
Re: Anonymity: Introduction To The Tor Network

antdude:
New tool? Where have you been?
jakoe420:
I just installed Tor along with Privoxy, as recommended on Tor's website, and haven't noticed any slowdown at all with browsing or BitTorrent. And various privacy checks online have confirmed that my visible IP address is different from what it really is. So, I assume it is all in order? Anybody else use this?
novaflare:
They say it's a series of routers, but what it really is is a bunch of proxies. Saying it's distributed simply means it's the same as all distributed computing. Many of these proxies will be running on people's computers. Many of these people will be on slow connections and/or computers loaded down with spyware and various other nasties. Again, it's the same deal: it says encrypted, well, that's great. But here's the problem: someone will create a custom Tor server and will then be able to do exactly what I've been saying about proxies for the last 4 or 5 years, and that is capture your login information etc. Do not use this thing as a method for adding security to your computer and connection; in the end you will be very insecure.

I've seen proxies used to steal personal information using a non-expiring cached page that had been modified. It was not long ago that I created a POC page to test and see if it did in fact work. Without any special coding and very little coding of my own, I was able to make a simple web page that looked just like a legit login page. This page, when information was filled in, logged you in (a test Hotmail account) but at the same time emailed me the login information for the account. The page was a copy-paste job, nothing more. An identity thief needs to know very little in the way of creating a website to pull this off. They need 3 things: 1, a target bank/PayPal etc. login page; 2, to find a contact-us page that uses email; 3, a proxy server with caching capabilities. To set it up they make the cache in the proxy non-expiring, copy-paste the HTML from the contact-us page into the login page and drop the login page into the cache of the proxy. And, oh yeah, 4, a person who forgets not to use a proxy when going to the site(s) they targeted, or someone foolish enough to think the proxy makes them more secure.

This is not something that was just done by me as a POC; it really did happen, and I was involved in trying to find out how it was done. It took me a little more than 5 or 6 hours to find out how it was done and recreate and prove it was possible. My web dev knowledge is very out of date. The last web site I hand coded was in late '96/early '97.
-- DSLR security chat at us.ausirc.net, channel #dslr_sec. Let's pack this channel. Open source DNS server for *nix and Windows: powerdns.com
novaflare:
Now there are very legitimate and good uses for proxies. Say you're an exchange student from an Asian country (take your pick for my example, it doesn't matter; I bet we have a few exchange students on these boards, either from Asia or in Asia). As an exchange student you need to go to your school's site daily. But your connection to it is very slow, 3 second ping times and .5 KB, and it's very painful to go there. Well, connections to Asia are very slow when your last hop is on the eastern or western coast of the US, but when they go out through the Gulf they are much quicker, say 250 ms and 60 to 80 KB. So what you want to do is find a proxy in Texas or the Gulf area. This will help to make sure your connection goes out through the Gulf. For exchange students in the Asian countries needing to access sites here, you could use the same proxy as the exchange student in the US, entering the US from the Gulf.
boognish:
Tor has been around for a couple of years. I read a paper a while back talking about how it was going to cause huge security problems for network admins. I will have to see if I can find it.
novaflare:
said by Daniel: Anyone doubting the legitimate uses of anonymous proxies needs to think about the legitimate uses of encryption as well. Just because something is likely going to also be used for nefarious purposes doesn't make it inherently evil. Go read about the EFF if you're confused as to what the purpose of this network is. It's not some network for script kiddies or terrorists; it's a network designed to allow for increased privacy on the Internet. Whether those two end up mixing or not isn't a valid argument against the project. I mean, the obvious answer here is to not allow the public to have anything that can be used as a weapon. Heading down that path, however, will take us precisely where we don't need to be as a society.

I'm not even talking about illegal uses for Tor by those who might use it. I'm talking about a script kiddie making a hacked version of Tor to steal personal information, and why no proxies should ever be used to transmit information that is secure. This includes banking info, CC numbers, login info, etc. As for getting by IP bans etc. using a proxy, that's very easy to stop. Scan common proxy ports on all incoming connections and refuse the connection if one of those ports is open. IRC servers commonly do this and will auto-G-line any such IPs. Some web servers have this functionality as well.
Daniel:
said by novaflare: I'm talking about a script kiddie making a hacked version of Tor to steal personal information, and why no proxies should ever be used to transmit information that is secure.

A hacked version of Tor? Tor is two things: software loaded onto a user's system that lets them use the network, and the network itself. If you propose that a cracker could write the former, then they still have to install it. If they can install it, then why not just install a rootkit? I'll assume you know why they can't make another version of the network.

said by novaflare: This includes banking info, CC numbers, login info, etc.

Use SSL for that. This project deals with hiding your source IP; it has nothing to do with the confidentiality of the data being moved.

said by novaflare: As for getting by IP bans etc. using a proxy, that's very easy to stop. Scan common proxy ports on all incoming connections and refuse the connection if one of those ports is open.

And what if the server is firewalled? That's relying on the box answering new connection requests from random hosts, something that isn't all that likely on a network set up for this sort of thing. You're confusing a misconfigured and/or cracked system running a proxy with a system designed to do precisely this.
-- dmiessler.com - grep understanding knowledge
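The check the two posts above argue over, as an added example that is not code from either poster, from Tor, or from any IRC daemon. It does what an IRC server's open-proxy check does on connect: try the ports where proxies commonly listen and send an HTTP CONNECT, then decide. The port list, the CONNECT probe and the TEST-NET-3 target address are my assumptions about what such a check looks like; the listeners at the bottom are constructed fixtures standing in for a remote host. Daniel's caveat falls out of the design: a host that never answers (nothing listening, or a firewall dropping the probe) produces no finding, and a port that merely accepts a connection (an SSH banner, say) is recorded but is not evidence of a proxy.

```python
"""Open-proxy check on a connecting host (added example, not from the thread)."""
import socket
import threading

# Assumed: ports where SOCKS/HTTP proxies (SOCKS, Squid, generic HTTP, Privoxy) commonly listen.
COMMON_PROXY_PORTS = (1080, 3128, 8080, 8000, 8118)


def probe_port(host: str, port: int, timeout: float = 1.0):
    """Connect to host:port and send an HTTP CONNECT towards a documentation
    address (203.0.113.10 is TEST-NET-3, never routed). Returns None if the port
    is closed or filtered, '' if it accepted the connection but said nothing,
    otherwise the first line the service answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"CONNECT 203.0.113.10:6667 HTTP/1.0\r\n\r\n")
            try:
                data = s.recv(256)
            except socket.timeout:
                return ""
    except OSError:          # refused, unreachable, or the connect timed out
        return None
    return data.split(b"\r\n", 1)[0].decode("latin-1", "replace")


def _is_http_2xx(line: str) -> bool:
    parts = line.split()
    return len(parts) >= 2 and parts[0].startswith("HTTP/1.") and parts[1].startswith("2")


def proxy_verdict(host: str, ports=COMMON_PROXY_PORTS, timeout: float = 1.0) -> dict:
    """'open_proxy' is True only when some port accepted our CONNECT with an
    HTTP 2xx. 'listening' records every port that answered at all, so the
    caller can tell 'runs a proxy' apart from 'runs some service' and from
    'silent or firewalled'."""
    listening = {}
    for port in ports:
        first_line = probe_port(host, port, timeout)
        if first_line is not None:
            listening[port] = first_line
    return {"open_proxy": any(_is_http_2xx(l) for l in listening.values()),
            "listening": listening}


# ---- constructed fixtures so the check can be exercised offline ----------

def start_fake_service(reply: bytes) -> int:
    """A listener on 127.0.0.1 that answers every client with `reply` and hangs
    up; stands in for a remote host. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port() -> int:
    """A local port on which nothing listens: the firewalled/silent case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    squid_like = start_fake_service(b"HTTP/1.0 200 Connection established\r\n\r\n")
    ssh_like = start_fake_service(b"SSH-2.0-OpenSSH_3.9p1\r\n")
    return proxy_verdict("127.0.0.1", ports=(squid_like, ssh_like, unused_port()))


if __name__ == "__main__":
    print(demo())
```

Against the three constructed listeners the verdict is "open proxy" because of the first port alone; the SSH-style banner shows up under `listening` without changing the verdict, and the silent port leaves no trace, which is exactly why this check cannot see a proxy behind a firewall.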
jakoe420:
This is from their website:

6.2. So I'm totally anonymous if I use Tor?
No.
First of all, your application might leak personal information at the protocol level; or it might be vulnerable to issues like JavaScript; or you might type revealing information into a form.
Second, there are still some technical attacks that work against Tor. One of the strongest attacks can be done by an attacker who can observe large portions of the Internet: he has a list of Tor servers, records traffic timing at each of them, and can use statistics to correlate entering streams with exiting streams.
Third, the more active you are, the more likely you are to stand out from the rest of the crowd. Sending or receiving a whole lot of bytes in a short period of time, or using Tor for long-standing connections like IRC, probably endangers your anonymity more than using it for short, brief transactions.

So, I don't understand attack option #2. Can somebody explain that in layman's terms?
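What the FAQ's second attack looks like when written down, as an added example that is not from the Tor FAQ or from anyone in this thread. The observer never sees a payload and never breaks any encryption: it has a packet-timing histogram for each stream entering the network and one for each stream leaving it, and pairs them by correlation after sliding the exit side back by the unknown network delay. All the streams below are constructed (three bursty clients, the same three delayed about 400 ms and reordered on the exit side, plus one exit stream whose entry was not observed) and the seed is fixed so the numbers reproduce.

```python
"""Traffic-timing correlation across an anonymity network (added example)."""
import random

BIN = 0.1              # seconds per timing bin
N_BINS = 80            # observation window of 8 seconds
rng = random.Random(7) # fixed seed: the constructed data is reproducible


def make_stream(active_bins: int, on_prob: float) -> list:
    """A bursty client: in each bin it is either idle or sends 3-8 packets."""
    ts = []
    for b in range(active_bins):
        if rng.random() < on_prob:
            ts.extend(b * BIN + rng.random() * BIN for _ in range(rng.randint(3, 8)))
    return sorted(ts)


def delay(ts, base: float, jitter: float) -> list:
    """The same packets after crossing the network: fixed latency plus jitter."""
    return sorted(t + base + rng.random() * jitter for t in ts)


def bin_counts(ts, n_bins: int = N_BINS) -> list:
    """Packets per bin: the only thing the observer keeps about a stream."""
    counts = [0] * n_bins
    for t in ts:
        i = int(t / BIN)
        if i < n_bins:
            counts[i] += 1
    return counts


def pearson(x, y) -> float:
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5


def best_lag(entry, exit_, max_lag: int = 10):
    """Slide the exit histogram back by 0..max_lag bins (the unknown delay)
    and keep the lag with the highest correlation."""
    best = (0.0, 0)
    for lag in range(max_lag + 1):
        c = pearson(entry[: len(entry) - lag], exit_[lag:])
        if c > best[0]:
            best = (c, lag)
    return best


def correlate(entry_streams: dict, exit_streams: dict) -> dict:
    """For every entering stream, the exiting stream it most resembles,
    with the correlation coefficient and the delay in bins."""
    ev = {k: bin_counts(v) for k, v in entry_streams.items()}
    xv = {k: bin_counts(v) for k, v in exit_streams.items()}
    matches = {}
    for ek, e in ev.items():
        xk, (score, lag) = max(((xk, best_lag(e, x)) for xk, x in xv.items()),
                               key=lambda kv: kv[1][0])
        matches[ek] = (xk, round(score, 3), lag)
    return matches


# Constructed observations: what taps at the entry and exit sides recorded.
ENTRY = {name: make_stream(60, 0.3) for name in ("alice", "bob", "carol")}
EXIT = {
    "exit-1": delay(ENTRY["bob"], 0.4, 0.05),
    "exit-2": delay(ENTRY["carol"], 0.4, 0.05),
    "exit-3": delay(ENTRY["alice"], 0.4, 0.05),
    "exit-4": make_stream(60, 0.3),   # someone whose entry side was not observed
}

if __name__ == "__main__":
    for client, (stream, score, lag) in correlate(ENTRY, EXIT).items():
        print(f"{client:6} -> {stream}  r={score}  delay~{lag * BIN:.1f}s")
```

This is also why the FAQ's third point follows from the second: a long-lived, bursty stream (IRC, a big download) gives the observer a long histogram with lots of structure to match on, while a short transaction gives it very little.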
jp10558:
Tor isn't designed for security; it's designed for anonymity. You should still use SSL for secured connections to the endpoint webpage.
Otherwise, this is no less secure than a direct connection to the net; however, it does make it more difficult to trace you.
-- Opera 8.02 (Build 7680); Windows XP Pro SP2; Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32 (Version 2.5.25); Sygate Pro 5.5 (Build 2637); Proxomitron 4.5j Grypen 7/26/05 (Opera mod); GPG ID: 0x0A1C6EE3
Daniel:
said by EGeezer: Once a rogue node is in place, it would seem the node operator would be free to trap and decrypt traffic at their leisure.

Again, this is only an issue if the original traffic was unencrypted to begin with, which isn't a good idea (unless you don't care if someone reads it).
In short, if you want your data to be private, encrypt it. The Tor network just bounces whatever you send through its servers with additional encryption.
That being said, if a rogue Tor server was set up, what could it see? Well, if the user encrypted their data they'd simply see encrypted data from another Tor server. I see the benefits of this system being legion compared to any downsides, especially since it's free.
novaflare:
said by Daniel: Again, this is only an issue if the original traffic was unencrypted to begin with, which isn't a good idea (unless you don't care if someone reads it). In short, if you want your data to be private, encrypt it. The Tor network just bounces whatever you send through its servers with additional encryption. That being said, if a rogue Tor server was set up, what could it see? Well, if the user encrypted their data they'd simply see encrypted data from another Tor server. I see the benefits of this system being legion compared to any downsides, especially since it's free.

You're wrong there, Daniel. Traffic can be encrypted or decrypted, it doesn't matter. My POC page accepted and sent data fully encrypted to Hotmail and another test target (the one I was involved with finding a way to protect). The HTTPS was fully encrypted; I could not see the data that was sent over HTTPS in an unencrypted form. But the email submit add-on sent the data fully unencrypted to me. It also, with Hotmail, logged them in just fine; with the second target it gave an error 404 not found. The URL was correct, nothing about the proxy server etc., just a failed login. To the user it would seem like "oh damn, the proxy I'm using is slowing down my connection," and they would simply at this point turn off the proxy. Of course, by that time the damage is done.

Proxy as privacy or to get to a site that's slow for you? Fine, have at it. The privacy it gives is likely not really even there; the rerouting of your traffic to a hopefully faster route still applies and is useful. I do use proxies a lot for the second reason, to speed up my connection to some sites. Some of these sites need me to log in, and I have to change my password every time, while off the proxy, when I'm done. But it's worth it. With no proxy I get .5 to 1 KB download on the flash-heavy page; with the proxy I get 80+ KB.
Daniel:
said by novaflare: You're wrong there, Daniel. Traffic can be encrypted or decrypted, it doesn't matter.

Wrong about what? Are you saying that if SSL-encrypted traffic moves through a compromised Tor server it can be broken? I don't think so. My point is simple: if your data's important, encrypt it. No one here is saying we should depend on Tor for data confidentiality.
Gelroos:
A lot of this reminds me of trying to explain anonymous email using Mixmaster relays and eventual posting to newsgroups for retrieval. People just can't seem to realize that compromised nodes may be able to intercept and READ the data, but if the data is in a form that is UNREADABLE, then the data is useless to them. I can chain proxies and run an SSL tunnel through several proxies; it may be slow, but the data will traverse the entire chain, ENCRYPTED, and then to the eventual target. If any of the proxies try to modify the communication, the worst that will happen is an error/break in communications. They would have to break the SSL tunnel encryption to READ the data I am sending/receiving. If the website I am communicating with is using SSL, and it is set up right, and my client supports it, then barring decrypting the SSL tunnel, I am pretty secure. Secure enough for what I am using SSL for; if I need more encryption, I use it.
-- The tree of liberty must be refreshed from time to time with the blood of patriots & tyrants. It is its natural manure. (The "Tree of Liberty" letter from Thomas Jefferson to William Smith)
novaflare:
said by Gelroos: A lot of this reminds me of trying to explain anonymous email using Mixmaster relays and eventual posting to newsgroups for retrieval. People just can't seem to realize that compromised nodes may be able to intercept and READ the data, but if the data is in a form that is UNREADABLE, then the data is useless to them. I can chain proxies and run an SSL tunnel through several proxies; it may be slow, but the data will traverse the entire chain, ENCRYPTED, and then to the eventual target. If any of the proxies try to modify the communication, the worst that will happen is an error/break in communications. They would have to break the SSL tunnel encryption to READ the data I am sending/receiving. If the website I am communicating with is using SSL, and it is set up right, and my client supports it, then barring decrypting the SSL tunnel, I am pretty secure. Secure enough for what I am using SSL for; if I need more encryption, I use it.

And if the first hop in that chain happens to be compromised, then what? Don't say it can't or won't happen. I know it can, and given time, it will. I mean, really, how likely is it that game X, with 3500 customers who cannot buy it in a store locally and need to pay to download, would get their information stolen, all using the same and only proxy, which was a proxy set up to steal said info? Not very damn likely; highly unlikely, in fact. Yet it did happen. Once we managed to find a way to deny proxies from connecting to the server for shopping, we had those affected users take a survey. Of those 12 to 15 users, 6 found the proxy on a proxy list online; the rest were referred via private message on the game's forum by one of 3 people. Half the customers affected by the theft found it using Google and other engines. Maybe Tor is the greatest thing since sliced bread and maybe it will never be compromised in such a way as to ever affect anyone. But I ask you, why take a chance?

I'm not saying don't use Tor, but simply saying don't use it for any secure transactions online. Don't ever log in to anything with it unless you're willing to turn it off and change your login info when leaving a secure site. The risk is too great. Yes, most banks have measures in place to keep you from being responsible for bogus charges, but take it from someone who has helped people with things like this: it's a big hassle in a lot of cases. Proxies for rerouting your connection, fine; for protecting you when posting on newsgroups, great, that's good too; but when going to sites requiring login it's a huge mistake. You could end up with a big surprise one day.
wormie:
Novaflare, I have some trouble following your writing style, but it looks to me like you're misunderstanding the purpose of Tor. If the final node (or anyone able to sniff its traffic) wants to listen to your unencrypted data pass through, then of course they're able to do so. That's not a flaw in the design; it's just not the point of using Tor.
Tor is about anonymity, not encryption. Specifically, it prevents people from tracing things back to you via your IP address; that's all there is to it. The first node on the route knows your IP address, the last node does not. The last node doesn't even know the first node's IP address, so you can't just backtrack to find the source. It's not about encryption, it's about keeping your physical location a secret.
Sure, it's not wise to send unencrypted personal information through an unknown proxy server, but then again it's not wise to send unencrypted personal information through ANY server. If someone's doing that they've got bigger problems than a theoretically compromised last server. If I'm handing my driver's license to a stranger, they have easier ways of finding me than tracing my IP address.
Of course, a simple SSL connection will keep that "hijacked" final hop from seeing the slightest bit of useful information. Though if you think you can run a successful man-in-the-middle attack using the Tor network, go for it; I'm sure the developers would love to know how it's done.
Tor works very well for what it's designed to do. I routinely use it for IRC, and when feeling paranoid I'll even use it for normal web browsing, which it does perfectly well. (Plus it's fun to see Google come up in different languages all the time.)
If you require anonymity, or even just suffer from a bit of paranoia about your IP address showing up in everyone's logs, there's really no reason not to use Tor.
-- What Would Jim Jones Do?
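The structure wormie describes (the first node knows the client, the last node knows the destination, nobody sees both), as an added example that is not Tor's code and not code from anyone in this thread. The client wraps its cell in one layer per hop; each hop strips exactly one layer with its own key and learns only who handed it the cell and who to pass it to. The cipher here is a toy (SHA-256 in counter mode, XORed in) and the hop names, keys, destination and payload are all made up; real Tor negotiates AES keys with each relay in a handshake. The point the toy preserves is the one under discussion: the exit hop reads the payload exactly as the client sent it, so if that payload is plaintext HTTP, the exit sees plaintext HTTP, and only end-to-end encryption (SSL to the destination) changes that.

```python
"""Layered ('onion') encryption walkthrough with three named hops (added example)."""
import hashlib
import json
import os

DEST = "bank.example"                 # assumed destination name
PAYLOAD = b"GET /login HTTP/1.0"      # what the client wants the exit to forward


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: SHA-256 in counter mode. Illustration only; not Tor's cipher.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream: the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def build_onion(hops, destination: str, payload: bytes) -> bytes:
    """hops: [(name, key), ...] in path order. Only the client knows every key.
    Wrap innermost first: the exit's layer names the destination and carries
    the payload; every other layer names just the next hop and carries the
    next layer, so a hop can see its neighbours and nothing else."""
    inner = None
    for i in range(len(hops) - 1, -1, -1):
        name, key = hops[i]
        if inner is None:
            plain = {"next": destination, "payload": payload.hex()}
        else:
            plain = {"next": hops[i + 1][0], "inner": inner.hex()}
        nonce = os.urandom(8)
        inner = nonce + _crypt(key, nonce, json.dumps(plain).encode())
    return inner


def peel(key: bytes, layer: bytes) -> dict:
    """What one hop can do with its own key: strip exactly one layer.
    With the wrong key the result is garbage and json fails (ValueError)."""
    nonce, body = layer[:8], layer[8:]
    return json.loads(_crypt(key, nonce, body).decode("utf-8"))


def walk(hops, onion: bytes, client: str = "client") -> list:
    """Forward the cell hop by hop and record each hop's view: where the cell
    came from, where it goes next, and whether the hop could read the payload."""
    views, prev, cell = [], client, onion
    for name, key in hops:
        seen = peel(key, cell)
        views.append({"hop": name, "from": prev, "to": seen["next"],
                      "sees_payload": "payload" in seen})
        prev = name
        cell = bytes.fromhex(seen["inner"]) if "inner" in seen else None
    return views


# Assumed three-hop path with per-hop keys the client established earlier.
HOPS = [("entry", os.urandom(16)), ("middle", os.urandom(16)), ("exit", os.urandom(16))]
ONION = build_onion(HOPS, DEST, PAYLOAD)


def demo() -> list:
    return walk(HOPS, ONION)


if __name__ == "__main__":
    for view in demo():
        print(view)
```

Running it prints three views: the entry hop sees `client -> middle`, the middle hop sees `entry -> exit`, and the exit hop sees `middle -> bank.example` together with the payload. No single hop's view contains both the client and the destination, which is the anonymity property; the exit's ability to read the payload is the "Tor is not encryption" point.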
jp10558:
OK, but you seem to miss the point. You can be sniffed without using a proxy, as shown by the Google phish you indicated. If you are worried, SSL or some end-to-end encryption and authentication MUST be used; otherwise it's no proxy's fault, it can happen without a proxy at all.
Even if one endpoint in Tor is compromised, your circuits change periodically, so it won't get all your communications; it doesn't even get one whole session for a forum. IME, it switches endpoints every 2 minutes or so.
nobodyuknow:
I don't think Novaflare is entirely wrong in having some doubts about Tor. I was using Tor and I went to a Google search page and it said my PC was infected and asked me to download some software to scan the infection. When I disconnected from Tor and went to Google I didn't get the message. So maybe machines on the Tor network can be infected. It would be a tempting target, I gather.
hpguru:
said by nobodyuknow: I don't think Novaflare is entirely wrong in having some doubts about Tor. I was using Tor and I went to a Google search page and it said my PC was infected and asked me to download some software to scan the infection.

LOL!
-- Get hpHOSTS! Member ASAP. Downing St. memo: BUSH LIED, YOUR SON DIED. REMEMBER 1776! NEVER FORGET!
novaflare:
said by nobodyuknow: I don't think Novaflare is entirely wrong in having some doubts about Tor. I was using Tor and I went to a Google search page and it said my PC was infected and asked me to download some software to scan the infection. When I disconnected from Tor and went to Google I didn't get the message. So maybe machines on the Tor network can be infected. It would be a tempting target, I gather.

This is what I'm talking about. Tor is nothing more than proxy servers running on untrusted PCs. Now, what you likely saw was a web site that is scanning for open proxies. Here's a fun one: find a free anonymous proxy, then go to the tests and tools pages here and do a port scan. In fact, use Tor and see what it shows. Then tell me this thing is trustworthy. If I understand correctly, what Tor is, in essence, is proxies connecting to other proxies and routing your connection through them. And these proxies are running on personal computers. These personal computers tell the Tor server "I'm online and accepting Tor connections, use me." Now there's a high probability that a large number of these people using Tor are downloading cracks, warez and who knows what else. Not the most careful bunch (see many HijackThis logs for examples). So warez freak downloads a crack that's really a trojan; you connect to this trojaned PC as your first stop. You visit somestoresite.com while on this first hop and enter your CC etc. info. The trojan was used to install a custom web page for somestoresite.com that emails your information to the hacker who used the trojan to install the cached page for somestoresite.com. The hacker now has your information. You just got torn up by Tor.

Unlikely? Sure it is. Never going to happen? Wrong. It will happen; given enough time, hackers will specifically target Tor for exploits to get at that low-hanging fruit they know will be there. It will happen, period. Maybe not on any huge scale, but it will happen nonetheless. Tor, like many other anonymizers before it, will go the way of the dodo.
bpm3k:
said by novaflare: Here's a fun one: find a free anonymous proxy, then go to the tests and tools pages here and do a port scan. In fact, use Tor and see what it shows.

Consider it done. The open port is 22 and it is for "ssh remote login protocol."
Daniel:
said by novaflare: This is what I'm talking about. Tor is nothing more than proxy servers running on untrusted PCs. Now, what you likely saw was a web site that is scanning for open proxies. Here's a fun one: find a free anonymous proxy, then go to the tests and tools pages here and do a port scan. In fact, use Tor and see what it shows. Then tell me this thing is trustworthy.

You seem to be obsessed with the concept that a machine with open ports is compromised.

said by novaflare: If I understand correctly, what Tor is, in essence, is proxies connecting to other proxies and routing your connection through them. And these proxies are running on personal computers. These personal computers tell the Tor server "I'm online and accepting Tor connections, use me." Now there's a high probability that a large number of these people using Tor are downloading cracks, warez and who knows what else. Not the most careful bunch (see many HijackThis logs for examples). So warez freak downloads a crack that's really a trojan; you connect to this trojaned PC as your first stop.

And what exactly is going to happen when the encrypted traffic comes through that specific host for roughly 60 seconds? What are they supposed to do with that? Assuming there was an attacker on that host, they wouldn't be able to crack the Tor encryption or the encryption that the person should be using if the data was confidential. In short, you gain nothing but a view of some encrypted traffic that you can't break.

said by novaflare: You visit somestoresite.com while on this first hop and enter your CC etc. info. The trojan was used to install a custom web page for somestoresite.com that emails your information to the hacker who used the trojan to install the cached page for somestoresite.com. The hacker now has your information. You just got torn up by Tor.

Again, how is the host decrypting the traffic moving through it? And how many people do you know that enter credit card information into unencrypted websites, especially people using Tor?
More importantly, consider that the list of Tor servers a given client will use is chosen at random when the client connects. Then consider that each connection is only maintained for like a minute.
Seriously, you should focus more on looking at protocols and making logic-based comments rather than spewing forth the first thing that comes to mind. Go check out tor.eff.org/overview.html; read the whole thing and tell me if you still feel the same way.
Oh, by the way, also consider that Tor was designed by the EFF and DARPA, a.k.a. the military. If you think your insights have uncovered some sort of weaknesses in their approach, I encourage you to let them know immediately. I'm sure they'd be willing to hire you on the spot given the fact that you were able to uncover in mere minutes problems with a network that took them years to develop.
Good day.
novaflare:
said by Daniel: And what exactly is going to happen when the encrypted traffic comes through that specific host for roughly 60 seconds? What are they supposed to do with that? Assuming there was an attacker on that host, they wouldn't be able to crack the Tor encryption or the encryption that the person should be using if the data was confidential. In short, you gain nothing but a view of some encrypted traffic that you can't break.

That's just the thing, Daniel: they don't need to decrypt it at all. You get the cached page that is HTTPS that also sends an email with the info the user put in the fields for CC name, expiration date, etc.
In the instance where I helped to put a stop to it, the page in question was HTTPS. When the user hit submit they got no warning at all. All they got that might alert some people was a warning about the cert.
From Tor's very own FAQ, as another poster mentioned, it's exactly as I thought it might be. Each PC using Tor is also a proxy for Tor. And if they are infected with something, then so are you, essentially. If they have a proxy that feeds a cached page that's been modified, then you will see that page and not the real page. If that cached page is made to send emails of what you type in, it will. These emails will not be encrypted, and the person who receives them will have your information. As I said, this is not just some idea of a potential threat; this has happened once in my personal experience (well, on one site, which affected 12 or 15 users) and at least twice that I know of. The other time I know of, it was a bank's web site that was targeted.
MattUK:
said by novaflare: And if they are infected with something, then so are you, essentially.

I do not understand your logic here. If a Tor proxy is infected, so what? How exactly is it going to spread this through Tor to other systems? Or am I missing the point entirely?
My understanding is the same as Daniel's and others' in this thread. It's about anonymity, not encryption, firstly. Any upstanding website that requires personal info will use SSL, which I think you could agree is pretty safe? So how does the Tor system magically decrypt the SSL, allowing a Tor proxy to see the info?
-- forum.gladiator-antivirus.com /// Gladiator Security Forum Admin // www.kleendesigns.co.uk/blog
novaflare2:
Results from a port scan while behind Tor, using the DSLReports port scan. What does this mean? Well, for spammers, a lot: note port 25 open. I won't post the IP, but I did test it and sure enough, open mail relay. I sent myself an email to test. Spammers will enjoy Tor. They can use it to send out mega amounts of spam and no need to even bother forging headers. Hell, they don't even need to get someone to install a spam bot. All they need to do is run a nice email server on their own computer with mailing list features, fire up good old Tor and have a field day. Or they can run port scans from DSLReports or any number of other sites like GRC and find lovely open mail relays.

TCP default : CLOSED (we received a response packet that no service is available)
TCP 22      : OPEN
TCP 25      : OPEN
TCP 53      : OPEN
TCP 110     : OPEN
TCP 143     : OPEN
TCP 873     : OPEN
TCP 993     : OPEN
TCP 995     : OPEN
UDP default : CLOSED (we received a response packet that no service is available)
UDP 53      : OPEN
UDP 123     : OPEN
|  |  |  |  |  |  |   novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
said by MattUK: said by novaflare: And if they are infected with something then so are you, essentially. I do not understand your logic here. If a Tor proxy is infected, so what? How exactly is it going to spread this through Tor to other systems? Or am I missing the point entirely? My understanding is the same as Daniel's and others' in this thread. It is about anonymity, not encryption, firstly. Any upstanding website that requires personal info will use SSL, which I think you could agree is pretty safe? So how does the Tor system magically decrypt the SSL, allowing a Tor proxy to see the info?
On SSL it's only safe as long as you're getting a fresh page. I've given the example a dozen times. All someone needs to do is cache the page on a local proxy, say Squid for example. They then modify the cached page to also email them the info you enter. The site I used as an example used SSL and the information was still stolen. On my test of going through the proxy that was used, I was able to log right in without any troubles at all. The SSL cert showed as valid for the domain etc. As seen from my previous post, multiple ports were open on a single tested IP. If I tested more I'm sure I'd find Squid proxies running on a lot of Tor IPs. Then again, as in my test above, open mail relays are also found. In 3 scans of 3 IPs I found 2 open mail relays. Also found port 139 open on the one. This is frightening to me. Do you realize how much damage even I could do with port 139? I could infect them with basically anything I wanted without them doing anything more than rebooting their computer. I would not be afraid to bet that this particular computer has default administrative shares, and that means I can drop files anywhere I want, including the startup folder. Worse yet, their logs would likely show that it was a local loopback connection thanks to Tor.
There will never be a secure proxy network. Tor is as insecure as those open proxies found on Google. Simply put, an infection there may as well be a keylogger on your own system. But here's the real trouble. Due to the ability to cache pages and display them to the user, a hacker doesn't need to sift through logs to find what he wants; he just needs to check his email for login information, CC information etc. SSL, HTTPS etc. does not matter when the page you put your info into is a cached page running on a proxy server you're on. That cached page can be modified with ease; I did it myself to test my idea out when those 12 or so people got their CC numbers stolen. (NO, I will not demonstrate it or explain how it's done.) The server I set up was SSL enabled and was HTTPS. In the end none of that mattered. I used Squid to provide the cached page that I had modded to send me the email with the Hotmail and other test page information.
-- DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel. Open source DNS server for *nix and Windows: »powerdns.com
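An added example in Python, written for this page and not code from the thread, from Tor or from Squid: the replayed-cache scenario described above only works when a shared cache is allowed to store the login page and when the page reaches the browser in a form a proxy can read and rewrite. The functions below parse a raw HTTP response, report the signs a defender checks for (a Via header, the Age and X-Cache markers a cache adds, a missing no-store directive, a long max-age, plaintext http://), and build the response headers an origin should send on a login page. Both responses, the host names and the finding codes are constructed for the example.

```python
"""Added example (not from this thread, Tor or Squid): spot the signs that a
login page passed through, or was served from, an intermediary cache, and
build the response headers that tell caches not to store the page.
Both sample responses below are constructed for this example."""

from typing import Dict, List, Tuple

Headers = Dict[str, List[str]]


def parse_response(raw: bytes) -> Tuple[int, Headers, bytes]:
    """Split a raw HTTP/1.x response into (status code, headers, body).
    Header names are lower-cased; repeated headers keep their order."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def cache_directives(headers: Headers) -> Dict[str, str]:
    """Map Cache-Control directive names to their (possibly empty) arguments."""
    directives: Dict[str, str] = {}
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            name, _, arg = part.strip().partition("=")
            if name:
                directives[name.lower()] = arg.strip().strip('"')
    return directives


def cache_findings(url: str, raw: bytes) -> List[str]:
    """Return finding codes (names chosen for this example) for a login-page
    response.  An empty list means nothing on the wire suggests a cache could
    have stored or replayed the page."""
    status, headers, _ = parse_response(raw)
    findings: List[str] = []
    if url.lower().startswith("http://"):
        findings.append("PLAINTEXT")      # any hop can read or rewrite the page
    if "via" in headers:
        findings.append("VIA_PROXY")      # at least one proxy relayed it
    if "age" in headers:
        findings.append("AGE_HEADER")     # Age is added by caches (RFC 7234)
    if any("hit" in v.lower() for v in headers.get("x-cache", [])):
        findings.append("CACHE_HIT")      # Squid-style cache hit marker
    directives = cache_directives(headers)
    if status == 200 and "no-store" not in directives:
        findings.append("STORABLE")       # a shared cache may keep a copy
    max_age = directives.get("max-age", "")
    if max_age.isdigit() and int(max_age) > 0:
        findings.append("LONG_LIVED")     # the copy stays fresh for max-age seconds
    return findings


def hardened_response(body: bytes) -> bytes:
    """Build the response an origin should send for a login page: no shared
    or private cache may store it; Pragma covers old HTTP/1.0 caches."""
    headers = [
        "HTTP/1.1 200 OK",
        "Content-Type: text/html; charset=utf-8",
        "Cache-Control: no-store, no-cache, must-revalidate, private",
        "Pragma: no-cache",
        "Expires: 0",
        "Content-Length: %d" % len(body),
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


# Constructed sample: a login page replayed by a caching proxy over plain HTTP.
PROXIED_URL = "http://bank.example/login"
PROXIED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Cache-Control: max-age=31536000\r\n"
    b"Age: 86400\r\n"
    b"Via: 1.1 proxy.example (squid)\r\n"
    b"X-Cache: HIT from proxy.example\r\n"
    b"Content-Length: 29\r\n"
    b"\r\n"
    b'<form action="/login"></form>'
)

if __name__ == "__main__":
    print(cache_findings(PROXIED_URL, PROXIED_RESPONSE))
    print(cache_findings("https://bank.example/login",
                         hardened_response(b"<form></form>")))
```

The first call reports every marker at once; the second, a no-store login page over https://, reports none. The distinction matters for the argument in this thread: an on-path proxy can only cache and rewrite what it can read, so the defence is the origin refusing to let the page be stored plus the browser refusing a certificate the proxy cannot present for the real host name.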
Daniel Premium,MVM join:2000-06-26 Pleasanton, CA
Re: Anonymity: Introduction To The Tor Network
said by novaflare: On SSL it's only safe as long as you're getting a fresh page. I've given the example a dozen times. All someone needs to do is cache the page on a local proxy, say Squid for example.
So let me get this straight, Novaflare -- you're telling me you're able to:
1. Put up a malicious Tor server and have it used by the system.
2. Sit and watch the encrypted traffic moving through it, ignoring the Tor encryption.
3. Put up a fake website for the bank being requested and somehow redirect the user to your daemon.
4. Keep the user from getting a certificate warning after you intercept them.
5. Capture all their credentials from what they thought was a secure site.
Is that what you'd have us believe?
-- dmiessler.com - grep understanding knowledge
novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
Re: Anonymity: Introduction To The Tor Network
said by Daniel: said by novaflare: On SSL it's only safe as long as you're getting a fresh page. I've given the example a dozen times. All someone needs to do is cache the page on a local proxy, say Squid for example. So let me get this straight, Novaflare -- you're telling me you're able to: 1. Put up a malicious Tor server and have it used by the system. 2. Sit and watch the encrypted traffic moving through it, ignoring the Tor encryption. 3. Put up a fake website for the bank being requested and somehow redirect the user to your daemon. 4. Keep the user from getting a certificate warning after you intercept them. 5. Capture all their credentials from what they thought was a secure site. Is that what you'd have us believe?
Why bother capturing data at all when all you need to do is have the bogus web site email it to you unencrypted? Depending on the site in question there will be no warning because the cert is valid; some sites will warn the cert is invalid and some users might even pay attention to it. But for every user who does there will be at least 1 other who doesn't. No need to redirect: set up the malicious proxy server that Tor will use, for example Squid with the non-expiring cached page, and sit in wait for your Tor server to be used.
Sure, it's unlikely on a user by user basis, probably a one in a few 1000 chance that it will put them onto your node, daemon etc. And even less of a chance they will be going to a site whose login page you modded and cached. But fact is, given enough time you will get hits to that page and you will get their information. If I was going to do it I'd target Bank of America, First Merit, Bank One and Star Bank. I'd also target PayPal and eBay. I'd likely also make a bogus MSN and Hotmail login page to steal email addresses. I know from seeing people do it that a lot of people will give other people SSI numbers, CC numbers etc. through highly unsecure email. If I targeted all of those and had success at getting the login pages to work as intended I'd probably get 10 to 15k in the first year easily. Tor is nothing more than a SOCKS proxy that can connect to another proxy such as Squid, Privoxy etc. My guess is it wouldn't be too hard to forge the traffic for Tor and trick the network into thinking your plain old Squid is a Tor server. Either way it's not a stretch for any of this to happen.
This argument is no different than the one I had with a friend of mine who swore his heavily modified phpBB was secure and was not vulnerable. Right now he's on day 3 of repairing the damage to his site from where someone hacked said phpBB. I've cleaned up messes caused by proxies; I've helped to secure a site or 3 against such tactics. The securing of a site is pretty simple. Just deny any computer behind an open proxy.
If you're behind a proxy one day and have a site tell you to "turn off your proxy then hit F5 to refresh after to view this web site", that is one of the sites I helped to secure. It scans some 35 proxy ports when you connect to the site.
Fact is, any time you're using a proxy to visit a secure site you're taking a chance that you're tossing every single bit of security on that site in the trash can. Regardless of the proxy or proxy network you use.
-- DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel. Open source DNS server for *nix and Windows: »powerdns.com
Daniel Premium,MVM join:2000-06-26 Pleasanton, CA
Re: Anonymity: Introduction To The Tor Network
said by novaflare: Why bother capturing data at all when all you need to do is have the bogus web site email it to you unencrypted?
I think I'm done here.
-- dmiessler.com - grep understanding knowledge
BeesTea Network Janitor Premium,VIP join:2003-03-08 00000
Re: Anonymity: Introduction To The Tor Network
said by Daniel: I think I'm done here.
Now you see =)
Just to stir the fire. Just imagine the fun once they realize you can do this with every router along the way too.. Never mind Tor.. THINK OF THE ROUTERS MAN!!
OMGHAXORZ!!one!11
=)
-- "I can't stand the package managers that come with Linux. RPM, Portage, and the rest don't even let you build from source. The ports collection was all I needed." - Some FreeBSD jackass
B Premium,MVM join:2000-10-28
Re: Anonymity: Introduction To The Tor Network
said by Daniel: said by nobodyuknow: I don't think Novaflare is entirely wrong in having some doubts about TOR. I was using Tor and I went to a Google search page and it said my PC was infected and asked me to download some software to scan the infection? When I disconnected from Tor and went to Google I didn't get the message. So, maybe machines on the TOR network can be infected. I am at a loss for words.
Guess what? That's in the FAQ!
3.12. Google tells me I have spyware installed.
This is a known and intermittent problem; it does not mean that Google considers Tor to be spyware. Instead, Google tries to detect certain kinds of spyware or viruses that send distinctive queries to Google Search. It then notes the IP addresses from which those queries are received. Finally, Google tries to warn the users of those IP addresses that it received queries indicating an infection.
When you use Tor, you are sending queries through exit nodes that are also shared by thousands of other users. If some of those users are infected with software that Google detects, Google may mistakenly conclude that the exit nodes themselves are infected (because the requests appeared to originate from the exit nodes) and, for a limited period of time, will try (incorrectly) to warn all Google users who share an exit node with an infected machine that they are themselves infected.
You may also get this sort of message when lots of Tor users are querying Google in a short period of time. Google interprets the high volume of traffic as somebody trying to "crawl" their website, so it slows down traffic from that IP address for a short time.
To our knowledge, Google is not doing anything intentionally specifically to deter or block Tor use. The error message about an infected machine should clear up again after a short time.
If we think of a measure that would prevent users from seeing this sort of spurious warning message, we will certainly suggest it to Google and to other web site developers. There may also be technical workarounds for Tor end-users affected by this problem; if you find a useful workaround and write up a description of it, please let us know. »wiki.noreply.org/noreply/TheOnio···r/TorFAQ
-- B -- In a realm outside causality and function
ghost16825 Use security metrics Premium join:2003-08-26
LOL. Quite amusing, this thread.
novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
I give up. Use it, and when someone does get their personal information and CC numbers stolen as a direct result of the mighty Tor, I'll be here to say I told you so. This thing is going to lead to just that. Like all the other fear mongering anonymity proxy services before it, it will be nothing but trouble. Even if it gets to a point where it can't be cracked or used to steal identities, CC numbers etc., they will cave to pressure from ISPs and other net service providers and turn over logs of who was where and at what time.
Anon and the internet go together like a hamburger and Jello: both are great on their own but they just don't mix well.
-- DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel. Open source DNS server for *nix and Windows: »powerdns.com
jp10558 Premium join:2005-06-24 Willseyville, NY
Yeah, it's rather obvious that novaflare either has a woefully inadequate understanding of how TOR, SSL, Squid, DNS and multiple other web technologies function, or is a troll.
The main point is, if you are ignoring SSL cert warnings on "secure" pages, then you're screwed whether you use TOR or not. This whole thing requires a user to ignore and click through a scary "this site is not secure" dialog that even IE pops up, and then enter personal information.
To reiterate, the above "flaw" is in no way related to or assisted by TOR; it can happen via any number of phishing techniques such as e-mails, DNS poisoning, IM bombs, browser hijacks, hosts file compromise etc...
-- Opera 8.02(Build 7680); Windows XP Pro SP2; Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Sygate Pro 5.5(Build 2637); Proxomitron 4.5j Grypen 7/26/05(Opera mod), GPG ID:0x0A1C6EE3
NeOmega join:2004-11-18
Re: Anonymity: Introduction To The Tor Network
In response to Sivran: (how do you respond with quotes? Or is that premium member only?)
It will slow down your browsing always, technically.
It increases the amount of data flow to 512 bits/bytes or something like that, so no-one can see how much activity is being done. That's as far as I understood it in the FAQs.
Also, you are adding extra hops, and usually exiting out of somewhere far away from your home.
But you really are not supposed to use Tor all the time; it will make you more traceable. You should use it on an as-needed basis, IMHO.
Anyways... here is the technical FAQ »wiki.noreply.org/noreply/TheOnio···r/TorFAQ and I think it answers a lot of issues being raised here.
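The fixed-size data unit mentioned in the post above is Tor's cell, which is 512 bytes long. As an added illustration, written for this page and not Tor's own code, the block below frames a byte stream into 512-byte cells and shows what a passive observer on the path can count: cells and bytes, not the length of the message inside. The 5-byte header layout (circuit id, command, data length) and the command value are simplifications chosen for this example; they are not Tor's real cell format, and the example leaves out the per-hop encryption Tor applies to each cell.

```python
"""Added example (not Tor's code): framing a byte stream into fixed-size
512-byte cells.  Tor moves data in fixed-size cells so that an observer on
the path sees cell counts rather than message lengths; the header layout
below is an assumed simplification, not Tor's real cell format."""

import struct
from typing import Dict, List

CELL_LEN = 512                      # every cell on the wire is exactly this long
HEADER = struct.Struct(">HBH")      # assumed layout: circuit id, command, data length
DATA_LEN = CELL_LEN - HEADER.size   # 507 bytes of data fit in one cell
CMD_DATA = 2                        # assumed command code for application data


def to_cells(circ_id: int, payload: bytes) -> List[bytes]:
    """Split payload into CELL_LEN-byte cells, zero-padding the last one.
    An empty payload still produces one fully padded cell, so even 'nothing'
    looks like 512 bytes on the wire."""
    chunks = [payload[i:i + DATA_LEN]
              for i in range(0, len(payload), DATA_LEN)] or [b""]
    cells: List[bytes] = []
    for chunk in chunks:
        cell = HEADER.pack(circ_id, CMD_DATA, len(chunk)) + chunk
        cells.append(cell.ljust(CELL_LEN, b"\x00"))
    return cells


def from_cells(cells: List[bytes]) -> bytes:
    """Reassemble the payload, dropping padding via the length field and
    rejecting cells that are malformed or carry an unexpected command."""
    out = bytearray()
    for cell in cells:
        if len(cell) != CELL_LEN:
            raise ValueError("malformed cell: %d bytes" % len(cell))
        _circ, cmd, n = HEADER.unpack_from(cell)
        if cmd != CMD_DATA or n > DATA_LEN:
            raise ValueError("unexpected command or length")
        out += cell[HEADER.size:HEADER.size + n]
    return bytes(out)


def observer_view(cells: List[bytes]) -> Dict[str, int]:
    """What a passive on-path observer can count without any keys."""
    return {"cells": len(cells), "bytes_on_wire": sum(len(c) for c in cells)}


if __name__ == "__main__":
    # Two messages of very different length produce the same on-wire picture.
    print(observer_view(to_cells(7, b"hi")))
    print(observer_view(to_cells(7, b"x" * 400)))
    assert from_cells(to_cells(7, b"x" * 1000)) == b"x" * 1000
```

The observer's view only changes when a message crosses a cell boundary (here 507 data bytes), which is the property the FAQ is getting at: padding hides exact sizes, while the extra hops are what make every request slower.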
inTulsa Premium join:2002-02-24
Tor anonymizes by sending data through servers that your ISP wouldn't have. The potential problem is that you have to trust that those servers are not malicious in any way. I trust my ISP routing more than I can trust unknown / unpredictable servers.
I have my own HTTP proxy and other forms of proxies like SOCKS. It might amaze some people what can be done with content as it traverses connections. A proxy can modify (or log) any piece of content, or it can replace whole domains with "something else" without the user having any clue. My proxy spoofs Yahoo mail to look like a sub-path of my own domain; Gmail and hotmail appear to be other paths. Going the other way, spoofing hotmail with any other site or path, is really easy. It can also replace IP (no domain name) connection requests with different destinations, all done transparently.
Remember too that even Proxo can manipulate SSL content by playing MiTM. The only trick in doing that is the user importing a trusted certificate to avoid some browser warnings.
I believe that any benefit gained from becoming "anonymous" is not worth the potential loss of security, privacy, and in most cases performance. But some people have nothing really worth protecting, or the need to be occasionally anonymous is too great, so for them Tor and other anonymizer methods are a means to that end. I certainly wouldn't access email or key in a CC# through one.
NeOmega join:2004-11-18
Re: Anonymity: Introduction To The Tor Network
Well, I certainly would not trade stocks online, or use passwords, or any of the other stuff like that, through Tor.
But it is a little more convenient than any other method I've seen, for, say, when someone stole your girlfriend's photography, posted it on a website, claiming it was his own, trademarked it, and when you call him on it, bans your IP from his website.
jp10558 Premium join:2005-06-24 Willseyville, NY
Re: Anonymity: Introduction To The Tor Network
said by Wildcatboy: I think what novaflare has been trying to say, and hasn't been successful in conveying, is that each Tor server belongs to a totally unknown and most likely untrusted user. The fact that the communication is encrypted won't be enough to stop compromise of your data. I too haven't had a chance to read the complete overview of Tor but it would be great if someone could clarify this for me: Let's say I build a Tor server and I also run a proxy server on it that directs all requests for paypal.com, eBay.com, major banks, etc... to my own version of those web pages residing on my server. What in the Tor system prevents me from redirecting you to my page? You as a user try to go to PayPal, you see my version of it, which by the way is quite convincing, and you enter your username and password. You can't log in and you say to yourself "Oops, PayPal must be down." and move on. I have your password and the encryption didn't do anything. So can someone tell me how Tor prevents me from doing that and what safeguards are in place? This is a question that novaflare has been asking and I haven't seen an answer for it yet, or perhaps I missed it.
Well, with PayPal it is SSL before you ever enter your password. So, PayPal prevents it with or without Tor. eBay is the same. So, unless you somehow get a VeriSign SSL cert claiming you are eBay or PayPal, I don't get the problem...
Every financial site I've seen is like this - and if you are in the habit of paying for things without it being secure, TOR isn't going to help - but I doubt it will hurt either.
So, yes, I suppose you could spoof Yahoo e-mail, but who's using TOR to access their e-mail anyway? I mean, if you have to authenticate yourself to the end site, I don't see how it was worth all the anonymizing steps...
And if you mean to say you're spoofing Google search, you're not getting private info that way...
-- Opera 8.02(Build 7680); Windows XP Pro SP2; Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Sygate Pro 5.5(Build 2637); Proxomitron 4.5j Grypen 7/26/05(Opera mod), GPG ID:0x0A1C6EE3
novaflare The Dragon Was Here Premium join:2002-01-24 Barberton, OH
Re: Anonymity: Introduction To The Tor Network
said by jp10558: said by Wildcatboy: I think what novaflare has been trying to say, and hasn't been successful in conveying, is that each Tor server belongs to a totally unknown and most likely untrusted user. The fact that the communication is encrypted won't be enough to stop compromise of your data. I too haven't had a chance to read the complete overview of Tor but it would be great if someone could clarify this for me: Let's say I build a Tor server and I also run a proxy server on it that directs all requests for paypal.com, eBay.com, major banks, etc... to my own version of those web pages residing on my server. What in the Tor system prevents me from redirecting you to my page? You as a user try to go to PayPal, you see my version of it, which by the way is quite convincing, and you enter your username and password. You can't log in and you say to yourself "Oops, PayPal must be down." and move on. I have your password and the encryption didn't do anything. So can someone tell me how Tor prevents me from doing that and what safeguards are in place? This is a question that novaflare has been asking and I haven't seen an answer for it yet, or perhaps I missed it. Well, with PayPal it is SSL before you ever enter your password. So, PayPal prevents it with or without Tor. eBay is the same. So, unless you somehow get a VeriSign SSL cert claiming you are eBay or PayPal, I don't get the problem... Every financial site I've seen is like this - and if you are in the habit of paying for things without it being secure, TOR isn't going to help - but I doubt it will hurt either. So, yes, I suppose you could spoof Yahoo e-mail, but who's using TOR to access their e-mail anyway? I mean, if you have to authenticate yourself to the end site, I don't see how it was worth all the anonymizing steps... And if you mean to say you're spoofing Google search, you're not getting private info that way...
When you're entering info into a modded cached page it does not matter how secure the real site is. SSL never plays a part. Hell, why even bother presenting the user with a cert, fake or real. Most will assume this is normal and just enter and submit away. The URL will show correct; anti-phishing apps and methods will be no good etc.
-- DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel. Open source DNS server for *nix and Windows: »powerdns.com
jp10558 Premium join:2005-06-24 Willseyville, NY
Re: Anonymity: Introduction To The Tor Network
said by novaflare: said by jp10558: said by Wildcatboy: I think what novaflare has been trying to say, and hasn't been successful in conveying, is that each Tor server belongs to a totally unknown and most likely untrusted user. The fact that the communication is encrypted won't be enough to stop compromise of your data. I too haven't had a chance to read the complete overview of Tor but it would be great if someone could clarify this for me: Let's say I build a Tor server and I also run a proxy server on it that directs all requests for paypal.com, eBay.com, major banks, etc... to my own version of those web pages residing on my server. What in the Tor system prevents me from redirecting you to my page? You as a user try to go to PayPal, you see my version of it, which by the way is quite convincing, and you enter your username and password. You can't log in and you say to yourself "Oops, PayPal must be down." and move on. I have your password and the encryption didn't do anything. So can someone tell me how Tor prevents me from doing that and what safeguards are in place? This is a question that novaflare has been asking and I haven't seen an answer for it yet, or perhaps I missed it. Well, with PayPal it is SSL before you ever enter your password. So, PayPal prevents it with or without Tor. eBay is the same. So, unless you somehow get a VeriSign SSL cert claiming you are eBay or PayPal, I don't get the problem... Every financial site I've seen is like this - and if you are in the habit of paying for things without it being secure, TOR isn't going to help - but I doubt it will hurt either. So, yes, I suppose you could spoof Yahoo e-mail, but who's using TOR to access their e-mail anyway? I mean, if you have to authenticate yourself to the end site, I don't see how it was worth all the anonymizing steps... And if you mean to say you're spoofing Google search, you're not getting private info that way... When you're entering info into a modded cached page it does not matter how secure the real site is. SSL never plays a part. Hell, why even bother presenting the user with a cert, fake or real. Most will assume this is normal and just enter and submit away. The URL will show correct; anti-phishing apps and methods will be no good etc.
Ok, I don't know about IE, but in Opera, there's this big yellow bar that shows up in the address bar when the site is secure. It's not there if the site isn't SSL authenticated. If you have a spoof that pulls up that bar without an SSL cert, I want to see it, so I can report the vulnerability to Opera.
At some point, you can't protect ignorant people. If these are the people falling for the Nigerian scams etc... it doesn't matter if they have TOR or not. As I said before, there are numerous equivalent methods to phish them, and they are at equal risk without TOR.
Moreover, I'm guessing the people who even know about TOR, much less can manage to set it up, aren't technical neophytes, nor the best targets for phishing. I.e., the people who don't use IE, and who know to look for SSL auth before inputting their CC#.
I'd also guess that these people would realise there is little point in using TOR to then tell the site who you are, where you live, and your CC# to order something on a legit site. There's little point using TOR to check Yahoo e-mail; as I said before, if you are going to ID yourself to the end site, don't waste the time or overhead with TOR. It's pointless.
OTOH, if you aren't going to those sites for the reasons above, then the possible spoof sites aren't going to garner much information - one, you'll be seeing/spoofing the equivalent of Google search; two, you'll only get 1-2 minutes of data before TOR yanks them to a different endpoint, so not enough to do much data analysis on searches or whatever...
-- Opera 8.02(Build 7680); Windows XP Pro SP2; Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Sygate Pro 5.5(Build 2637); Proxomitron 4.5j Grypen 7/26/05(Opera mod), GPG ID:0x0A1C6EE3
lawrence171 Evilly Yours - Evilness join:2001-12-24 Canada
So, this is just bouncing connections around... How does this prevent people from tracing the source of the packets/data?
-- What I used to be I no longer am... God, why can't you freeze time for my sake?