Tuesday, September 18, 2007

Sniffing TOR traffic

In the last few weeks some incidents regarding information leaked from the TOR network have hit the news (see my MediaDefender and Swedish hacker posts). In this post I will explain how this can happen, how you can try it out yourself and how you can protect yourself against it.

What happened?

People using the TOR network to guarantee their privacy have used the network to read their email and browse the web. Any time you use an unencrypted protocol (e.g. HTTP, POP3, IMAP), some of the people participating in the TOR network can read your traffic. The TOR network has encryption in place, but only within the network itself. When your information is sent from the TOR network to the internet server it is NOT encrypted, so the last TOR node (the exit node) can see your request (and response) in plain text.

How does it work?

So how do you set up a machine to get some information from the TOR network? It is actually pretty simple. You install a machine with your favourite OS (Linux, Windows or OSX), install the TOR client software and configure it as an exit node. Now your TOR node is routing TOR traffic and people can also use it as an exit node to request information from the internet. The only thing left is to dump the unencrypted packets to disk for analysis. There are many ways to do that, but tcpdump or similar works fine. Later analysis can be done with the dsniff tools to extract passwords, emails and chat conversations, or with ethereal for a full packet analysis.

Is TOR secure?

Yes it is. It is secure for the purpose it was made for: protecting your anonymity by encrypting all the traffic between the TOR nodes and masking your IP address from the final destination, be it www.hotmail.com or any other server. It will however not protect you from the dangers of using an unencrypted protocol. There are some other security issues with TOR, but those are for a later blog post.

How to protect against TOR exit-node sniffing?

Use encrypted protocols. Use SSL when using POP, IMAP or HTTP. Use an extra SSL proxy layer while browsing the web (e.g. proxify.com) and use POP3S and IMAPS when reading your email. Ask your email provider if these protocols are supported; most providers do.
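A practical way to check the advice above is to audit your own client's connections before routing them through TOR: anything that starts in cleartext is exactly what an exit node sees. The following is an added example, not code from the original post; it classifies the first bytes a client sends as a TLS ClientHello or as a cleartext HTTP/POP3/IMAP/SMTP command, and the session data in it is constructed, not a real capture.

```python
"""Flag cleartext application protocols in captured TCP payloads (added example,
not from the original post). Looks at the first bytes a client sends and reports
whether the session starts as TLS or as a cleartext protocol an exit node can read."""
import re

def is_tls_client_hello(data: bytes) -> bool:
    # TLS record: content type 0x16 (handshake), version 3.x, handshake type 0x01 (ClientHello).
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)

# Cleartext fingerprints: HTTP request line, or the first command of a mail session.
_HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
_IMAP_RE = re.compile(rb"^[A-Za-z0-9]+ (LOGIN|AUTHENTICATE|CAPABILITY|STARTTLS)\b", re.IGNORECASE)
_POP3_RE = re.compile(rb"^(USER|PASS|CAPA|APOP|STLS)\b", re.IGNORECASE)
_SMTP_RE = re.compile(rb"^(EHLO|HELO) ", re.IGNORECASE)

def classify_client_payload(data: bytes) -> str:
    """Return 'tls', 'cleartext-<proto>' or 'unknown' for the first client bytes."""
    if is_tls_client_hello(data):
        return "tls"
    if _HTTP_RE.match(data):
        return "cleartext-http"
    if _IMAP_RE.match(data):  # before POP3: IMAP commands are prefixed with a tag
        return "cleartext-imap"
    if _POP3_RE.match(data):
        return "cleartext-pop3"
    if _SMTP_RE.match(data):  # a later STARTTLS upgrade is not tracked; still flagged
        return "cleartext-smtp"
    return "unknown"

def audit_sessions(sessions):
    """Given {(dst, port): first_client_bytes}, list sessions an exit node could read."""
    return [f"{dst}:{port} {verdict}" for (dst, port), payload in sessions.items()
            if (verdict := classify_client_payload(payload)).startswith("cleartext-")]

# Constructed sample sessions (not real captures); the TLS ones are truncated ClientHellos.
SAMPLE_SESSIONS = {
    ("mail.example.net", 110): b"USER alice\r\n",
    ("mail.example.net", 995): bytes.fromhex("16030100a5010000a10303") + b"\x00" * 20,
    ("www.example.com", 80): b"GET /inbox HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    ("www.example.com", 443): bytes.fromhex("160301009d010000990301") + b"\x00" * 20,
    ("imap.example.net", 143): b"a001 LOGIN alice secret\r\n",
}

if __name__ == "__main__":
    for finding in audit_sessions(SAMPLE_SESSIONS):
        print("exit node could read:", finding)
```

The three cleartext sessions (POP3 on 110, HTTP on 80, IMAP on 143) are reported; the POP3S and HTTPS sessions are not, because the exit node only relays their TLS records.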

Which tools can I use for this?

5 comments:

Anonymous said...

Pretty lame how-to...

Yonathan said...

Thank you for your comment Anonymous.

Could you please point out the lame parts so I can make them more interesting for you? Maybe you like it more step-by-step or maybe more in-depth?

Yonathan

Anonymous said...

Exactly...

Anonymous said...

Using SSL can be defeated easily by a simple MITM attack... sslstrip...
