Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security

Spying On Tor 198

juct writes "The long-standing suspicion that the anonymizing network TOR is abused to catch sensitive data by Chinese, Russian, and American government agencies as well as hacking groups gets new support. Members of the Teamfurry community found TOR exit-nodes which only forward unencrypted versions of certain protocols. These peculiar configurations invite speculation as to why they are set up in this way. Another tor exit node has been caught doing MITM attacks using fake SSL certificates."
This discussion has been archived. No new comments can be posted.

Spying On Tor

Comments Filter:
  • Conclusion: (Score:3, Insightful)

    by Anonymous Coward on Wednesday November 21, 2007 @11:27AM (#21436135)
    You have to know what you're doing to have security. I know it's getting old, but plug-in security simply does not exist.
  • by TheSciBoy ( 1050166 ) on Wednesday November 21, 2007 @11:28AM (#21436137)

    This is what happens in a knee-jerk-reaction-based society. You point out a security flaw, instantly identifying yourself as a security threat, get thrown into jail and while your very public trial is going on, the real bad guys are utilizing the very security flaws you found to do Bad Things(TM).

    Good grief.

    • by Z00L00K ( 682162 ) on Wednesday November 21, 2007 @11:40AM (#21436313) Homepage Journal
      That's the normal situation - governments are permitted to do anything that's criminal for a normal citizen. As soon as you do anything is government approved or required it's no longer an issue of breaking the law. Even if it's morally wrong.

      The problem here is that the guy revealed one of the weaknesses that's utilized by governments all over the world and suddenly that leak was quenched.

    • by Frosty Piss ( 770223 ) on Wednesday November 21, 2007 @12:05PM (#21436671)
      The problem with the guy you're talking about is not that he pointed out some issues with TOR, but that he then proceeded to disclose 100's of user ID and password combos. Totally unnecessary and irresponsible.
    • by SuperBanana ( 662181 ) on Wednesday November 21, 2007 @12:21PM (#21436933)

      Is this not what that swedish hacker said?

      Is this not what anyone with a basic understanding of the most basic network/TCP concepts (ports, IP addresses, connections, that sort of thing) should have realized, if they read anything about Tor? Is this not something that the Tor project should have explained in clear language for those who do NOT have a basic understanding of networking?

      It's beyond "untrusted". It's a hostile network and blatantly so, if you bother to read even a basic description of it. You should assume that your traffic will be routed out a node where a person, organization, or government is passively monitoring or actively attacking your traffic.

      All this (repeated) fuss demonstrates is how many incompetent network/sysadmin people there are in the world, and how few people in the press and "blogging" community understand networking. Any idiot who knows ALL of the reasons why ssh is better than telnet (ie, answers more than just "it's encrypted, so people can't see what you're typing") should be able to tell you why Tor is a hostile network...unless they're just parroting what they've read elsewhere.

      • Re: (Score:3, Interesting)

        by Burz ( 138833 )
        I disagree with the overall thrust of your post.

        Tor isn't aimed at sysadmins for use as a client. You are confusing the actors and roles in your message.

        Tor client only requires a knowledge of: domains/URLs, cookies and misc browser security issues like scripts and web bugs. Network architecture isn't important (if I'm mistaken, please explain). In Firefox, keep using Tools-> Clear Private Data. With this level of knowledge you can browse 'open' sites anonymously.

        If privacy is also required, then basic k
        • Re: (Score:3, Interesting)

          by SuperBanana ( 662181 )

          Tor isn't aimed at sysadmins for use as a client. You are confusing the actors and roles in your message.

          The point of my post is that at several organizations, including apparently a bunch of embassies, someone thought it was a good idea to install this stuff. It's the fault of the sysadmins for not advising their users better or not locking down machines (embassies should have good security.) What's truly frightening is the possibility that one of them recommended it, and that's even worse.

          • by Burz ( 138833 )
            OK but, the Swede who conducted his exit-node study did not really know if those people accessing embassy systems actually belonged doing so. Hmmm...

            And yeah, recommending it for official business it just crazy. Unless-- the embassy personnel were spying in their host country.

      • There's a link on the tor homepage [torproject.org] to a set of warnings [torproject.org]; number four reads:

        Tor anonymizes the origin of your traffic, and it encrypts everything inside the Tor network, but it can't encrypt your traffic between the Tor network and its final destination. [torproject.org] If you are communicating sensitive information, you should use as much care as you would on the normal scary Internet -- use HTTPS or other end-to-end encryption and authentication.

        The link goes to an explanation saying that you should use end-to-end encryp

  • MITM (Score:5, Interesting)

    by MartinG ( 52587 ) on Wednesday November 21, 2007 @11:31AM (#21436187) Homepage Journal
    I've seen ssh MITM attempts myself with tor, but this can easily be avoided by ensuring you check your fingerprints. You do check your fingerprints, don't you?
    • Or by using private-key encryption whenever possible. Of course neither solution means anything when you're trying to use an e-commerce site with SSL. Browsers don't offer a solution for checking the security of the connection against MitM attacks.

      I find it interesting and openly malicious that encrypted protocols are blocked at some exit nodes. This may explain some intermittent problems that I've been experiencing with some of my apps that use TOR and encryption.
      • Re: (Score:3, Informative)

        by Anonymous Coward
        Huh? You make no sense. SSL is private-key encryption. Every browser I have ever touched does offer a solution for checking against MITM attacks, namely by warning if the certificate is self-signed or doesn't match the site that sent it.
        • by Valdrax ( 32670 )
          What are you talking about? SSL certificates are/contain public keys. Read more about the SSL and TLS handshaking procedure.

          Also, what happens when you visit a site that signs its own certificate? It's not that hard in doing a MitM attack to fake being that site's unique certificate. Unless you're dealing with a site that you absolutely know uses a trusted third party certificate, then you're SOL.

          Also, a government-run MitM node could very well possess a CA's private key and be able to fake legit certif
          • ...and your earlier statement that browsers have no way of checking against MITM is incredibly irresponsible. The only MITM browsers cannot warn against is where the CA is executing or cooperating in the attack.

            You either trust a third-party CA, or the communicating parties setup their own keys (preferably in person). Those are the fundamental mechanics of trust when using electronic communications, and the modern browser covers them. Need to use a "joe random" CA? Just plug it into your browser preferences
            • You either trust a third-party CA, or the communicating parties setup their own keys (preferably in person). Those are the fundamental mechanics of trust when using electronic communications, and the modern browser covers them. Need to use a "joe random" CA? Just plug it into your browser preferences. Inconvenient? Too bad, ssh is no better.

              In person? Oh, really. Just what browser implements TLS-PSK today?

              No, you're pretty much entirely stuck with the first choice -- blindly trusting a third-party CA whic
              • by Burz ( 138833 )
                You're still not making sense:

                No, you're pretty much entirely stuck with the first choice -- blindly trusting a third-party CA which can be a single point of security failure for a large number of sites. That's the problem. E-commerce requires trust where none should be assumed, especially in the case of a network like TOR that funnels all traffic into a handful of potentially compromised exit nodes.

                Who said this was about e-commerce? Under what conditions should online commerce be kept secret from the government? Or by "single point of failure" are are implying that a CA will have its private key STOLEN by private crooks?? The latter would be a really stupid assumption to make, esp since they can revoke stolen keys.

                If two or more parties want privacy without the questions an (un)trusted third-party raises, then they can distribute certificates among themselves and use Ce

                • Re: (Score:3, Interesting)

                  by Valdrax ( 32670 )
                  [1]Who said this was about e-commerce? [2]Under what conditions should online commerce be kept secret from the government? [3]Or by "single point of failure" are are implying that a CA will have its private key STOLEN by private crooks?? The latter would be a really stupid assumption to make, esp since they can revoke stolen keys.

                  (Numbers added by me)
                  1. E-commerce is the single most common use of SSL encryption.
                  2. Under any and all situations in which the government does not have a warrant.
                  3. No. By gov
                  • So does SSH. It's the server fingerprint. Much like a certificate, unless you have knowledge of what it should be prior to the connection, it's hard to know you're compromised. The problem is exacerbated by inexperienced users, but fundamentally it's the issue of trusting an unknown set of credentials.

                    No, it's not the same. Server certificates are signed by a trusted root CA; the public key for that CA is distributed out-of-band on your operating system's installation media. You can reasonably trust that w

                • Or by "single point of failure" are are implying that a CA will have its private key STOLEN by private crooks?? The latter would be a really stupid assumption to make, esp since they can revoke stolen keys.

                  Ha. Hahahahahahaha. Certificate revocation is completely useless in today's browsers. Here is one reference [amug.org] that's pretty old, but I'm sure you can find newer stuff if you actually research this.

  • Team Furry? (Score:3, Funny)

    by Odiumjunkie ( 926074 ) on Wednesday November 21, 2007 @11:32AM (#21436191) Journal
    > Members of the Teamfurry community found TOR exit-nodes which only forward unencrypted versions of certain protocols.

    Are they worried that the Chinese will intercept pictures of them dressed like this [imageshack.us]?
  • and once credibility is tainted or the finger of suspicion is pointed then nobody will trust it again. as trust is like love, in that it must be built up over a period of time - but can be destroyed in an instant.

    burp.
  • Whew. (Score:1, Funny)

    by Anonymous Coward
    It's good to know the furry community is keeping us abreast of these security concerns.
  • by athloi ( 1075845 ) on Wednesday November 21, 2007 @11:36AM (#21436253) Homepage Journal
    How does anyone expect anonymity? Traffic must somewhere go through ISPs, most of which rent their upstream from large providers like AT&T, who is surely not the only large corporation to get in bed with the government or anyone else who can pay. Enough of that information loaded into a database and compared will yield information about the suspect, even if it's too complex to explain to a "jury of your peers."

    If you want anonymity, SSH through a string of compromised Eastern European servers to a comfortably log-agnostic Indonesian ISP, and do all your surfing through Lynx/Links. That's the only stab at anonymity you'll get, and they'll probably just install a keylogger anyway. Freedom is slavery.
    • by arevos ( 659374 ) on Wednesday November 21, 2007 @12:10PM (#21436751) Homepage
      Tor gives you pretty robust anonymity, it just doesn't provide privacy.
    • How does anyone expect anonymity?

      It isn't as much as anonymity, but rather when the authorities or ISP ask "Who is Sparticus?!" everyone shouts "I am Sparticus!"

      Of course what has been happening here is that not everyone has been going along and the concept fails.

      I believe true internet anonymity can achieved if there are multiple trusted destination sources and proper encryption between them.

      As in if you encrypt your data (with a one time pad), cut it up into multiple different chunks and send it to multip
      • by Sancho ( 17056 )

        However, if enough people on the chain of blind senders/recipients decided to not follow the rules and started telling more info than the should then the ISP and or powers that be can start tracking who is who.

        I'm not sure how true that is. The recipient of the message never knows whether the previous node was the originator of the message. The government or ISP would only be able to trace the connection back to the last host that they controlled. Beyond that, they don't know whether the message originated there or at a prior node.

  • not so fresh (Score:2, Interesting)

    by cpearson ( 809811 )
    Old news is better than no news... i guess. /.ers have know that TOR exit notes where being sniffed for a while now and hackers certainly much longer than that.
    • "i guess. /.ers have know that TOR exit notes where being sniffed for a while now and hackers certainly much longer than that."

      Haha, you imply that /.ers and hackers are mutually exclusive.. ;)
  • Isn't this just pretty much a direct consequence of the nature of TOR pretty much assuming that everyone uses it the way it was intended?

    Or otherwise stated, TOR is like a flock of sheep where a wolf cannot bite down on one since they're all on some sort of merry-go-round? But a wolf could simply hop on the merry-go-round and feast?

    As the article has repeated, if you're interested in security it seems you really ought to apply your own encryption on top of TOR.

    However, even if you do that are you truly ano
    • by koehn ( 575405 ) * on Wednesday November 21, 2007 @12:45PM (#21437303)
      As the article has repeated, if you're interested in security it seems you really ought to apply your own encryption on top of TOR.

      However, even if you do that are you truly anonymous? Is there any way to determine both ends of a conversation (either email or sessions)?


      There's no way to guarantee that your communications over TOR are anonymous, and they're pretty upfront about that in the documentation. It's pretty easy for a government (or just about anybody, really) to add enough nodes to TOR to have a reasonable likelihood of being all three nodes in your conversation (entrance, middle, and exit). The nodes need to be geographically distributed, but that's easy for governments and easier for hackers, who have access to botnets of machines all over the world. Once they've got enough nodes out there, it's pretty easy to tell who's sending all that traffic, and where it's going.

      Again, adding encryption helps keep your data from being sniffed (as long as you know you're not hit by MITM, see other comments about PKI), but TOR doesn't protect your anonymity against a sophisticated (and reasonably well-funded) attacker.
  • by G4from128k ( 686170 ) on Wednesday November 21, 2007 @11:43AM (#21436379)
    Perhaps the problem is that using an anonymizer makes someone a more interesting target to authorities. Like the old adage of attacking the bank because "that's where the money is," perhaps some people are attacking Tor because "that's where the secrets are."
    • by mmcuh ( 1088773 )
      Or maybe because it's easy. Setting up an exit node and snooping on the unencrypted data coming through requires a lot less work than listening in on normal internet traffic.
  • The only problem with TOR is that it's currently mostly used for 'interresting' from an attacker's point, trafic. If TOR would be used for anything, nobody would evesdrop on the exit nodes anymore.

    BTW, it's not like your ISP won't spy on you.
  • by davejenkins ( 99111 ) <slashdot&davejenkins,com> on Wednesday November 21, 2007 @11:49AM (#21436451) Homepage
    1. set up a data-laundering haven
    2. advertise amongst the warez people and criminal element
    3. let enough criminal traffic (drug trafficking info) go through to build up trust that the laundering 'really works'
    4. Wait around for the stuff that is important (like nuclear codes or enemy state intel)
    5. ???
    6. Promoted to section chief at the invisible mansion! (Profit!)

    I don't have one lick of proof to say that our friends in Maryland or their cousins in Langley set this thing up from the beginning, other than it's an obvious slam dunk for them. I don't think the NSA is monitoring certain ports, I think they own the whole thing.
    • by dave562 ( 969951 )
      I don't have one lick of proof to say that our friends in Maryland or their cousins in Langley set this thing up from the beginning, other than it's an obvious slam dunk for them. I don't think the NSA is monitoring certain ports, I think they own the whole thing.

      You don't really need any proof. My recollection is that the author of the program admitted that he created it while under contract to US Naval Intelligence as a means of obfuscating their traffic.

    • Re: (Score:3, Interesting)

      by johannesg ( 664142 )
      I have been saying this about Google for a long time. What is the best way to know what people are thinking? Make it easy to answer their questions. What is the best way to know what they are talking about? Offer them an easy, free communication mechanism. What is the best way to know what part of the globe they are interested in? Offer them free maps...
  • Old news I know, but this once again brings up the issue of trust. I am only familiar with the TOR protocol/Onion routing at a high level, but is it possible to somehow revamp the protocol and include a trusted node-ranking system? Think slashdot style mod points applied to a TOR server. Obvious DOS attacks exist with this method, but refined a little it may work.

    Even so, I'd still try to browse using HTTPS everywhere I go. (Granted that doesn't stop people from knowing what sites you browsed...)
    • Old news I know, but this once again brings up the issue of trust. I am only familiar with the TOR protocol/Onion routing at a high level, but is it possible to somehow revamp the protocol and include a trusted node-ranking system? Think slashdot style mod points applied to a TOR server. Obvious DOS attacks exist with this method, but refined a little it may work.

      And exactly how would you know if someone is sniffing if they do not publish the results? The fact is that this is a security/anonymization s
    • Re: (Score:2, Interesting)

      by stevey ( 64018 )

      Given the number of hijacked machines taking part in the Storm worm, for example, any popularity contest could be skewed by a maliciously motivated attacker.

      The big issue with tor is that you're magnifying your exposure. By default you're vulnerable to sniffing by your ISP, and all the people they peer with till you get to your endpoint. With tor in the mix you're vulnerable to sniffing from your ISP, and any number of random people who've elected to host a tor node.

      Sure you've bounced your connection a

      • I've ALWAYS suspected, and will continue to suspect, that those discs comcast and other ISPs give to windoze and Mac users is to install a keystroke tool or some back door onto the machines.

        My fierce assertion is this: You wanna sniff my ass? DO SO AT THE DEMARC, FUCKERS.

        If I EVER open an internet cafe, I will post signs:

        "Not forced to comply with a court-ordered wiretap in [ ] days.

        "Along with a "Safe working, accident-free [ ] days..."

        "TRUST NO ONE: Assume this computer, or at least your session on it, i
  • by sammydee ( 930754 ) <seivadmas+slashd ... m ['ail' in gap]> on Wednesday November 21, 2007 @11:52AM (#21436501) Homepage
    Tor was never intended to SECURE traffic. It is an ANOMYMISER. It is designed to cope with compromised nodes and still provide military grade anonymity.

    It's important to remember that security and anonymity are different things.
    • by myvirtualid ( 851756 ) <pwwnow&gmail,com> on Wednesday November 21, 2007 @12:31PM (#21437103) Journal

      Military grade anonymity?

      What?

      Sure, we all know - or think we know - what "military grade crypto" means[1], but now you're just making stuff up.

      Military grade anonymity, indeed.

      [1] Strong crypto managed in a Type 0 or Type 1, etc., system, where everything is kept secret, hardware and software are tightly controlled, and updates are distributed strictly out-of-band - think spies with briefcases handcuffed to their wrists.

      Contrast with "commercial grade crypto", where everything but the secret/private keys themselves are known, well studied, well understood, etc., and updates are distributed in-band, though sometimes "boot strapped" using an OOB shared secret, etc.

      There is the perception that "military grade" is somehow stronger than "commercial grade", but what is the basis for this perception? None of us can say, least not here.

      To know - to really know - whether military grade crypto is actually any stronger than commercial grade crypto requires a degree of access which itself requires clearance at - or above - top secret, said clearance being predicated on the understanding that those with said access won't reveal what they know, on pain of prosecution.

      So the people who do know cannot and will not tell.

      You'll just have to take my word for it. :->

      "Military grade anonymity" is nothing more than buzzspeak for "anonymity that we think is really, really OMG PONIES good, but we can't prove, what with there being a complete and total lack of mathematically sound anonymity analytics comparable to cryptanalysis, so there, nyah!"

      • by Old Man Kensey ( 5209 ) on Wednesday November 21, 2007 @12:55PM (#21437445) Homepage

        myvirtualid wrote:

        clearance at - or above - top secret

        There is no clearance above TS, at least in the technical sense. There is TS/SCI ("special compartmented information") clearance, which may or may not include a lifestyle polygraph exam. TS/SCI and TS/SCI + lifestyle poly are not "above" TS in any real sense, they are merely additional qualifiers used as criteria to determine whether you can be allowed access to compartmented info. If you have TS/SCI it makes that process easier, but not having TS/SCI is not an absolute barrier if the right people sign off on it (although for certain information "the right people" may consist of both houses of Congress and the President).

        Compartments can be as loose (within the restrictions of TS) or as restrictive as necessary. There can be (and I understand are) compartments with only a handful of people.

        • "There is no clearance above TS, at least in the technical sense. There is TS/SCI ("special compartmented information") clearance, which may or may not include a lifestyle polygraph exam."

          You may not realize it, but that says everything you need to know about the balance of provable security vs. for-show security in the US military/government.

          It would be interesting to have a competition between the pentagon bureaucrats with their pseudoscience, versus some militia, to see which group is best at identifying
    • ...and trust isn't required with this anonymity vehicle.

      The privacy layer you supply yourself, and that requires the usual crypto-facilitated trust. As the Tor people often remind us, there is no way around that fundamental requirement.

      So the question is really, do you trust Certificate Authorities pre-loaded in your browser? And if not, what steps are you and the party you're connecting with going to take to swap private keys?

      Also bear in mind that many connections need only anonymity and not privacy, if y
  • A little reminder (Score:5, Interesting)

    by Khopesh ( 112447 ) on Wednesday November 21, 2007 @12:01PM (#21436617) Homepage Journal

    This is a little reminder that we need a lot more users and exit nodes before TOR is reasonably safe.
    This is a little reminder to encrypt your data end-to-end rather than through another network; anonymity is not security.
    This is a little reminder that you really do need to check your SSL certificates.

    TOR's encryption fools some into thinking it is a security model. It is not. TOR facilitates anonymous transactions using encryption internally. It eliminates the possibility of people spying on you by name, but it does not stop them from spying on "the people" (which includes you). You still need another encrypted transaction between you and your endpoint for real security.

    The more exit nodes there are, the less likely a snooping entity will get ahold of your data. The more users there are, the more data those snoops need to filter through to get something meaningful (caveat: statistical analysis [wikipedia.org]. workaround: encrypt data past the TOR network).

    This is a call-to-arms; everybody needs to use encryption and anonymization to enable the system to work, otherwise somebody can set up a few nets and read the whole network's content, even brute-force decrypt it due to its low volume. Take a look at what Zimmerman's justification for PGP [philzimmermann.com]:

    What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding.
    • by griffjon ( 14945 )
      Good points, all. If you're telnetting over the Internet; without having a very specific reason to do so, you're already asking for problems that no proxy is going to help you with. Now, monitoring who's trying to telnet to places using Tor I can see as generating a good list of naughty users and misinformed network admins...
  • by arevos ( 659374 ) on Wednesday November 21, 2007 @12:01PM (#21436619) Homepage
    I can't quite see how a SSL MITM attack works. Wouldn't the SSL certificate have to be registered for use with a specific domain? Could anyone explain how this would work?
    • by phantomcircuit ( 938963 ) on Wednesday November 21, 2007 @12:15PM (#21436819) Homepage
      Replace the SSL Certificate with a self signed one and hope they just click yes.
      • Granted, this'd work for most "average" computer users accustomed to clicking "OK" every few minutes. But if you're the sort of person who uses TOR, surely a bogus SSL cert would be enough to set of plenty of alarm bells. heck, I remember logging into my newly built file server at home an noticing that the SSH key had changed - cue immediate power down, reformat and analysis of all other boxes I had access to before I realised that the account I was using at the time was using ~/.ssh that hadn't been touche
  • by Nick Mathewson ( 11078 ) on Wednesday November 21, 2007 @12:06PM (#21436699)

    Hi all. I'm one of the Tor authors.

    We're trying very hard to get out the message that you should always use encrypted protocols over Tor, if you're doing anything even slightly sensitive.

    Right now, we do this in our documentation, and in a list of warnings on our download page [torproject.org]. But obviously, this isn't good enough, since some of the commenters here seem to be surprised at finding it out.

    Does anybody have good ideas about how to get the word out better?

    (As for the SSL MITM thing: we've run into situations like this one before. Usually, it turns out that the exit node isn't doing the MITM itself, but is getting MITMd itself by its upstream. This happens depressingly often in some countries, and in some dormitories. I've dropped a line to the directory authority operators Mike Perry (the guy who maintains the Torbutton firefox plugin) has been working on an automated detection tool for this stuff. It would be great if somebody with programming chops would step up and give him a hand.)

    • by Rob T Firefly ( 844560 ) on Wednesday November 21, 2007 @12:11PM (#21436781) Homepage Journal
      If you find a reliable way to make end-users RTFM, please let us know.
    • You want to automatically detect in route sniffing? Good luck with that one.

      You want to detect MITM attacks on SSL? Already been done, do not waste your time.
    • by Khopesh ( 112447 )
      Some possible solutions for TOR clients to implement:
      1. Avoid using exit nodes that prohibit encrypted content, even if using unencrypted content.
      2. Check server fingerprints (in known protocols) on multiple exit nodes.
      3. Cache server fingerprints for local and relayed traffic. If a server changed from a known CA to self-signed, throw a red flag somehow.
      4. Force all nodes (not just exit nodes) to participate in a distributed web cache proxy, whose cached objects are verified through secondary exit nodes.

      Items 1

    • What stops you from just encrypting the data by default?
      • by mibus ( 26291 )

        What stops you from just encrypting the data by default?

        Tor is encrypted, it's the protocol on top (eg. HTTP) that he's talking about.

        The solution is to use HTTPS instead of HTTP, SSH instead of telnet, etc. etc.
    • Re: (Score:3, Insightful)

      by CKW ( 409971 )
      Do a little light traffic analysis and block anything that isn't encrypted. Anything that isn't "as random" as encrypted data, and anything that has plaintext in it - block.

      The only way to get users to do something with any reliability is to FORCE them to do it, and to make everything else impossible.

      Now someone is going to scream that they really want the ability to do plain in the clear http over TOR. Fine, ship tor clients with two modes, "insecure" and "secure". Default to the latter which only uses
    • It appears that you're trying to send unencrypted content over the TOR network... Would you like to send a copy of your communications to the CIA/NSA/FSB?
  • Any router that passes your packets can be abused to spy on you and where you go. It is that simple.
  • While Tor is obviously vulnerable to a variety of attacks, I'm left to question if this is as much an attempt to discredit it as anything else? With no comparable alternative, taking down Tor would be a coup for most governments and spy agencies. Weigh that against the value they currently derive from monitoring, or even owning and controlling, exit points, and question which one benefits them more in the long run.
    • by base3 ( 539820 )
      Ding, ding, ding. At one institution I am aware of, the very study cited here was used as part of the justification for blocking TOR access from an academic network. It sounds so much better than "it's hard for our network surveillance appliances to watch what you do on the tubes when you're using TOR."
  • Encrypted Traffic? (Score:3, Insightful)

    by nurb432 ( 527695 ) on Wednesday November 21, 2007 @05:56PM (#21441443) Homepage Journal
    I thought TOR was mostly to hide your identity, not the data.

    FreeNet is more about hiding the data.

Put your Nose to the Grindstone! -- Amalgamated Plastic Surgeons and Toolmakers, Ltd.

Working...