Forums » Up and Running » Security » Security » Anonymnity: Introduction To The Tor Network
Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:

reply to novaflare
Re: Anonymnity: Introduction To The Tor Network

said by novaflare:

Why bother capturing data at all when all you need to do is have the bogus web site email you it unencrypted?
I think I'm done here.
--
dmiessler.com - grep understanding knowledge


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000

said by Daniel:

I think I'm done here.
Now you see =)

Just to stir the fire. Just imagine the fun once they realize you can do this with every router along the way too.. Never mind tor.. THINK OF THE ROUTERS MAN!!

OMGHAXORZ!!one!11

=)
--
"I can't stand the package managers that come with Linux. RPM, Portage, and the rest don't even let you build from source. The ports collection was all I needed." - Some FreeBSD jackass

jp10558
Premium
join:2005-06-24
Willseyville, NY

reply to Daniel
Yeah, it's rather obvious that novaflare either has a woefully inadequate understanding of how TOR, SSL, Squid, DNS and multiple other web technologies function, or is a troll.

The main point is, if you are ignoring SSL cert warnings on "secure" pages, then you're screwed whether you use TOR or not. This whole thing requires a user ignore and click through a scary "this site is not secure" dialog that even IE pops up, and then enters personal information.

To reiterate, the above "flaw" is in no way related to or assisted by TOR, it can happen via any number of phishing techniques such as e-mails, DNS poisoning, IM bombs, browser hijacks, hosts file compromise etc...
--
Opera 8.02(Build 7680); Windows XP Pro SP2;Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Sygate Pro 5.5(Build 2637);Proxomitron 4.5j Grypen 7/26/05(Opera mod),GPG ID:0x0A1C6EE3

B
Premium,MVM
join:2000-10-28

I've managed to ignore most of this spat, and don't know Tor well, but...

isn't there still a substantial difference between using "The Internet" and using Tor for unencrypted traffic? Isn't each "onion router" that touches your unencrypted traffic able to view that traffic?

For example, if I log in to DSLR with Tor, can one or more of these onion routers (really PCs) see my userid and password?

Sure, my IP address may be sufficiently obscured, but there are all sorts of data that don't lend themselves to SSL but also aren't exactly postcard-global-read worthy.

»wiki.noreply.org/noreply/TheOnio···1bec7ac1 seems to touch on this concern?

This would seem to me to be a significant risk over and above that of normal web surfing, in which you merely have to trust the (real) routers handling your unencrypted traffic.

My apologies in advance, since this has likely been explained already.

-- B
--
In a realm outside causality and function


wormie

join:2000-11-19
Lowell, MA

The final node you touch is indeed able to see your data provided it's unencrypted. If you don't trust this exit node (and you probably shouldn't) then yes, you have reason to be concerned. More importantly, you have reason not to ever use unencrypted logins, period.

Tor is only designed to hide your IP address, if you give your identity away in other ways it's a different issue entirely.

Logging into DSLR without SSL is hardly a big deal. Worst-case scenario somebody posts something obnoxious under your name. If you're logging into a site that can cause you serious trouble in real life, you would be foolish not to use encryption.

Again though, this isn't what Tor is about. Its purpose is to hide your IP address. Beyond that, security is up to you. Tor hides your IP address, just like it's designed to do. If you go blabbing all your other information via unencrypted connections it's really not Tor's fault.
--
What Would Jim Jones Do?


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:


1 edit
reply to B
said by B:

Isn't there still a substantial difference between using "The Internet" and using Tor for unencrypted traffic? Isn't each "onion router" that touches your unencrypted traffic able to view that traffic?
Well, no. Tor encryption makes it so that individual hosts can't compromise the traffic. Not only is the traffic itself encrypted as it's being relayed, but the only source and destination being seen by each OR are the source and destination of the previous and next hops. It's quite nice. Here's something about the encryption used:

said by the Tor website:

In the original Onion Routing design, a single hostile node could record traffic and later compromise successive nodes in the circuit and force them to decrypt it. Rather than using a single multiply encrypted data structure (an onion) to lay each circuit, Tor now uses an incremental or telescoping path-building design, where the initiator negotiates session keys with each successive hop in the circuit. Once these keys are deleted, subsequently compromised nodes cannot decrypt old traffic.
But yeah, the last hop obviously sees the unencrypted traffic (if you didn't encrypt it yourself), and the source from their point of view is themselves, with a destination of your original destination. Return traffic goes backwards, with the destination being the previous Tor OR in the chain.
--
dmiessler.com - grep understanding knowledge


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:

reply to B
said by B:

»wiki.noreply.org/noreply/TheOnio···1bec7ac1 seems to touch on this concern?
Ah, but that's only the exit node, and only if you don't use SSL.

The previous two nodes only got encrypted traffic and didn't even know what the final destination was. They couldn't see crap. The exit node needs to see the original data and the original destination in order to hand it off. The beauty of the system comes in the two hops before that, and the fact that even that exit node has no idea what the original source was.
--
dmiessler.com - grep understanding knowledge
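The layering described in the two posts above (per-hop session keys, entry and middle relays seeing only ciphertext, the exit relay seeing whatever the client sent), as an added example that is not part of the original thread. The cipher is a toy SHA-256 keystream rather than Tor's real cell encryption, and the keys, host name and login request are constructed for illustration; the second case uses an extra client-to-site key as a stand-in for SSL whose certificate the user actually checked.

```python
import hashlib

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || counter) blocks.
    Stand-in for a real cipher; applying it again with the same key removes the layer."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

# Circuit order and constructed per-hop session keys. In the telescoping design
# the client negotiates one key with each relay; these values are made up.
ORDER = ("entry", "middle", "exit")
HOP_KEYS = {name: hashlib.sha256(b"constructed-key-" + name.encode()).digest()
            for name in ORDER}

def client_wrap(payload: bytes) -> bytes:
    """Client adds one layer per hop: exit layer first, entry layer last."""
    cell = payload
    for name in reversed(ORDER):
        cell = xor_layer(HOP_KEYS[name], cell)
    return cell

def relay_views(cell: bytes) -> dict:
    """Pass the cell along the circuit; record what each relay holds
    after removing only its own layer."""
    views = {}
    for name in ORDER:
        cell = xor_layer(HOP_KEYS[name], cell)
        views[name] = cell
    return views

# Constructed sample: an unencrypted forum login as the client would send it.
PLAIN_LOGIN = (b"POST /login HTTP/1.0\r\nHost: forum.example\r\n\r\n"
               b"user=alice&password=hunter2")

def who_sees_password(payload: bytes) -> dict:
    """Map each relay to whether the cleartext marker is visible to it."""
    return {name: b"password=" in view
            for name, view in relay_views(client_wrap(payload)).items()}

def demo():
    # Case 1: plain HTTP through the circuit.
    plain = who_sees_password(PLAIN_LOGIN)
    # Case 2: the same request first encrypted under a key shared only with
    # the destination site (constructed; models end-to-end SSL).
    site_key = hashlib.sha256(b"constructed-client-to-site-key").digest()
    protected = who_sees_password(xor_layer(site_key, PLAIN_LOGIN))
    return plain, protected

if __name__ == "__main__":
    plain, protected = demo()
    print("plain HTTP :", plain)
    print("end-to-end :", protected)
```

The end-to-end case only holds when the key really is shared with the destination, which is what the certificate warning discussed elsewhere in the thread is checking.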

B
Premium,MVM
join:2000-10-28


1 edit
reply to wormie
said by wormie:

Again though, this isn't what Tor is about. Its purpose is to hide your IP address. Beyond that, security is up to you. Tor hides your IP address, just like it's designed to do. If you go blabbing all your other information via unencrypted connections it's really not Tor's fault.
Thanks guys; I understand better now -- the last hop onion router is the only one that sees the information in the clear, because it delivers to the destination. But here's the thing I think is being conveniently overlooked.

You say "it's not Tor's problem" and "its only purpose is to hide your IP address" but that's disingenuous -- because Tor is INTRODUCING a problem by the way it's fulfilling its IP-address-obscuring purpose.

It's NOT simply a drop-in replacement for normal unproxied connections because it ADDS a level of risk that was not there previously! That risk must be evaluated in any cost/benefit analysis of the technology.

I'm not saying it's a huge, deal-breaking risk, or that it could even be avoided, but it's there, and anyone using Tor should probably understand that. Their unencrypted communication can be clearly read by at least one computer that otherwise would not be privy to it. The degree of trust in that last-hop onion router must be paramount, I would think. Excusing it away with "oh you should use encryption anyway" seems a bit weak to me. (I generally trust Internet backbone routers and generally distrust public proxies.)

-- B
--
In a realm outside causality and function


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

reply to jp10558
said by jp10558:

Yeah, it's rather obvious that novaflare either has a woefully inadequate understanding of how TOR, SSL, Squid, DNS and multiple other web technologies function, or is a troll.

The main point is, if you are ignoring SSL cert warnings on "secure" pages, then you're screwed whether you use TOR or not. This whole thing requires a user ignore and click through a scary "this site is not secure" dialog that even IE pops up, and then enters personal information.

To reiterate, the above "flaw" is in no way related to or assisted by TOR, it can happen via any number of phishing techniques such as e-mails, DNS poisoning, IM bombs, browser hijacks, hosts file compromise etc...
Actually, what I am is someone who has seen this all in the past. Tor claims you will be anon now, but give them some time and they will disclaim it in such a way that all any webmaster needs to do is request the logs. And guess what, they will hand them over, no questions asked. Just like Anonymizer does. Then there are in fact a lot of security threats to this; see them or not, they are there. Simply put, once you leave the Tor network your packets have to be in an unencrypted state or the web site in question won't give you anything and you won't be able to log in. So on the exit node, like it or not, it can be seen in clear text. 'Course everyone will deny it all and try to shoot down every argument made against Tor. Then one day there will be reports of a compromise of personal information and it will be tracked down and turn out, oops, I was right all along. You can never be anon and be online. Big deal, your IP belongs to someone else's computer. Go hack Newegg's server while on Tor and see how long your precious anon status lasts. Tor is nothing more than a troll tool, a way for them to bypass bans, just like all other proxies with a tiny number of exceptions.

You want to see the truth about Tor? Fire it up, come here and do a port scan, shut down, restart Tor, repeat. Then ask yourself how many of these Tor proxy servers are infected with all manner of spyware, trojans, keyloggers, sniffers, etc. Do you really want to trust a computer whose owner doesn't even know to close off port 139 from the outside world? I found no less than 8 PCs running Tor with 139 wide open out of 10 I checked. Out of those 10, 3 had BO trojans running on them; others had other trojan ports open. Then there are the 5 that have open mail relays (likely spam bots). Then there were 6 that have the port responsible for messenger spam open to the outside world as well. Then there are the ones running Squid proxies open to the outside world. Squid was what I found to be responsible for credit card theft some time ago, when some 12 to 15 users of one site had their CC numbers stolen; total charges for those users were over $18,000. Not all were able to have those charges removed. I try to point out something all users of this proxy network should be aware of, like a potential security threat, and get called a troll. Get my argument shot down without any proof to the contrary. In this thread I have been misquoted half a dozen times. I mentioned that there was no need for a hacker to decrypt SSL or any other form of encryption by simply creating a custom page for login, CC, etc. info that also emails them the same information but with no encryption. And not all sites will present a warning about an invalid cert because you're using a cached copy of the page. In fact many sites won't, including Newegg. Don't forget many large ISPs also feed users cached pages. The sites that do give a warning about SSL certs when the page is viewed from a cached copy, in this case many users will ignore the warnings.
--
DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel
open source DNS server for *nix and Windows »powerdns.com


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA
clubs:

said by novaflare:

In this thread I have been misquoted half a dozen times. I mentioned that there was no need for a hacker to decrypt SSL or any other form of encryption by simply creating a custom page for login, CC, etc. info that also emails them the same information but with no encryption.
You ignore the facts, though, dude. Don't you realize that you have to be on the exit node in order to even see any traffic? If you are on one of the other two, Tor's encryption hides everything, including the real source and destination for the traffic.

You claim that we should disprove you. In fact, though, it is you making the claim that no one else here believes. The burden of proof is on you, my friend.
--
dmiessler.com - grep understanding knowledge


novaflare
The Dragon Was Here
Premium
join:2002-01-24
Barberton, OH

said by Daniel:

said by novaflare:

In this thread I have been misquoted half a dozen times. I mentioned that there was no need for a hacker to decrypt SSL or any other form of encryption by simply creating a custom page for login, CC, etc. info that also emails them the same information but with no encryption.
You ignore the facts, though, dude. Don't you realize that you have to be on the exit node in order to even see any traffic? If you are on one of the other two, Tor's encryption hides everything, including the real source and destination for the traffic.

You claim that we should disprove you. In fact, though, it is you making the claim that no one else here believes. The burden of proof is on you, my friend.
And where does this exit node reside? If I'm understanding this correctly, that exit node can reside on an infected PC or one set up with the express purpose of stealing personal information. Am I correct in assuming that the IP you see here and on other sites is your exit node? I'm pretty sure this is the case. Once on the exit node the traffic is then unencrypted and the only protection you have is SSL, which in the case of cached customized theft pages is pretty meaningless. Now, I only made POC pages for 3 or 4 sites, one being Newegg's page for filling out CC etc. information. What I found in Newegg's case was a glaring lack of any warning about the SSL cert. The cert popped up just fine and was without any warning that there was even a remote chance that it was incorrect.

You have missed my point totally. I'm not saying that Tor is any worse than any other anon proxy service; it may in fact even be better than most. But the security threats are no different. At the moment I have no computer that I can run Squid on, nor the time to recreate my POC pages. Here's some info to help get someone started. In 2 of my POC pages I simply used readily available code for contact-us email forms where, when you click submit, it sends that information to an email address behind the scenes. I modded the code slightly and pasted it into an original login page for Hotmail's login; I also modded it slightly. To hide what I did so you couldn't tell by page size, I stripped some white space till the page sizes were identical. Another method you could use to get the same result is using SSI to load your email-me code into the correct areas. All this would do is allow you to strip fewer whitespaces out. If such a page were to reside on an exit node on Tor it would have the same exact effect. It would likely take a little more work, but my guess is not much more. Will Tor be a popular vector for this sort of thing? I think the answer to this is no; hell, even using Squid and other caching proxies isn't widespread. The people who did this for the game in question were highly organised. All the various law enforcement people would tell us unrelated to our own case was that they had also done this and similar things with other sites. They also gave us a rough idea of the total amount of the theft, which was way over 3 million USD. They had only been doing it for about 6 to 8 months.

Apparently me and the others who worked out how this was done were instrumental in catching these guys. Too bad they never offered us any reward money in exchange for it.

I suppose I could create another POC page and build my old firewall box again and show you how it can be done. You'd have to connect to the Tor network who knows how many times to get on my Tor server, but it could be done. I suppose a good example target would be Hotmail again. Basically, how I proved it was I had some of the victims create test Hotmail accounts using log usernames and passwords. Then I just gave them their information they entered.
--
DSLR security chat at us.ausirc.net channel #dslr_sec, let's pack this channel
open source DNS server for *nix and Windows »powerdns.com


BeesTea
Network Janitor
Premium,VIP
join:2003-03-08
00000

said by novaflare:

I suppose I could create another POC page and build my old firewall box again and show you how it can be done. You'd have to connect to the Tor network who knows how many times to get on my Tor server, but it could be done. I suppose a good example target would be Hotmail again. Basically, how I proved it was I had some of the victims create test Hotmail accounts using log usernames and passwords. Then I just gave them their information they entered.
Yes, please do this.

Your posts show that you've little idea what you're talking about and that you haven't so much as read even the overview section of the tor whitepaper. You can post all the play along at home detective stories you'd like, they don't lend anything to your point and frankly I doubt a single person believes them.

Go set up your POC and stop wasting everyone's time.
--
"I can't stand the package managers that come with Linux. RPM, Portage, and the rest don't even let you build from source. The ports collection was all I needed." - Some FreeBSD jackass


sivran
Long Live The Suite
Premium
join:2003-09-15
Arlington, TX
clubs:
reply to Daniel
Using this has, as any proxy I've tried before it, slowed my browsing to a crawl.


cowboy
So Much For Subtlety
Premium
join:2000-03-14
Morgan Hill, CA
·Covad Communications
·DSL EXTREME

reply to novaflare
If you're behind a proxy one day and have a site tell you to "turn off your proxy then hit F5 to refresh after to view this web site", that is one of the sites I helped to secure. It scans some 35 proxy ports when you connect to the site.
hehe, I'll never be able to use one of your 'secure' sites... I'm not behind a proxy, but as soon as your scanner hits a few ports on my box it will automagically be firewalled to oblivion !
--
Richard Nelson

NeOmega

join:2004-11-18

reply to sivran
In response to Sivran:
(how do you get respond with quotes? Or is that premium member only?)

It will slow down your browsing always, technically.

It increases the amount of data flow to 512 bits/bytes or something like that, so no-one can see how much activity is being done. That's as far as I understood it in the FAQ's.

Also, you are adding extra hops, and usually exiting out of somewhere far away from your home.

But you really are not supposed to use Tor all the time, it will make you more traceable. You should use it on an as needed basis, IMHO.

anyways... here is the technical FAQ »wiki.noreply.org/noreply/TheOnio···r/TorFAQ
and I think it answers a lot of issues being raised here.

inTulsa
Premium
join:2002-02-24

reply to Daniel
Tor anonymizes by sending data through servers that your ISP wouldn't have. The potential problem is that you have to trust that those servers are not malicious in any way. I trust my ISP routing more than I can trust unknown / unpredictable servers.

I have my own HTTP proxy and other forms of proxies like SOCKS. It might amaze some people what can be done with content as it traverses connections. A proxy can modify (or log) any piece of content, or it can replace whole domains with "something else" without the user having any clue. My proxy spoofs Yahoo mail to look like a sub-path of my own domain; Gmail and hotmail appear to be other paths. Going the other way, spoofing hotmail with any other site or path, is really easy. It can also replace IP (no domain name) connection requests with different destinations, all done transparently.

Remember too that even Proxo can manipulate SSL content by playing MiTM. The only trick in doing that is the user importing a trusted certificate to avoid some browser warnings.

I believe that any benefit gained from becoming "anonymous" is not worth the potential loss of security, privacy, and in most cases performance. But some people have nothing really worth protecting, or the need to be occasionally anonymous is too great, so for them Tor and other anonymizer methods are a means to that end. I certainly wouldn't access email or key in a CC# through one.

NeOmega

join:2004-11-18

Well, I certainly would not trade stocks online, or use passwords, or any of the other stuff like that, through Tor.

But it is a little more convenient than any other method I've seen, for say, when someone stole your girlfriend's photography, posted it on a website, claiming it was his own, trademarked it, and when you call him on it, bans your IP from his website.


Wildcatboy
Premium,Mod
join:2000-10-30
Toronto, ON

Host:
Security Product V..
Security
reply to Daniel

I think what novaflare has been trying to say and hasn't been successful in conveying it, is that each Tor server belongs to a totally unknown and most likely untrusted user. The fact that the communication is encrypted won't be enough to stop compromise of your data.

I too haven't had a chance to read the complete overview of Tor but it would be great if someone could clarify this for me:

Let's say I build a Tor server and I also run a proxy server on it that directs all requests for paypal.com, eBay.com, major banks, etc... to my own version of those web pages residing on my server. What in the Tor system prevents me from redirecting you to my page? You as a user try to go to paypal, you see my version of it which by the way is quite convincing and you enter your username and password. You can't login and you say to yourself "Oops, Paypal must be down." and move on.

I have your password and the encryption didn't do anything. So can someone tell me how Tor prevents me from doing that and what safeguards are in place? This is a question that novaflare has been asking and I haven't seen an answer for it yet or perhaps I missed it.
--
You can catch the Devil, but you can't hold him long.
over 10 years online! © 1999-2009 dslreports.com.