Silk Road forums
Discussion => Newbie discussion => Topic started by: SirNomDePlum on July 19, 2013, 11:25 am
-
Should we be worried about this at all? Plain text password sniffing from our Tor exit nodes?
From the site:
A Swedish security professional that posted the usernames and passwords for 100 e-mail accounts belonging to various nations' embassies and political parties revealed on Monday that he exploited the improper usage of the Tor network -- a distributed system of computers that anonymizes the source of network traffic -- to collect the information.
http://www.securityfocus.com/news/11486?ref=rss *Clearnet link*
http://www.smh.com.au/articles/2007/11/12/1194766589522.html?page=fullpage *Clearnet link*
The final server, known as the exit node, decrypts the data and sends the information to its destination on the Internet.
Since the exit node decrypts the data so that it can send the info to it's destination couldn't the information (such as passwords and login details) be gathered at that point?
While he controlled only five servers out of an estimated 1,000 exit nodes, he still collected a great deal of information, he added.
While encrypting communications is a necessary step on the network to ensure security, most users -- more than 90 percent, Egerstad estimates -- were browsing the Web and downloading e-mail through the network without any sort of encryption to hide their information from prying eyes.
Egerstad argued that, while his revelations may be embarrassing, others groups with less benevolent motives are also likely eavesdropping on the network. He pointed to exit nodes run by hacking groups as potential ways of getting information for identity fraud, while massive nodes located in Washington D.C. and at the Space Research Institute in Russia are possible intelligence gathering tools for the U.S. and Russian governments, respectively.
"We found this kind of information on thousands of users, some of them being Fortune 500 companies and Nasdaq and New York-noted companies," he said on his Web site. "The information we gathered is not worth millions -- it’s worth billions in the right hands."
See here as well -
http://www.tenable.com/blog/active-and-passive-tor-detection *Clearnet link*
And here -
http://news.cnet.com/8301-13739_3-9997273-46.html *Clearnet link*
Question:
How do we protect against plain text password/login detail sniffing when using Tor?
-
Use HTTPS/PGP/... or any encryption method when available.
-
Yeah, encryption pretty much takes care of that.
-
that is pretty interesting.
-
This is a good post with great information something everyone should take note about.
Mods should sticky this for Newbies!
-
I've spent days thinking about this. What's the answer for perfectly secure surfing?
-
Yes, supposedly encryption, https takes care of it (although I've seen studies that https can be spied on as well but that's a different post) but how do the users of Tor do that exactly?
This is from the site that was referenced in the first post: http://www.securityfocus.com/news/11486?ref=rss *Clearnet link*
The final server, known as the exit node, decrypts the data and sends the information to its destination on the Internet.
It's those final servers that allowed Egerstad to eavesdrop on some of the traffic that traversed the Tor network. The security professional loaded the Tor software onto three servers in Sweden, one in the U.S. and one in Asia and volunteered the systems as exit nodes.
"You download the software from the Web site, and you put in your settings," he said.
###
So ... how do you make sure your data stays encrypted when it leaves that final third exit node?
-
Hello
What a great post!Most of what I have learned came from this forum Thanks .Thanks,Thanks
-
when using sr I dont use hhtp I just type silkroadvb5piz3r.onion eeeek
-
when using sr I dont use hhtp I just type silkroadvb5piz3r.onion eeeek
No worries on onion sites. It's only clearnet and not using HTTPS.
-
when using sr I dont use hhtp I just type silkroadvb5piz3r.onion eeeek
No worries on onion sites. It's only clearnet and not using HTTPS.
Yeah. Because onion sites are hosted within the TOR network, so you don't need to connect to an exit node
-
If this were possible, it could be pretty bad.
-
You don't use exit nodes when you don't leave the TOR network. You don't leave the TOR network when you're using hidden services. Never enter a password without HTTPS (or a hidden service when using TOR) with or without using TOR. Your ISP and and the NSA can see your passwords when you login to a website without using HTTPS.
-
The truth is, many exit nodes are operated by LE, on networks controlled and forced to betray their users, both companies and home users.
Many exit nodes are not only operated by the USA Navy and other military branches, but US Homeland Security, NSA and FBI.
This is the truth, and even if one cannot prove this (it's easy to verify), you MUST assume that exit nodes are NOT trustworthy, and are sniffing everything they can get.
NEVER EVER EVER permit sensitive or even potentially sensitive cleartext traffic to cross exit nodes.
Assume they make money selling your information to LE and corporations.
-
there are quite a few sites that don't use tls/ssl. sometimes it's easy not to notice until it's too late. has happened to me on occasion. one site that has optional tls is blockchain.info. there's both a http:// and a https:// version. i only hope that at least the password is sent using tls (haven't checked the page source i suppose it can be done via javascript) even though the address bar shows http://
-
Shouldn't be a problem on the SR as explained above. My only other use of tor besides browsing this hidden service is to troll people on the net =D.
I wouldn't trust my passwords or other info while browsing clearnet sites with tor.
-
there are quite a few sites that don't use tls/ssl.
These sites are called abominations. Kill it with fire.
-
You don't use exit nodes when you don't leave the TOR network. You don't leave the TOR network when you're using hidden services. Never enter a password without HTTPS (or a hidden service when using TOR) with or without using TOR. Your ISP and and the NSA can see your passwords when you login to a website without using HTTPS.
Thanks for the clarification! That simple sentence was a huge eye-opener. From what I understand then (and from what others have posted here) it's best if you don't leave the Tor network and venture off into clearnet land while using Tor. For if one does go into clearnet land then one's cleartext can be spied upon because I am then using an exit node (because I am exiting the Tor network).
That circles back to my original question now:
So ... how do you make sure your data stays encrypted when it leaves that final third exit node?
Is there a way to connect to Tor then jump on the clearnet (while using Tor) but yet keep my cleartext protected at the same time?
Thanks for all other comments as well. Much appreciated.
-
You don't use exit nodes when you don't leave the TOR network. You don't leave the TOR network when you're using hidden services. Never enter a password without HTTPS (or a hidden service when using TOR) with or without using TOR. Your ISP and and the NSA can see your passwords when you login to a website without using HTTPS.
Thanks for the clarification! That simple sentence was a huge eye-opener. From what I understand then (and from what others have posted here) it's best if you don't leave the Tor network and venture off into clearnet land while using Tor. For if one does go into clearnet land then one's cleartext can be spied upon because I am then using an exit node (because I am exiting the Tor network).
That circles back to my original question now:
So ... how do you make sure your data stays encrypted when it leaves that final third exit node?
Is there a way to connect to Tor then jump on the clearnet (while using Tor) but yet keep my cleartext protected at the same time?
Thanks for all other comments as well. Much appreciated.
Leaving the TOR network is fine if you're not entering personal information or using SSL. Everything is encrypted when you leave the network if the site is using SSL (says HTTPS at the beginning of the URL).
-
You don't use exit nodes when you don't leave the TOR network. You don't leave the TOR network when you're using hidden services. Never enter a password without HTTPS (or a hidden service when using TOR) with or without using TOR. Your ISP and and the NSA can see your passwords when you login to a website without using HTTPS.
Thanks Jack! I don't know why but it really took a while for it to sink in that we were safe from the exit node threat while using a tor hidden service like Silk road. So this message is for others like me. An exit node is not the same as an entrance node. It's on the other end near the website you are trying to view on 'clearnet'. I thought there was an exit on both ends and was concerned about what my isp would see. If you have similar concerns, consider learning about 'bridges'. Which are basically a proxy for the purpose of disguising your tor use from local eyes. If you are in a hostile locale you might be able to use a private bridge set up by a friend, or possibly hosted on a server you set up in a friendly country which won't look suspicious for you to be connected to. Your isp can still see roughly where the bridge is, but won't know what it is, or that it's hooking you up to tor.
Hope that didn't seem like high-jacking the thread. It's the answer I was looking for out of this thread and perhaps will help others who share a similar ignorance of such things.
Porn Star OUT!!!
-
That happened in 2007 and everyone should be well aware by now that your connections are only encrypted inside the Tor network. Once they leave an exit node they are not encrypted unless you use SSL, so yeah a malicious exit node can sniff the traffic. Connections to hidden services are fully encrypted because they never leave the Tor network, they go from Tor client to Tor client.