
jp10558
Premium
join:2005-06-24
Willseyville, NY

reply to Daniel
Re: Anonymity: Introduction To The Tor Network

Ok, but you seem to miss the point. You can be sniffed without using a proxy, as shown by a Google phish you indicated. If you are worried, SSL or some end-to-end encryption and authentication MUST be used - otherwise it's no proxy's fault, it can happen without a proxy at all.

Even if one endpoint in TOR is compromised, your circuits change periodically, so it won't get all your communications, it doesn't even get one whole session for a forum. IME, it switches endpoints every 2 minutes or so.
--
Opera 8.02(Build 7680); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Sygate Pro 5.5(Build 2637);Proxomitron 4.5j Grypen 7/26/05(Opera mod),GPG ID:0x0A1C6EE3


wormie

join:2000-11-19
Lowell, MA

reply to novaflare
Novaflare, I have some trouble following your writing style, but it looks to me like you're misunderstanding the purpose of Tor. If the final node (or anyone able to sniff its traffic) wants to listen to your unencrypted data pass through then of course they're able to do so. That's not a flaw in the design, it's just not the point of using Tor.

Tor is about anonymity, not encryption. Specifically, it prevents people from tracing things back to you via your IP address, that's all there is to it. The first node on the route knows your IP address, the last node does not. The last node doesn't even know the first node's IP address, so you can't just backtrack to find the source. It's not about encryption, it's about keeping your physical location a secret.

Sure, it's not wise to send unencrypted personal information through an unknown proxy server, but then again it's not wise to send unencrypted personal information through ANY server. If someone's doing that they've got bigger problems than a theoretically compromised last server. If I'm handing my driver's license to a stranger, they have easier ways of finding me than tracing my IP address.

Of course, a simple SSL connection will keep that "hijacked" final hop from seeing the slightest bit of useful information. Though if you think you can run a successful man-in-the-middle attack using the Tor network go for it, I'm sure the developers would love to know how it's done.

Tor works very well for what it's designed to do. I routinely use it for IRC, and when feeling paranoid I'll even use it for normal web browsing, which it does perfectly well. (Plus it's fun to see Google come up in different languages all the time.)

If you require anonymity, or even just suffer from a bit of paranoia about your IP address showing up in everyone's logs, there's really no reason not to use Tor.
--
What Would Jim Jones Do?
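
The split described in the post above (the entry relay sees the client address, the exit relay sees the destination and any unencrypted payload, and no single relay sees both), as an added example that is not part of the thread and is not Tor's code. A toy SHA-256 XOR keystream stands in for Tor's real per-hop encryption, and the relay names, keys, addresses and form data are constructed for illustration.

```python
import hashlib
import json


def keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter keystream; a stand-in cipher, NOT Tor's crypto."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_layer(key: bytes, data: bytes) -> bytes:
    """Add or strip one encryption layer (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def wrap(route, destination: str, payload: bytes) -> bytes:
    """Client side: build the onion from the exit layer outwards."""
    next_hop, body = destination, payload
    for name, key in reversed(route):
        layer = json.dumps({"next": next_hop, "body": body.hex()}).encode()
        next_hop, body = name, xor_layer(key, layer)
    return body


def simulate(client_ip: str, route, destination: str, payload: bytes):
    """Pass one cell along the route and record what each relay can observe."""
    cell, sender, views = wrap(route, destination, payload), client_ip, []
    for name, key in route:
        layer = json.loads(xor_layer(key, cell))  # relay strips its own layer
        cell = bytes.fromhex(layer["body"])
        views.append({"relay": name, "sees_from": sender,
                      "forwards_to": layer["next"]})
        sender = name
    return views, cell  # cell is what the exit hands to the destination


# Constructed sample values (hypothetical relays, keys and addresses).
ROUTE = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]
CLIENT = "203.0.113.7"
DEST = "forum.example:80"
FORM = b"user=alice&pass=hunter2"
E2E_KEY = b"client-and-site-session-key"  # stands in for an SSL session

if __name__ == "__main__":
    views, delivered = simulate(CLIENT, ROUTE, DEST, FORM)
    for v in views:
        print(v)
    print("exit sees (no end-to-end encryption):", delivered)

    # Same request, but sealed between client and site before entering Tor.
    _, sealed = simulate(CLIENT, ROUTE, DEST, xor_layer(E2E_KEY, FORM))
    print("exit sees (end-to-end encrypted):   ", sealed.hex())
```

Only the exit's view changes between the two runs: the routing metadata is identical, but the form data is readable at the exit only when nothing protects it end to end.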


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to Daniel
jp10558 and wormie have nicely articulated the problems with your arguments, novaflare. You simply seem to be missing the point of the project. If we've got you all wrong, do show us where we've gone astray; I'd be happy to explore your concerns, but we have to be on the same sheet of music first.
--
dmiessler.com - grep understanding knowledge

nobodyuknow

join:2005-06-07

I don't think Novaflare is entirely wrong in having some doubts about TOR. I was using Tor and I went to a Google search page and it said my PC was infected and asked me to download some software to scan the infection? When I disconnected from Tor and went to Google I didn't get the message. So, maybe machines on the TOR network can be infected. It would be a tempting target I gather.



hpguru
Curb Your Dogma
Premium
join:2002-04-12

said by nobodyuknow:

I don't think Novaflare is entirely wrong in having some doubts about TOR. I was using Tor and I went to a Google search page and it said my PC was infected and asked me to download some software to scan the infection?
LOL!
--
Get hpHOSTS! Member ASAP
Downing St. memo: BUSH LIED, YOUR SON DIED.
REMEMBER 1776! NEVER FORGET!


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to nobodyuknow
said by nobodyuknow:

I don't think Novaflare is entirely wrong in having some doubts about TOR. I was using Tor and I went to a Google search page and it said my PC was infected and asked me to download some software to scan the infection? When I disconnected from Tor and went to Google I didn't get the message. So, maybe machines on the TOR network can be infected. It would be a tempting target I gather.

This is what I'm talking about. Tor is nothing more than proxy servers running on untrusted PCs. Now what you likely saw was a web site that is scanning for open proxies. Here's a fun one: find a free anon proxy, then go to the test and tools pages here and do a port scan. In fact, use Tor and see what it shows. Then tell me this thing is trustworthy. If I understand correctly, what Tor is in essence is proxies connecting to other proxies and routing your connection through them. And these proxies are running on personal computers. These personal computers tell the Tor server "I'm online and accepting Tor connections, use me." Now there's a high probability that a large number of these people using Tor are downloading cracks, warez and who knows what else. Not the most careful bunch (see many HijackThis logs for examples). So warez freak downloads a crack that's really a trojan; you connect to this trojaned PC as your first stop. You visit somestoresite.com while on this first hop and enter your CC etc. info. The trojan was used to install a custom webpage for somestoresite.com that emails your information to the hacker who used the trojan to install the cached page for somestoresite.com. The hacker now has your information. You just got torn up by Tor.

Unlikely? Sure it is. Never going to happen? Wrong. It will happen; given enough time hackers will specifically target Tor for exploits to get at that low-hanging fruit they know will be there. It will happen, period. Maybe not on any huge scale, but it will happen nonetheless. Tor, like many other anonymizers before it, will go the way of the dodo.
--
DSLR security chat at us.ausirc.net channel #dslr_sec - let's pack this channel
open source DNS server for *nix and Windows »powerdns.com


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to nobodyuknow
said by nobodyuknow:

I don't think Novaflare is entirely wrong in having some doubts about TOR. I was using Tor and I went to a Google search page and it said my PC was infected and asked me to download some software to scan the infection? When I disconnected from Tor and went to Google I didn't get the message. So, maybe machines on the TOR network can be infected.
I am at a loss for words.
--
dmiessler.com - grep understanding knowledge

bpm3k

join:2004-08-15
Simi Valley, CA


reply to novaflare
said by novaflare:

Here's a fun one: find a free anon proxy, then go to the test and tools pages here and do a port scan. In fact, use Tor and see what it shows.
Consider it done.
The open port is 22 and it is for "ssh remote login protocol."

ghost16825
Use security metrics
Premium
join:2003-08-26
reply to Daniel
LOL. Quite amusing, this thread.

B
Premium,MVM
join:2000-10-28

reply to Daniel
said by Daniel:

said by nobodyuknow:

I don't think Novaflare is entirely wrong in having some doubts about TOR. I was using Tor and I went to a Google search page and it said my PC was infected and asked me to download some software to scan the infection? When I disconnected from Tor and went to Google I didn't get the message. So, maybe machines on the TOR network can be infected.
I am at a loss for words.
Guess what? That's in the FAQ!

3.12. Google tells me I have spyware installed.

This is a known and intermittent problem; it does not mean that Google considers Tor to be spyware. Instead, Google tries to detect certain kinds of spyware or viruses that send distinctive queries to Google Search. It then notes the IP addresses from which those queries are received. Finally, Google tries to warn the users of those IP addresses that it received queries indicating an infection.

When you use Tor, you are sending queries through exit nodes that are also shared by thousands of other users. If some of those users are infected with software that Google detects, Google may mistakenly conclude that the exit nodes themselves are infected (because the requests appeared to originate from the exit nodes) and, for a limited period of time, will try (incorrectly) to warn all Google users who share an exit node with an infected machine that they are themselves infected.

You may also get this sort of message when lots of Tor users are querying Google in a short period of time. Google interprets the high volume of traffic as somebody trying to "crawl" their website, so it slows down traffic from that IP address for a short time.

To our knowledge, Google is not doing anything intentionally specifically to deter or block Tor use. The error message about an infected machine should clear up again after a short time.

If we think of a measure that would prevent users from seeing this sort of spurious warning message, we will certainly suggest it to Google and to other web site developers. There may also be technical workarounds for Tor end-users affected by this problem; if you find a useful workaround and write up a description of it, please let us know. [#]
»wiki.noreply.org/noreply/TheOnio···r/TorFAQ

-- B
--
In a realm outside causality and function


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to novaflare
said by novaflare:

This is what I'm talking about. Tor is nothing more than proxy servers running on untrusted PCs. Now what you likely saw was a web site that is scanning for open proxies. Here's a fun one: find a free anon proxy, then go to the test and tools pages here and do a port scan. In fact, use Tor and see what it shows. Then tell me this thing is trustworthy.
You seem to be obsessed with the concept that a machine with open ports is compromised.

said by novaflare:

If I understand correctly, what Tor is in essence is proxies connecting to other proxies and routing your connection through them. And these proxies are running on personal computers. These personal computers tell the Tor server "I'm online and accepting Tor connections, use me." Now there's a high probability that a large number of these people using Tor are downloading cracks, warez and who knows what else. Not the most careful bunch (see many HijackThis logs for examples). So warez freak downloads a crack that's really a trojan; you connect to this trojaned PC as your first stop.
And what exactly is going to happen when the encrypted traffic comes through that specific host for roughly 60 seconds? What are they supposed to do with that? Assuming there was an attacker on that host, they wouldn't be able to crack the Tor encryption or the encryption that the person should be using if the data was confidential. In short, you gain nothing but a view of some encrypted traffic that you can't break.
said by novaflare:

You visit somestoresite.com while on this first hop and enter your CC etc. info. The trojan was used to install a custom webpage for somestoresite.com that emails your information to the hacker who used the trojan to install the cached page for somestoresite.com. The hacker now has your information. You just got torn up by Tor.
Again, how is the host decrypting the traffic moving through it? And how many people do you know that enter credit card information into unencrypted websites -- especially people using Tor?

More importantly, consider that the list of Tor servers a given client will use is chosen at random when the client connects. Then consider that each connection is only maintained for like a minute.

Seriously, you should focus more on looking at protocols and making logic-based comments rather than spewing forth the first thing that comes to mind. Go check out »tor.eff.org/overview.html; read the whole thing and tell me if you still feel the same way.

Oh, by the way, also consider that Tor was designed by the EFF and DARPA, a.k.a. the Military. If you think your insights have uncovered some sort of weaknesses in their approach, I encourage you to let them know immediately. I'm sure they'd be willing to hire you on the spot given the fact that you were able to uncover in mere minutes problems with a network that took them years to develop.

Good day.
--
dmiessler.com - grep understanding knowledge


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to Daniel
Re: Anonymity: Introduction To The Tor Network

said by Daniel:

And what exactly is going to happen when the encrypted traffic comes through that specific host for roughly 60 seconds? What are they supposed to do with that? Assuming there was an attacker on that host, they wouldn't be able to crack the Tor encryption or the encryption that the person should be using if the data was confidential. In short, you gain nothing but a view of some encrypted traffic that you can't break.
That's just the thing, Daniel: they don't need to unencrypt it at all. You get the cached page that is https that also sends an email with the info the user put in the fields for c name, expiration date etc.

In the instance where I helped to put a stop to it, the page in question was https. When the user hit submit they got no warning at all. All they got that might alert some people was a warning about the cert.

From Tor's very own FAQ, as another poster mentioned, it's exactly as I thought it might be. Each PC using Tor is also a proxy for Tor. And if they are infected with something then so are you, essentially. If they have a proxy that feeds a cached page that's been modified then you will see that page and not the real page. If that cached page is made to send emails of what you type in, it will. These emails will not be encrypted and the person who receives them will have your information. As I said, this is not just some idea of a potential threat; this has happened once in my personal experience (well, on one site that affected 12 or 15 users) and at least twice that I know of. The other time I know of, it was a bank's web site that was targeted.
--
DSLR security chat at us.ausirc.net channel #dslr_sec - let's pack this channel
open source DNS server for *nix and Windows »powerdns.com


MattUK
Premium
join:2003-03-23
UK

said by novaflare:

And if they are infected with something then so are you, essentially.
I do not understand your logic here. If a Tor proxy is infected, so what? How exactly is it going to spread this through Tor to other systems? Or am I missing the point entirely?

My understanding is the same as Daniel and others in this thread. It is about anonymity not encryption, firstly. Any upstanding website that requires personal info will use SSL, which I think you could agree is pretty safe? So how does the Tor system magically decrypt the SSL allowing a Tor proxy to see the info?
--
»forum.gladiator-antivirus.com /// Gladiator Security Forum Admin // »www.kleendesigns.co.uk/blog


novaflare2

@brown.edu

Results from a port scan while behind Tor using the dslreports port scan.
What does this mean? Well, for spammers a lot; note port 25 open. I won't post the IP but I did test it and sure enough, open mail relay. I sent myself an email to test. Spammers will enjoy Tor. They can use it to send out mega amounts of spam and no need to even bother forging headers. Hell, they don't even need to get someone to install a spam bot. All they need to do is run a nice email server on their own computer with mailing list features, fire up good old Tor and have a field day.
Or they can run port scans from dsl reports or any number of other sites like grc and find lovely open mail relays.

TCP default : CLOSED We received a response packet that no service is available.
TCP 22 : OPEN The port is open.
6 - Read

TCP 25 : OPEN The port is open.
5 - Read

TCP 53 : OPEN The port is open.
8 - Read

TCP 110 : OPEN The port is open.
5 - Read

TCP 143 : OPEN The port is open.
1 - Read

TCP 873 : OPEN The port is open.
1 - Read

TCP 993 : OPEN The port is open.
1 - Read

TCP 995 : OPEN The port is open.
1 - Read

UDP default : CLOSED We received a response packet that no service is available.
UDP 53 : OPEN The port is open.
7 - Read

UDP 123 : OPEN The port is open.
5 - Read


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to MattUK
said by MattUK:

said by novaflare:

And if they are infected with something then so are you, essentially.
I do not understand your logic here. If a Tor proxy is infected, so what? How exactly is it going to spread this through Tor to other systems? Or am I missing the point entirely?

My understanding is the same as Daniel and others in this thread. It is about anonymity not encryption, firstly. Any upstanding website that requires personal info will use SSL, which I think you could agree is pretty safe? So how does the Tor system magically decrypt the SSL allowing a Tor proxy to see the info?
On SSL, it's only safe as long as you're getting a fresh page. I've given the example a dozen times. All someone needs to do is cache the page on a local proxy, say squid for example. They then modify the cached page to also email them the info you enter. The site I used as an example used SSL and the information was still stolen. On my test of going through the proxy that was used I was able to log right in without any troubles at all. The SSL cert showed as valid for the domain etc. As seen from my previous post, multiple ports were open on a single tested IP. If I tested more I'm sure I'd find squid proxies running on a lot of Tor IPs. Then again, as in my test above, open mail relays are also found. In 3 scans of 3 IPs I found 2 open mail relays. Also found port 139 open on the one. This is frightening to me. Do you realize how much damage even I could do with port 139? I could infect them with basically anything I wanted without them doing anything more than rebooting their computer. I would not be afraid to bet that this particular computer has default administrative shares and that means I can drop files anywhere I want, including the startup folder. Worse yet, their logs would likely show that it was a local loopback connection thanks to Tor.

There will never be a secure proxy network. Tor is as insecure as those open proxies found on Google. Simply put, an infection there may as well be a keylogger on your own system. But here's the real trouble. Due to the ability to cache pages and display them to the user, a hacker doesn't need to sift through logs to find what he wants; he just needs to check his email for login information, CC information etc. SSL, HTTPS etc. does not matter when the page you put your info into is a cached page running on a proxy server you're on. That cached page can be modified with ease; I did it myself to test my idea out when those 12 or so people got their CC numbers stolen. (NO, I will not demonstrate it or explain how it's done.)
The server I set up was SSL enabled and was https. In the end none of that mattered. I used squid to provide the cached page that I had modded to send me the email with the Hotmail and other test page information.

--
DSLR security chat at us.ausirc.net channel #dslr_sec - let's pack this channel
open source DNS server for *nix and Windows »powerdns.com


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to novaflare
said by novaflare:

From Tor's very own FAQ, as another poster mentioned, it's exactly as I thought it might be. Each PC using Tor is also a proxy for Tor.
Uh, no. There is a separate installation for a Tor server. A Tor server is what people bounce through -- not Tor clients. Pardon the sarcasm, but the word "server" is key there, i.e. a daemon offering a service to others.
--
dmiessler.com - grep understanding knowledge


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to Daniel
I give up. Use it, and when someone does get their personal information and CC numbers as a direct result of the mighty Tor I'll be here to say I told you so. This thing is going to lead to just that. Like all the other fear-mongering anonymity proxy services before it, it will be nothing but trouble. Even if it gets to a point where it can't be cracked or used to steal identities, CC numbers etc., they will cave to pressure from ISPs and other net service providers and turn over logs of who was where and what time.

Anon and the internet go together like a hamburger and jello: both are great on their own but they just don't mix well.
--
DSLR security chat at us.ausirc.net channel #dslr_sec - let's pack this channel
open source DNS server for *nix and Windows »powerdns.com


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to novaflare
said by novaflare:

On SSL, it's only safe as long as you're getting a fresh page. I've given the example a dozen times. All someone needs to do is cache the page on a local proxy, say squid for example.
So let me get this straight, Novaflare -- you're telling me you're able to:

1. Put up a malicious Tor server and have it used by the system.
2. Sit and watch the encrypted traffic moving through it, ignoring the Tor encryption.
3. Put up a fake website for the bank being requested and somehow redirect the user to your daemon.
4. Keep the user from getting a certificate warning after you intercept them.
5. Capture all their credentials from what they thought was a secure site.

Is that what you'd have us believe?
--
dmiessler.com - grep understanding knowledge


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

said by Daniel:

said by novaflare:

On SSL, it's only safe as long as you're getting a fresh page. I've given the example a dozen times. All someone needs to do is cache the page on a local proxy, say squid for example.
So let me get this straight, Novaflare -- you're telling me you're able to:

1. Put up a malicious Tor server and have it used by the system.
2. Sit and watch the encrypted traffic moving through it, ignoring the Tor encryption.
3. Put up a fake website for the bank being requested and somehow redirect the user to your daemon.
4. Keep the user from getting a certificate warning after you intercept them.
5. Capture all their credentials from what they thought was a secure site.

Is that what you'd have us believe?
Why bother capturing data at all when all you need to do is have the bogus web site email it to you unencrypted? Depending on the site in question there will be no warning because the cert is valid; some sites will warn the cert is invalid and some users might even pay attention to it. But for every user who does there will be at least 1 other who doesn't.
No need to redirect: set up the malicious proxy server that Tor will use, for example squid with the non-expiring cached page, and sit in wait for your Tor server to be used.

Sure, it's unlikely on a user-by-user basis, probably a one in a few 1000 chance that it will put them onto your node, daemon etc. And even less of a chance they will be going to a site whose login page you modded and cached. But fact is, given enough time you will get hits to that page and you will get their information. If I was going to do it I'd target bank of america first merit bank one and star bank. I'd also target PayPal and eBay. I'd likely also make a bogus MSN and Hotmail login page to steal email addresses. I know from seeing people do it that a lot of people will give other people SSI numbers, CC numbers etc. through highly insecure email.
If I targeted all of those and had success at getting the login pages to work as intended I'd probably get 10 to 15k in the first year easily. Tor is nothing more than a socks proxy that can connect to another proxy such as squid, privoxy etc. My guess is it wouldn't be too hard to forge the traffic for Tor and trick the network into thinking your plain old squid is a Tor server. Either way it's not a stretch for any of this to happen.

This argument is no different than the one I had with a friend of mine who swore his heavily modified phpBB was secure and was not vulnerable. Right now he's on day 3 of repairing the damage to his site from where someone hacked said phpBB.
I've cleaned up messes caused by proxies; I've helped to secure a site or 3 against such tactics. The securing of a site is pretty simple. Just deny any computer behind an open proxy.

If you're behind a proxy one day and have a site tell you to "turn off your proxy then hit F5 to refresh after to view this web site", that is one of the sites I helped to secure. It scans some 35 proxy ports when you connect to the site.

Fact is, any time you're using a proxy to visit a secure site you're taking a chance that you're tossing every single bit of security on that site in the trash can. Regardless of the proxy or proxy network you use.
--
DSLR security chat at us.ausirc.net channel #dslr_sec - let's pack this channel
open source DNS server for *nix and Windows »powerdns.com
© 1999-2009 dslreports.com