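Computer security lesson: Tor isn’t security
A Swedish computer security researcher has discovered that users of the Tor Internet service (which makes your Internet traffic more or less anonymous) apparently thought it also encrypted their traffic all the way to its destination and made it secure, which it doesn’t. Traffic is encrypted inside the Tor network, but what leaves the last Tor node for the destination is only encrypted if the protocol in use, such as https, encrypts it.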
Wired News reports:
A little over a week ago, Swedish computer security consultant Dan Egerstad posted the user names and passwords for 100 e-mail accounts used by the victims, but didn’t say how he obtained them. He revealed Friday that he intercepted the information by hosting five Tor exit nodes placed in different locations on the internet as a research project.
Egerstad was able to get email accounts and passwords and read emails sent by the worthies at the Iranian embassy, among other groups. Even though Egerstad is in Sweden and there were no U.S. government agencies whose Internet traffic he intercepted, the Web host that hosts his blog apparently got a take-down notice from some unnamed U.S. law enforcement agency. I wonder if Egerstad has revealed a U.S. intelligence gathering mechanism.
There’s another lesson in this, of course: This computer security stuff shouldn’t be taken lightly, and there’s a big dangerous world out there. Use good passwords. And use ‘https’ when you’re doing anything online that involves passwords or email you want to keep confidential.
Shava Nerad Said,
September 10, 2007 @ 6:59 am
I couldn’t agree more on the https thing with passwords. Although in this case the breach of security involves Tor, millions more accounts and passwords are probably exposed every day on open unencrypted wireless, for example.
It is important, I think, to understand that you should never give a username and password to a web site that has an “http” address, only to “https” addresses. A connection through Tor can be encrypted end-to-end — but only if one is communicating with a secure protocol — https: or encrypted chat both would be examples of this.
We are very careful, usually, to only put a credit card into a web page that has a “lock” symbol in the corner of the browser window. Everyone should be equally careful never to give a username and password to a page that is not “locked” — not secure. Will it take more than the decade since secure e-commerce sensitized us to financial info to sensitize ourselves to the usernames and passwords which often *guard* the financial info?
You should at the least use different passwords for insecure accounts, like those at wired.com, which ask you to give a username/password on an unencrypted link. But even this can open you up to people posting things you wouldn’t wish to have said in your name.
It is only through understanding our security online — through understanding tools such as Tor, and what https: means, and what a phishing attack is, and so on, that we can manage our risks online.
The last node through which traffic passes in the Tor network does not in fact need to pass data to the destination unencrypted — if the origin and destination are using a protocol that supports encryption.
You wouldn’t say that the people who make your backup software are at fault if they don’t force you to back up your files regularly. We, like the backup software creator, warn people in our documentation that the protection of Tor is not foolproof without educated and disciplined use. And like backup software, if you don’t use it right, it can do nothing to change what has already occurred.
We have advised, and continue to advise users of the Tor network to use encryption end-to-end whenever it is prudent and/or possible. But those end-to-end encrypted products (https, encrypted versions of email and chat) are available to the users in many forms — it would not be proper for us to dictate what people should use, but only encourage them to take precautions.