 jp10558 Premium join:2005-06-24 Willseyville, NY
reply to novaflare
Re: Anonymity: Introduction To The Tor Network
said by Wildcatboy :
I think what novaflare has been trying to say and hasn't been successful in conveying it, is that each Tor server belongs to a totally unknown and most likely untrusted user. The fact that the communication is encrypted won't be enough to stop compromise of your data. I too haven't had a chance to read the complete overview of Tor but it would be great if someone could clarify this for me: Let's say I build a Tor server and I also run a proxy server on it that directs all requests for paypal.com, eBay.com, major banks, etc... to my own version of those web pages residing on my server. What in the Tor system prevents me from redirecting you to my page? You as a user try to go to paypal, you see my version of it, which by the way is quite convincing, and you enter your username and password. You can't log in and you say to yourself "Oops, Paypal must be down." and move on. I have your password and the encryption didn't do anything. So can someone tell me how Tor prevents me from doing that and what safeguards are in place? This is a question that novaflare has been asking and I haven't seen an answer for it yet, or perhaps I missed it.

said by jp10558 :
Well, with paypal - it is SSL before you ever enter your password. So, paypal prevents it with or without tor. eBay is the same. So, unless you somehow get a verisign SSL cert claiming you are eBay or Paypal, I don't get the problem... Every financial site I've seen is like this - and if you are in the habit of paying for things without it being secure, TOR isn't going to help - but I doubt it will hurt either. So, yes, I suppose you could spoof yahoo e-mail, but who's using TOR to access their e-mail anyway? I mean, if you have to authenticate yourself to the end site, I don't see how it was worth all the anonymizing steps... And if you mean to say you're spoofing google search, you're not getting private info that way...

said by novaflare :
When you're entering info into a modded cached page it does not matter how secure the real site is. SSL never plays a part. Hell, why even bother presenting the user with a cert, fake or real? Most will assume this is normal and just enter and submit away. URL will show correct, anti-phishing apps and methods will be no good, etc.

Ok, I don't know about IE, but in Opera, there's this big yellow bar that shows up in the address bar when the site is secure. It's not there if the site isn't SSL authenticated. If you have a spoof that pulls up that bar without an SSL cert, I want to see it, so I can report the vulnerability to Opera.
At some point, you can't protect ignorant people. If these are the people falling for the Nigerian scams etc... it doesn't matter if they have TOR or not. As I said before, there are numerous equivalent methods to phish them, and they are at equal risk without TOR.
More so, I'm guessing the people who even know about TOR, much less can manage to set it up, aren't technical neophytes, nor the best targets for phishing. I.e., the people who don't use IE, and who know to look for SSL auth before inputting their CC#.
I'd also guess that these people would realise there is little point in using TOR to then tell the site who you are, where you live, and your CC# to order something on a legit site. There's little point using TOR to check yahoo e-mail; as I said before, if you are going to ID yourself to the end site, don't waste the time or overhead with TOR. It's pointless.
OTOH, if you aren't going to those sites for the reasons above, then the possible spoof sites aren't going to garner much information - One, you'll be seeing/spoofing the equivalent of google search, two, you'll only get 1-2 minutes of data before TOR yanks them to a different endpoint, so not enough to do much data analysis on searches or whatever...

--
Opera 8.02(Build 7680); Windows XP Pro SP2; Athlon 64 3400+; 1GB PC3200 DDR; 1M/128k DSL; NOD32(Version 2.5.25); Sygate Pro 5.5(Build 2637); Proxomitron 4.5j Grypen 7/26/05(Opera mod), GPG ID:0x0A1C6EE3