Downloading attachments with Tor - is this secure?
Aplin, Justin M
jmaplin at ufl.edu
Fri Jun 18 10:30:49 UTC 2010
On 6/18/2010 3:06 AM, Matthew wrote:
> Apologies in advance for the basic-ness of this question. I cannot
> find the answer with Google or in the Tor documentation.
I believe the answer you're looking for is #4 here:
https://www.torproject.org/download.html.en#Warning
> In these cases, how is the file downloaded? Does the download happen
> through HTTP/S? If I am using Polipo and Tor then I assume the file is
> downloaded as HTTP/S and goes through the Tor nodes like any "normal"
> HTTP/S traffic.
This depends on where you're downloading from. Tor encrypts everything
between you, the clients in your circuit, and the exit node. However,
when traffic enters or leaves the exit node, it is *exactly* as if the
exit node were visiting that website for itself. So, if you are
downloading over standard HTTP, *nothing between the website and the
exit node will be encrypted*. This usually isn't a terrible problem with
downloads that don't contain any personal information that leads back to
you, as it would be extremely difficult to follow the encrypted data
over several hops through the network.
*However*, as the documentation says repeatedly, use HTTPS wherever
possible, *especially* when communicating sensitive information that
could lead back to you. This way, the traffic between the exit node and
website is encrypted, and doubly so between you and the exit node. Much
less will be gained by examining the traffic coming to/from the exit.
Hope that answers your questions.
(Side Note: the above does not pertain to .onion websites or other
hidden services, which are contained completely within the network.)
~Justin Aplin
***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk in the body. http://archives.seul.org/or/talk/
More information about the tor-talk
mailing list