "MiM attack" strategy includes owning my box or the server, that's not a MiM attack anymore.
"It does help a little to sign your own certs and inspect them ALL the time on every use."
Wouldn't you find a little suspicious that while vi
Of course something originally designed by the US Naval Research Laboratory and then spun off to an "independent pro-privacy group" such as the EFF would have loopholes, insecurities, and unwieldly aspects of it.
One thing that doesn't make sense to me: why does Tor operate MOSTLY over primary networks with non-tor functions? Doesn't it make sense that people who rely on Tor-offered anonymity would only operate the network bound to a specific NIC, a specific router and a specific network connection, separate from their main non-anonymous one? If anonymity is that important, why even bother trying to maintain an anonymous network connection concurrent with your non-anonymous one, with both utilizing the same single-point of exit/entry?
Um. Have you ever used Tor? Did you read the article or even the summary? There is NO MENTION of any vunerabilites in Tor. You are implying that Tor is back doored or somehow otherwise vunerable. This is not the case or what happened here. The information gathering occured via sniffing of an exit router.
Indeed. This isn't a problem with TOR per se. If I'm reading the blog post correctly, the security issue he is really identifying is: "don't mix an anonymizer with identifiable actions."
Quite simply, TOR is a system to anonymize, so that the website you are going to can't tell who you are. (e.g. can't correlate between repeated visits, can't use your IP to track you down, etc.) As long as you a surfing in a non-identifiable way, even the exit node doesn't know anything about you, and can't determine which requests came from you, as opposed to someone else in the TOR network.
However, if you use TOR in an identifiable way, such as sending a plaintext email (which has plaintext "To" and "From" fields), then you're not using TOR properly. You are inherently exposing yourself, and the exit node can now learn quite a bit about you. If you are connecting to resources without encryption, then the exit node can sniff the data.
Normally, though, you wouldn't use TOR in combination with a secure site you are logging into, anyway. (What's the point in anonymizing your IP address if you log in with your easily-identifiable username, anyways? The site is obviously going to identify you!) So, really, you should not just turn TOR on and then forget about it, because you shouldn't be sending your email through TOR, nor logging into sites using TOR.
The lesson to learn from his blog post, which he doesn't state plainly enough, is that you should split your web-usage into categories: 1. When browsing in a non-identifiable way, use TOR if you want anonymity. 2. When accessing/logging-in to a trusted resource, don't use TOR. (This includes email, etc.) 3. If you need to access a specific resource while maintaining anonymity, use TOR but make sure you use strong end-to-end encryption for the entire session (and not merely encryption for the login phase).
This is, at least, my understanding. Corrections and clarifications are welcome.
You can use it in a personally identifying way if what you want to conceal is not your identity but rather your location, or you have a need to communicate securely at your local end so that others at your end won't know where you're going.
There's a balance to be struck with anonymity and security and where you strike it depends on what aspects need to be anonymous and what other aspects need to be secure.
I'd mod you overrated, but knowing slashdot you'd be modded back up in a couple of minutes.
First of all, you didn't bother reading the article (yeah, I know, slashdot and all that). The sniffing happened at the exit nodes, which are the last nodes in the chain, which must communicate with whatever the client is trying to communicate. If the server you're trying to reach doesn't speak something encypted, tor doesn't magically make this encrypted.
Second, unless you're a complete dimwit, you know that traf
Tor uses the concept of 'onion routing' to obscure the source and destination of content passed through it. What this means is that, like an onion, content is wrapped in multiple layers of destinations and buried in the ground (or routed) until, after a delay, shoots come up (the headers are interpreted and the onion is passed to another destination) and ultimately the onion is ready to be dug out of the ground (the content reaches its destination).
Unfortunately, it's possible to tell it's still an onion by the time it reaches your house. And that's what this article is referring to. If you wrapped an apple in an onion (used secure public key encryption) then you have an additional layer of security. That's a whole nother layer of complication, however.
Unfortunately, it's possible to tell it's still an onion by the time it reaches your house. And that's what this article is referring to. If you wrapped an apple in an onion (used secure public key encryption) then you have an additional layer of security.
You know, not everybody likes onions. Cake! Everybody loves cakes! Cakes have layers!
...
You know what else everybody likes? Parfaits. Have you ever met a person, you say, "Let's get some parfait," they say, "Hell no, I don't like no parfait"? Parfaits are delicious.
Does that work on any web page, or does it have to be specifically enabled? How can I know if the connection is secure? And when I click a link will that also use 'https'?
SSL is not enabled by default these days as it adds quite a bit of CPU overhead on busy sites (or so I heard).
Plus, it's close to worthless without some kind of digitally signed certificate proving that your encrypted connection is talking to the website you want to be talking to...
Otherwise, that dodgy last layer of the Tor cake closest to the website could be talking SSL to your browser, and SSL to the website - but acting as a man-in-the-middle, eavesdropping on everything being said. Imaginatively, this
Maybe the Tor team should stop saying in their explanation pages that they use encryption. They should do like every company, use a near-English word, "Anonimyzation technology" maybe...
And a little warning in bold letters "Careful ! Tor provides you with anonymity, not secret of the transmission. You should still use encryption to protect your sensitive transfers."
I don't know. But it's a good idea. Monitor the unencrypted link of some encrypted traffic in order to find out sensitive information. You can kind of assume that Tor traffic will have a greater concentration of interesting stuff going on than regular internet traffic.
by Anonymous Coward
on Tuesday September 11 2007, @01:11PM (#20558173)
I doubt the users from these governments were using TOR to check their mail. More likely that hackers had already compromised the accounts and were using them to check the email accounts anonymously.
From TFA:
"These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about"
Also the article says the compromised organizations were warned about the risks of using Tor without encryption, and the warnings were blown off. That doesn't sound to me like any hackers were behind the Tor usage.
I would be surprised to find that this is an acceptable policy in most governments. The US government, for example, is pretty restrictive with its systems, and Tor would not be tolerated if you got caught. Sounds to me like the biggest move that needs to be made is reprimanding or firing employees, not policy.
"I would be surprised to find that this is an acceptable policy in most governments." I wouldnt. Using Tor would be a very good way to protect various government activities where they dont want anyone to trace sources and destinations. Think infiltrations of web communities, avoiding host-country snooping on various activities, avoiding geographic tracing for field personell, etc.
As TFA noted, it _is_ policy for various governments specific personell. And it probably works very well against the specific thre
E.g. the CIA could have used Tor to hide that it was them making bizarre edits to the Wiki page about the Pope (poss. to communicate secret code messages to undercover agents in the field--spookipedia).
If governments and embassies are using it then it's likely the system is relatively secure. What's likely to have happened is the Tor code was audited by said government(s) and found to be legit. Then the clueless diplomats were told "Hey, we've setup an anonymous browsing system for you. Browse away." Then the said diplomats go out and start browsing, thinking they're completely secure (i.e. don't need encryption, it's anonymous right?) The rest is history. I wonder about the intelligence of sniffing Tor ex
As long as you kept your mouth shut, how would they know? I mean, it works the way it's supposed to... You could gather all kinds of interesting info and no one would have any reason to know you sniffed it...
In fact, it might be pretty scary seeing what's coming in/ going out a Tor exit node. Think of who might use Tor besides clueless diplomats?
I thought it was common knowledge that most exit routes were owned by the very people, people think they need to keep secrets from.
Personally, I'm more afraid of some script kiddie stealing my ID than the man listening to my thoughts... but then again I grew up in Canada, not Bosnia or whatever:-)
Someone who sits between sender and recepient who exchange unencrypted data can sniff it? Impossible! Stunning news!
Which reminds me,/. should implement irony tags.
Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal? I'm kinda glad someone finally points it out and that it affects some high profile target like an embassy so some people (read: politicians and other, similar entities) will actually realize that this is possible and being done, but the answers here scare me almost more.
I mean, here, we're supposedly a hint more educated than Joe Schmoe Average Browser, right? News for Nerds is hardly Weekly World News, I'd say. And still, we got people posting tinfoil crap like "Developed by $three_letter_agency" or "of course it has to have holes, it's from the EFF". WTF? Folks? Get a grip. From the exit node to the server it's as unencrypted as it would be from you to the server if you didn't use TOR. That's neither a flaw, nor an implementation error, nor some CIA/NSA/WTF conspiracy. It's simply the way the net works, if you don't use some kind of SSL encryption between the communication partners!
It does, 'hestavius tempus malarum lipsum' is a Latin phrase meaning 'irony'. If you check the page source you can find the tag and/tag in initialism form, like RSVP.
The problem here is not that people are using Tor, the problem is that many services use unencrypted connections and unencrypted passwords. Tor is merely a convenient way of exposing this, but the problem would exist even without Tor.
So, don't blame Tor, blame service providers that use unencrypted authentication, and blame people using these kinds of services.
Unless he built his own Tor node, joined the network, then captured his proxied traffic - which is something ANY Tor admin could do, in which case its STILL not particulary insightful, cool, or 31337.
That's exactly what he did. The entire point of him doing so was (he claims) to demonstrate that people using TOR are not protected from anyone reading traffic that comes out the exit nodes if they don't bother to encrypt the traffic they send into TOR.
Raising the question... (Score:3, Interesting)
Re: (Score:3, Informative)
Re: (Score:2)
Legitimizes Tor (Score:4, Insightful)
And let us not forget that Onion routing was first officially developed, and published, by the U.S. Navy back in the 90's.
Now if only Slashdot would allow me to post via lynx through Tor. "Anonymous" my butt.
Parent
So block the exit nodes. (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
But sure, there's the small chance they do want to hide sensitive correspondence. And actually, I hope they are trying to, for a number of reasons, so it's
This reminds me... (Score:5, Interesting)
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:3, Informative)
Assuming, of course, you had access to openssh.
Re: (Score:3, Funny)
Re:This reminds me... (Score:4, Informative)
Parent
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Don't put too much faith in SSL. Yep, even with SSL, someone can play a man in the middle attack on you.
Use PGP if it is email. But the envelope still must disclose the destination mailbox. But it could be a simple gmail account as the destination as not to give out the recipient.
IPSec is a better choice for remote services. The only thing you give up there is 2 end points and a byte count.
If it is anonymous you want, lots of subtle ways to hide messages in the Internet. More than I could count.
Re: (Score:3, Informative)
Just tell me how do you expect to launch a MiM attack against a site I got the public key already on hand. Yeah, well, not a valid case for a USA high school where -it's commonplace, students usually reside up to ten thousand miles away from the premises.
"IPSec is a better choice for remote services."
Yessir, specially when you only can make one side agree. Surely forcing an IPSec tunnel to any single
Re: (Score:3, Insightful)
Can you please explain what this has to be (a faked root authority) with my question? Remember: I *already* have the site's public key; I don't need to be confident in *any* other third party.
Even in the case from you article, remember that if your "MiM attack" strategy includes owning my box or the server, that's not a MiM attack anymore.
"It does help a little to sign your own certs and inspect them ALL the time on every use."
Wouldn't you find a little suspicious that while vi
Heh (Score:3, Funny)
One thing that doesn't make sense to me: why does Tor operate MOSTLY over primary networks with non-tor functions? Doesn't it make sense that people who rely on Tor-offered anonymity would only operate the network bound to a specific NIC, a specific router and a specific network connection, separate from their main non-anonymous one? If anonymity is that important, why even bother trying to maintain an anonymous network connection concurrent with your non-anonymous one, with both utilizing the same single-point of exit/entry?
Doesn't make sense.
Re: (Score:3, Informative)
Re:Heh (Score:5, Informative)
Quite simply, TOR is a system to anonymize, so that the website you are going to can't tell who you are. (e.g. can't correlate between repeated visits, can't use your IP to track you down, etc.) As long as you a surfing in a non-identifiable way, even the exit node doesn't know anything about you, and can't determine which requests came from you, as opposed to someone else in the TOR network.
However, if you use TOR in an identifiable way, such as sending a plaintext email (which has plaintext "To" and "From" fields), then you're not using TOR properly. You are inherently exposing yourself, and the exit node can now learn quite a bit about you. If you are connecting to resources without encryption, then the exit node can sniff the data.
Normally, though, you wouldn't use TOR in combination with a secure site you are logging into, anyway. (What's the point in anonymizing your IP address if you log in with your easily-identifiable username, anyways? The site is obviously going to identify you!) So, really, you should not just turn TOR on and then forget about it, because you shouldn't be sending your email through TOR, nor logging into sites using TOR.
The lesson to learn from his blog post, which he doesn't state plainly enough, is that you should split your web-usage into categories:
1. When browsing in a non-identifiable way, use TOR if you want anonymity.
2. When accessing/logging-in to a trusted resource, don't use TOR. (This includes email, etc.)
3. If you need to access a specific resource while maintaining anonymity, use TOR but make sure you use strong end-to-end encryption for the entire session (and not merely encryption for the login phase).
This is, at least, my understanding. Corrections and clarifications are welcome.
Parent
Re:Heh (Score:5, Informative)
There's a balance to be struck with anonymity and security and where you strike it depends on what aspects need to be anonymous and what other aspects need to be secure.
Parent
Re: (Score:2)
I'd mod you overrated, but knowing slashdot you'd be modded back up in a couple of minutes.
First of all, you didn't bother reading the article (yeah, I know, slashdot and all that). The sniffing happened at the exit nodes, which are the last nodes in the chain, which must communicate with whatever the client is trying to communicate. If the server you're trying to reach doesn't speak something encypted, tor doesn't magically make this encrypted.
Second, unless you're a complete dimwit, you know that traf
Unencrypted traffic is always unencrypted (Score:5, Funny)
eknagy
Encryption is difficult for laypersons. (Score:4, Interesting)
Tor uses the concept of 'onion routing' to obscure the source and destination of content passed through it. What this means is that, like an onion, content is wrapped in multiple layers of destinations and buried in the ground (or routed) until, after a delay, shoots come up (the headers are interpreted and the onion is passed to another destination) and ultimately the onion is ready to be dug out of the ground (the content reaches its destination).
Unfortunately, it's possible to tell it's still an onion by the time it reaches your house. And that's what this article is referring to. If you wrapped an apple in an onion (used secure public key encryption) then you have an additional layer of security. That's a whole nother layer of complication, however.
apples and onions (Score:3, Funny)
Re:Encryption is difficult for laypersons. (Score:5, Funny)
You know, not everybody likes onions. Cake! Everybody loves cakes! Cakes have layers!
You know what else everybody likes? Parfaits. Have you ever met a person, you say, "Let's get some parfait," they say, "Hell no, I don't like no parfait"? Parfaits are delicious.
Parent
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
Plus, it's close to worthless without some kind of digitally signed certificate proving that your encrypted connection is talking to the website you want to be talking to...
Otherwise, that dodgy last layer of the Tor cake closest to the website could be talking SSL to your browser, and SSL to the website - but acting as a man-in-the-middle, eavesdropping on everything being said. Imaginatively, this
Re: (Score:2)
And a little warning in bold letters "Careful ! Tor provides you with anonymity, not secret of the transmission. You should still use encryption to protect your sensitive transfers."
Is it still called a man-in-the middle attack (Score:5, Interesting)
Re: (Score:2)
Lo dudo (Score:5, Insightful)
-AC
Re: (Score:2)
"These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about"
Also the article says the compromised organizations were warned about the risks of using Tor without encryption, and the warnings were blown off. That doesn't sound to me like any hackers were behind the Tor usage.
Why are they using Tor? (Score:2)
Re: (Score:2)
I wouldnt. Using Tor would be a very good way to protect various government activities where they dont want anyone to trace sources and destinations. Think infiltrations of web communities, avoiding host-country snooping on various activities, avoiding geographic tracing for field personell, etc.
As TFA noted, it _is_ policy for various governments specific personell. And it probably works very well against the specific thre
Re: (Score:2)
Why not a VPN using SSH back to the home country and then out from there?
Re: (Score:2)
This proves securty. (Score:2, Insightful)
I wonder about the intelligence of sniffing Tor ex
Re: (Score:2)
In fact, it might be pretty scary seeing what's coming in/ going out a Tor exit node. Think of who might use Tor besides clueless diplomats?
and? (Score:3, Informative)
Personally, I'm more afraid of some script kiddie stealing my ID than the man listening to my thoughts
The summaries don't add much? (Score:2)
What? No! Can't be! Impossible! (Score:5, Insightful)
Which reminds me,
Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal? I'm kinda glad someone finally points it out and that it affects some high profile target like an embassy so some people (read: politicians and other, similar entities) will actually realize that this is possible and being done, but the answers here scare me almost more.
I mean, here, we're supposedly a hint more educated than Joe Schmoe Average Browser, right? News for Nerds is hardly Weekly World News, I'd say. And still, we got people posting tinfoil crap like "Developed by $three_letter_agency" or "of course it has to have holes, it's from the EFF". WTF? Folks? Get a grip. From the exit node to the server it's as unencrypted as it would be from you to the server if you didn't use TOR. That's neither a flaw, nor an implementation error, nor some CIA/NSA/WTF conspiracy. It's simply the way the net works, if you don't use some kind of SSL encryption between the communication partners!
Sometimes I really wonder...
Re: (Score:3, Informative)
Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal?
I don't think the guy was billing it as some major technical achievement. The news is the sensitivity of the traffic.
Re: (Score:2)
It does, 'hestavius tempus malarum lipsum' is a Latin phrase meaning 'irony'. If you check the page source you can find the tag and
-
don't blame Tor (Score:2)
So, don't blame Tor, blame service providers that use unencrypted authentication, and blame people using these kinds of services.
That's exactly what he did. (Score:5, Insightful)
That's exactly what he did. The entire point of him doing so was (he claims) to demonstrate that people using TOR are not protected from anyone reading traffic that comes out the exit nodes if they don't bother to encrypt the traffic they send into TOR.
Parent
Re: (Score:2)
Re: (Score:2)