Tor Used To Collect Embassy Email Passwords
Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.
Why are embassy officials using Tor? Trying to hide something?
...of a guy in a class I took who had packet sniffed our network, then reported my university e-mail password to me. Why? Because the university refused to enable SSL-secured POP3. A quick email reveals that, in fact, they were never planning to, and that I am just SOL.
Palm trees and 8
Of course something originally designed by the US Naval Research Laboratory and then spun off to an "independent pro-privacy group" such as the EFF would have loopholes, insecurities, and unwieldy aspects of it.
One thing that doesn't make sense to me: why does Tor operate MOSTLY over primary networks with non-tor functions? Doesn't it make sense that people who rely on Tor-offered anonymity would only operate the network bound to a specific NIC, a specific router and a specific network connection, separate from their main non-anonymous one? If anonymity is that important, why even bother trying to maintain an anonymous network connection concurrent with your non-anonymous one, with both utilizing the same single point of exit/entry?
Doesn't make sense.
Well, the embassies should have used this new technology called "encryption". I heard that in the future, even browsers will support it...
eknagy
Oh, wait. This is how the feds set up their kiddy porn honeypots...
Tor uses the concept of 'onion routing' to obscure the source and destination of content passed through it. What this means is that, like an onion, content is wrapped in multiple layers of destinations and buried in the ground (or routed) until, after a delay, shoots come up (the headers are interpreted and the onion is passed to another destination) and ultimately the onion is ready to be dug out of the ground (the content reaches its destination).
Unfortunately, it's possible to tell it's still an onion by the time it reaches your house. And that's what this article is referring to. If you wrapped an apple in an onion (used secure public key encryption) then you have an additional layer of security. That's a whole nother layer of complication, however.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
if you voluntarily place the said man in the middle?
Of course Embassy officials have something to hide. In fact this raises a superb example of one of the legitimate, and useful, needs for Tor. There are a lot of people, mostly in law enforcement, who'd like to see all anonymity, and especially Tor, shut down. And I'm not just referring to Communist China.
And let us not forget that Onion routing was first officially developed, and published, by the U.S. Navy back in the 90's.
Now if only Slashdot would allow me to post via lynx through Tor. "Anonymous" my butt.
I'd hate to be around when you bake a pie.
I doubt the users from these governments were using TOR to check their mail. More likely that hackers had already compromised the accounts and were using them to check the email accounts anonymously.
-AC
I would be surprised to find that this is an acceptable policy in most governments. The US government, for example, is pretty restrictive with its systems, and Tor would not be tolerated if you got caught. Sounds to me like the biggest move that needs to be made is reprimanding or firing employees, not policy.
Unencrypted POP3 logins? Sheesh, even my Grandma uses SSL to check her mail.
So.... Which University?
If governments and embassies are using it then it's likely the system is relatively secure. What's likely to have happened is the Tor code was audited by said government(s) and found to be legit. Then the clueless diplomats were told "Hey, we've set up an anonymous browsing system for you. Browse away." Then the said diplomats go out and start browsing, thinking they're completely secure (i.e. don't need encryption, it's anonymous right?) The rest is history.
I wonder about the intelligence of sniffing Tor exit ports, then mentioning you've found some (unnamed) diplomats browsing with it. I mean, you may feel like James Bond but getting loaded into the back of a van in the middle of the night isn't any fun. Neither is having the skin peeled off your fingers one at a time.
Just saying.
I have a theory that the truth is never told during the nine-to-five hours. - Hunter S. Thompson
wtf is Tor?
I thought it was common knowledge that most exit routes were owned by the very people that people think they need to keep secrets from.
... but then again I grew up in Canada, not Bosnia or whatever :-)
Personally, I'm more afraid of some script kiddie stealing my ID than the man listening to my thoughts
Someday, I'll have a real sig.
Unless he built his own Tor node, joined the network, then captured his proxied traffic - which is something ANY Tor admin could do, in which case it's STILL not particularly insightful, cool, or 31337.
That's exactly what he did. The entire point of him doing so was (he claims) to demonstrate that people using TOR are not protected from anyone reading traffic that comes out the exit nodes if they don't bother to encrypt the traffic they send into TOR.
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
The summaries don't add much? Really? How about an explanation of what Tor actually is? Ars explains, Egerstad doesn't.
Someone who sits between sender and recipient who exchange unencrypted data can sniff it? Impossible! Stunning news!
/. should implement irony tags.
Which reminds me,
Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal? I'm kinda glad someone finally points it out and that it affects some high profile target like an embassy so some people (read: politicians and other, similar entities) will actually realize that this is possible and being done, but the answers here scare me almost more.
I mean, here, we're supposedly a hint more educated than Joe Schmoe Average Browser, right? News for Nerds is hardly Weekly World News, I'd say. And still, we got people posting tinfoil crap like "Developed by $three_letter_agency" or "of course it has to have holes, it's from the EFF". WTF? Folks? Get a grip. From the exit node to the server it's as unencrypted as it would be from you to the server if you didn't use TOR. That's neither a flaw, nor an implementation error, nor some CIA/NSA/WTF conspiracy. It's simply the way the net works, if you don't use some kind of SSL encryption between the communication partners!
Sometimes I really wonder...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The problem here is not that people are using Tor, the problem is that many services use unencrypted connections and unencrypted passwords. Tor is merely a convenient way of exposing this, but the problem would exist even without Tor.
So, don't blame Tor, blame service providers that use unencrypted authentication, and blame people using these kinds of services.
It turns into a denial of service attack for that website on the tor network as a whole. Not terribly scary. Tor endpoints are just a few more open proxies, in the scheme of things.
Laws do not persuade just because they threaten. --Seneca
Start with the Wikipedia article; this is a very, very cursory explanation.
Sites can use the HTTPS spec to transport data with end-to-end encryption. In short, the server sends you a certificate (a public key, meaning you can use it to encrypt things that only they can decrypt), which you use to encrypt a session key to send back to them, and you've got an encrypted link which is secure between you and the server.
However, you don't know who the server is; any black hat could be sitting between you and your bank, performing what's called a "man in the middle" attack. You send them your credentials over a wonderfully secure encrypted link... that doesn't go where you think it does; the black hats forward this information to your bank, and everything seems to work fine except that next week, your accounts are all empty. To solve this, those public keys that the servers send are signed by what are called "root certificates", which are generally installed along with your operating system, which is a secure second channel.
What that lock in the corner of your browser means is that the certificate that the site provided is signed by a root certificate that you have. In practice, it means that the site owner went through some kind of process involving proving to the holder of a root certificate that yes, they really are Amazon.com. (I believe that there was a scandal some time ago where some guy managed to get a certificate signed by a trusted issuer saying that he was Microsoft, but I might be wrong, as I can't find the story.)
So for a site owner to provide that little lock, they have to set up their server to do HTTPS, generate a cert and have it signed by one of the root certificate issuers. It's nontrivial, but anyone running a business pretty much has to do it, as only a complete nimrod would send credit card information unprotected across the wild and wooly internet.
(For more edification, here's a thread where some guy doesn't know what the protocol provides. What he doesn't understand is that there's absolutely no way apart from signatures on certificates to make sure you're not the subject of a man-in-the-middle attack.)
Laws do not persuade just because they threaten. --Seneca
If he didn't speak like a petulant teenager (heh, maybe he *is* a petulant teenager). ... probably easier to prove that I killed JFK. I'm a security specialist doing this stuff every day, always under controlled terms and completely legal. However being a bit DEranged I sometimes walk in the gray zone, exactly what it takes get stuff done. I fight criminals but when we have to play by the rules and they don't it's a tuff battle.
"walk in the gray zone", "I fight criminals", "it's a tuff battle".
Sounds like a "serious business".
weenie.
Try this site for the issue: http://www.css-security.com/downloads/papers/real_life_man-in-the-middle-attack.pdf
It does help a little to sign your own certs and inspect them ALL the time on every use. That is, if you DON'T get the pop-up, then you got someone in the middle. Remember this when you are at work, SSL can be decoded in the middle and re-encoded.
... editing Wikipedia entries ;)
It's amusing the toadies who are promoting the Communist-subsidized PR campaign to try and spin China as non-communist.
China may have tipped a very slight tad more towards fascism. But it's still clearly quite a central authoritarian state. The term Communist fits extremely well.
I have a blog post regarding this issue here: http://rabbi.vox.com/library/post/the-embassy-password-scandal-new-dog-old-trick.html
Most of the above comments have pointed out that, at its heart, this isn't a Tor issue, but an unencrypted password one. Furthermore, it's not even a new Tor issue -- I wrote a tech report about this in which I expressed concern that naive users might have more to fear from Tor exit node operators than from other surveillance due to the lack of ubiquitous crypto over a year ago (linked from my blog post), and the Tor FAQ explicitly calls attention to this, and has for some time (link also in my blog post.)
In my opinion, the onus is on the administrators of mail and other systems to simply disallow unauthenticated logins. It is ironic that many of the sites publishing this story themselves default to clear-text authentication -- in this day and age, that's sloppy. For an embassy or government agency, that's inexcusable.
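An added example, not code from this thread or from the Tor project, illustrating the point this comment and the earlier ones make about clear-text POP3 logins: a small Python audit that walks a client/server transcript and flags any credential-bearing command sent before a successful STLS, plus the server-side refusal a mail administrator would enforce. The transcripts, usernames and passwords are constructed.

```python
# Added example (not from the thread): audit a POP3 transcript for credentials
# sent before STLS, and the server-side check that refuses such logins.
# Transcript lines are constructed; "C: " is the client, "S: " is the server.

CLEARTEXT_AUTH_MECHS = {"PLAIN", "LOGIN"}


def credential_command(words):
    """Return the label of a command that puts a password on the wire, else None."""
    cmd = words[0].upper() if words else ""
    if cmd in ("USER", "PASS"):
        return cmd
    if cmd == "AUTH" and len(words) > 1 and words[1].upper() in CLEARTEXT_AUTH_MECHS:
        return "AUTH " + words[1].upper()
    return None


def audit_pop3_session(lines):
    """Return (tls_active_at_end, findings) for a C:/S: prefixed transcript.

    Each finding is (line_no, command). Anything before a successful STLS
    handshake is what a Tor exit operator, or any on-path party, can read.
    """
    tls_active, awaiting_stls_reply, findings = False, False, []
    for line_no, raw in enumerate(lines, 1):
        side, _, msg = raw.partition(": ")
        words = msg.split()
        if side == "C":
            label = credential_command(words)
            if words and words[0].upper() == "STLS":
                awaiting_stls_reply = True
            elif not tls_active and label:
                findings.append((line_no, label))
        elif side == "S" and awaiting_stls_reply:
            # Only a +OK reply to STLS means the following bytes are encrypted.
            tls_active = msg.startswith("+OK")
            awaiting_stls_reply = False
    return tls_active, findings


def server_reply(command, tls_active):
    """Policy a mail server should enforce: no credential-bearing command before TLS."""
    if credential_command(command.split()) and not tls_active:
        return "-ERR Must issue STLS first"
    return "+OK"


# Constructed transcripts: the first is the pattern an exit node operator would see.
CLEARTEXT_SESSION = ["S: +OK POP3 ready", "C: USER diplomat", "S: +OK",
                     "C: PASS s3cret", "S: +OK Logged in"]
STLS_SESSION = ["S: +OK POP3 ready", "C: STLS", "S: +OK Begin TLS negotiation",
                "C: USER diplomat", "S: +OK", "C: PASS s3cret", "S: +OK Logged in"]
```

Note that a server replying -ERR to STLS leaves the session in the clear, so the audit keeps flagging credentials after a failed upgrade attempt.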