Tor Used To Collect Embassy Email Passwords
Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.
Re:Raising the question... (Score:3, Informative)
Re:Heh (Score:3, Informative)
and? (Score:3, Informative)
Personally, I'm more afraid of some script kiddie stealing my ID than the man listening to my thoughts.
Re:This reminds me... (Score:4, Informative)
Re:Heh (Score:5, Informative)
Quite simply, TOR is a system to anonymize, so that the website you are going to can't tell who you are. (e.g. can't correlate between repeated visits, can't use your IP to track you down, etc.) As long as you are surfing in a non-identifiable way, even the exit node doesn't know anything about you, and can't determine which requests came from you, as opposed to someone else in the TOR network.
However, if you use TOR in an identifiable way, such as sending a plaintext email (which has plaintext "To" and "From" fields), then you're not using TOR properly. You are inherently exposing yourself, and the exit node can now learn quite a bit about you. If you are connecting to resources without encryption, then the exit node can sniff the data.
Normally, though, you wouldn't use TOR in combination with a secure site you are logging into, anyway. (What's the point in anonymizing your IP address if you log in with your easily-identifiable username, anyways? The site is obviously going to identify you!) So, really, you should not just turn TOR on and then forget about it, because you shouldn't be sending your email through TOR, nor logging into sites using TOR.
The lesson to learn from his blog post, which he doesn't state plainly enough, is that you should split your web-usage into categories:
1. When browsing in a non-identifiable way, use TOR if you want anonymity.
2. When accessing/logging-in to a trusted resource, don't use TOR. (This includes email, etc.)
3. If you need to access a specific resource while maintaining anonymity, use TOR but make sure you use strong end-to-end encryption for the entire session (and not merely encryption for the login phase).
This is, at least, my understanding. Corrections and clarifications are welcome.
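The exposure described in the comment above, as an added example that is not part of the original comment: a check that walks the client side of a mail session as any relay on the path (a Tor exit node included) would see it, and reports which credential-bearing commands went out before any TLS upgrade. The session contents, account name and host name are constructed sample data; only command verbs are reported, never the secrets.

```python
import re

# Cleartext mail ports and their protocols; implicit-TLS ports carry only TLS records.
PROTO_BY_PORT = {110: "pop3", 143: "imap", 25: "smtp", 587: "smtp"}
IMPLICIT_TLS_PORTS = {995, 993, 465}  # POP3S, IMAPS, SMTPS

# Client commands that put a username or password on the wire in readable form.
AUTH = {
    "pop3": re.compile(rb"^(USER|PASS|AUTH\s+(?:PLAIN|LOGIN))\b", re.I),
    "imap": re.compile(rb"^\S+\s+(LOGIN|AUTHENTICATE\s+(?:PLAIN|LOGIN))\b", re.I),
    "smtp": re.compile(rb"^(AUTH\s+(?:PLAIN|LOGIN))\b", re.I),
}
# Client commands that upgrade the connection to TLS in place.
UPGRADE = {
    "pop3": re.compile(rb"^STLS\b", re.I),
    "imap": re.compile(rb"^\S+\s+STARTTLS\b", re.I),
    "smtp": re.compile(rb"^STARTTLS\b", re.I),
}

def audit_session(port, client_lines):
    """Return the credential-bearing verbs an on-path relay could read."""
    if port in IMPLICIT_TLS_PORTS:
        return []                      # TLS from the first byte
    proto = PROTO_BY_PORT.get(port)
    if proto is None:
        return []                      # not a protocol this check understands
    exposed = []
    for line in client_lines:
        if UPGRADE[proto].match(line):
            break                      # everything after this is encrypted
        m = AUTH[proto].match(line)
        if m:
            exposed.append(m.group(1).upper().decode())
    return exposed

# Constructed sample sessions: (destination port, client-to-server lines).
SESSIONS = {
    "pop3-plain":    (110, [b"USER alice", b"PASS REDACTED", b"STAT"]),
    "pop3-stls":     (110, [b"CAPA", b"STLS", b"\x16\x03\x01\x02\x00"]),
    "pop3s":         (995, [b"\x16\x03\x01\x02\x00"]),
    "imap-login":    (143, [b"a1 CAPABILITY", b"a2 LOGIN alice REDACTED"]),
    "smtp-starttls": (587, [b"EHLO host.example", b"STARTTLS"]),
}

def report():
    return {name: audit_session(port, lines) for name, (port, lines) in SESSIONS.items()}

if __name__ == "__main__":
    for name, verbs in report().items():
        print(f"{name:14} {'EXPOSED: ' + ', '.join(verbs) if verbs else 'ok'}")
```
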
Re:This reminds me... (Score:3, Informative)
Assuming, of course, you had access to openssh.
Re:Heh (Score:5, Informative)
There's a balance to be struck with anonymity and security and where you strike it depends on what aspects need to be anonymous and what other aspects need to be secure.
Re:What? No! Can't be! Impossible! (Score:3, Informative)
Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal?
I don't think the guy was billing it as some major technical achievement. The news is the sensitivity of the traffic.
Re:This reminds me... (Score:3, Informative)
Just tell me how you expect to launch a MiM attack against a site whose public key I already have on hand. Yeah, well, not a valid case for a USA high school where, it's commonplace, students usually reside up to ten thousand miles away from the premises.
"IPSec is a better choice for remote services."
Yessir, especially when you can only make one side agree. Surely forcing an IPSec tunnel to any single student that wants just to download her e-mail from the school server is the proper, mensurated, well engineered solution for the problem. Just using POP3S? Naaah!
Re:Raising the question... (Score:1, Informative)
I doubt it. Decades ago it would have been the RCMP, but today that falls under the domain of the Communications Security Establishment, not the RCMP.
The CSE is Canada's version of the NSA. Betcha didn't know that! We're like a grown-up country after all!