[Bulk] Re: The team of PayPal is a band of pigs and cads!
Paul Syverson
syverson at itd.nrl.navy.mil
Tue Aug 24 20:18:18 UTC 2010
On Tue, Aug 24, 2010 at 02:31:26PM -0500, David Carlson wrote:
> On 8/24/2010 5:09 AM, Michael Scheinost wrote:
>> On 08/23/2010 10:04 PM, David Carlson wrote:
>>> I am a newbie here. Since they use SSL, isn't it overkill to route your
>>> connection through Tor? I know it is a pain to switch Tor on and off
>> No, it's not an overkill since tor does not provide end-to-end
>> encryption, but anonymity on the level of IP addresses. Actually it is
>> highly recommended to use tor with ssl secured services:
>> https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#CanexitnodeseavesdroponcommunicationsIsntthatbad
>>
>> michael
> If I understand that correctly, it means that my ISP can tell that I am
> having a secure communication with, say, Paypal, even if the contents of my
> communication are encrypted. Is that correct? Wouldn't I be lost in the
> crowd of others also communicating with Paypal? If the ISP is unable to
> glean any information about the contents of my communication, where am I at
> risk?
>
Perhaps, but you are revealing to an eavesdropper anywhere between you
and the Paypal server that you, or at least someone at your IP
address, has a Paypal account, is logged into Paypal right now, etc.
Maybe for Paypal you personally don't care, but some no doubt will. A
related but perhaps clearer threat: if you have an account at some
small credit union where you used to live/work, logging in from
wherever you now live might be identifying of you to an eavesdropper,
could open you up to more plausible spear phishing, targeted DNS
redirection, etc.
There are many scenarios one could suggest. Some will apply to
you. Some won't. Maybe you don't think it is anyone's business at
Paypal whether you are at home right now as you log in or not. Or
maybe you are unhappy that someone who gets ahold of your account info
can now spoof you more convincingly because they also know your usual
IP address. If you are sure you have thought of all the current and
future threats for your particular usage and have decided that Tor is
unnecessary for your expected risk in that scenario, you could skip
it. To some extent you make those guesstimates every time you step out
the door, or heck, into the bathtub. Tor is just another mechanism to
protect you in an uncertain world. But Tor was created to separate
identification from routing, and authenticated connections over
anonymous pipes was one of the intended uses.
Some examples of where that applies are at
https://www.torproject.org/torusers.html
aloha,
Paul