Defeat Exit Node Sniffing?
Chris Palmer
chris at noncombatant.org
Sun Mar 2 21:15:57 UTC 2008

defcon writes:
> I have been using tor for a while now, and I absolutely love it, although
> the only thing keeping me from using it, is the insecurities of the exit
> nodes. I know to truly stay anonymous you should stay away from personal
> accounts "but" how can I connect through tor to gmail or other ssl enabled
> services without risking my password being sniffed or my dns request being
> hijacked. Any advice would be greatly appreciated!

The answer is to use SSL. I'm not sure but I think you meant to say "... or
other *non*-ssl enabled services...".

In the particular case of Gmail: Gmail normally uses HTTPS for the login
phase but not thereafter. That is of course totally silly, because while the
attacker won't see your password they will still see your Gmail session
cookies. That's all they need to hijack your Gmail session -- they don't
need your password. BUT! the good news is that if you go to Gmail via
https://mail.google.com/, Gmail will use HTTPS for the entire session, not
just the login phase, and then you are as safe as anyone ever can be from
network eavesdroppers (including traffic-sniffing Tor operators).

Similarly, when connecting to your Gmail Jabber account using a stand-alone
Jabber client (like say Pidgin), you can enable SSL for authentication
purposes, but I think your chats would still go in the clear. You can solve
that problem by using the Off The Record Pidgin plugin, which gives you
confidentiality (and perhaps other properties) for your chats.

For other non-SSL services, well... don't use them when you need security.
(When using Tor or otherwise.)

Also, see the Tor technical FAQ wiki entry for this:
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#head-5e18f8a8f98fa9e69ffac725e96f39641bec7ac1
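
Added example, not part of the original post: a small audit of the login-only-HTTPS problem described in the message above. It replays a constructed request flow and reports which cookies a browser would send over plain HTTP because they lack the Secure attribute. The host `mail.example.test`, the cookie names and values, and the simplified domain matching (no Path or expiry handling) are assumptions for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed flow: (request URL, Set-Cookie headers in the response).
# Login happens over HTTPS, then the session continues over plain HTTP.
FLOW = [
    ("https://mail.example.test/login",
     ["SID=constructed-session-id; Domain=example.test; Path=/",
      "LSID=constructed-login-id; Domain=example.test; Path=/; Secure"]),
    ("http://mail.example.test/inbox", []),
    ("https://mail.example.test/settings", []),
]


def domain_matches(host, cookie_domain):
    """Simplified domain match: exact host or a subdomain of the cookie domain."""
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def exposed_cookies(flow):
    """Return (cookie_name, url) pairs for cookies sent over plain HTTP."""
    jar = []       # (name, domain, secure) for every cookie stored so far
    exposed = []
    for url, set_cookie_headers in flow:
        parts = urlsplit(url)
        host = parts.hostname
        # Cookies the browser would attach to this request.
        for name, domain, secure in jar:
            if not domain_matches(host, domain):
                continue
            # Secure cookies are withheld from http:// requests; the rest
            # cross the network, and the exit node, in the clear.
            if parts.scheme == "http" and not secure:
                exposed.append((name, url))
        # Cookies this response stores for later requests.
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                jar.append((name, morsel["domain"] or host,
                            bool(morsel["secure"])))
    return exposed


if __name__ == "__main__":
    for name, url in exposed_cookies(FLOW):
        print(f"cookie {name!r} sent in cleartext to {url}")
```

Running the same flow with every URL on `https://` reports nothing, which is the all-HTTPS session the message recommends.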