Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tor Used To Collect Embassy Email Passwords

Posted by kdawson on from the getting-their-attention dept.

Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.

7 of 99 comments (clear)

  1. Legitimizes Tor by Anonymous Coward · · Score: 4, Insightful

    Of course Embassy officials have something to hide. In fact this raises a superb example of one of the legitimate, and useful, needs for Tor. There are a lot of people, mostly in law enforcement, who'd like to see all anonymity, and especially Tor, shut down. And I'm not just referring to Communist China.

    And let us not forget that Onion routing was first officially developed, and published, by the U.S. Navy back in the 90's.

    Now if only Slashdot would allow me to post via lynx through Tor. "Anonymous" my butt.

  2. Lo dudo by Anonymous Coward · · Score: 5, Insightful

    I doubt the users from these governments were using TOR to check their mail. More likely that hackers had already compromised the accounts and were using them to check the email accounts anonymously.

    -AC

  3. This proves securty. by rubypossum · · Score: 1, Insightful

    If governments and embassies are using it then it's likely the system is relatively secure. What's likely to have happened is the Tor code was audited by said government(s) and found to be legit. Then the clueless diplomats were told "Hey, we've setup an anonymous browsing system for you. Browse away." Then the said diplomats go out and start browsing, thinking they're completely secure (i.e. don't need encryption, it's anonymous right?) The rest is history.

    I wonder about the intelligence of sniffing Tor exit ports, then mentioning you've found some (unnamed) diplomats browsing with it. I mean, you may feel like James Bond but getting loaded into the back of a van in the middle of the night isn't any fun. Neither is having the skin peeled off your fingers one at a time.

    Just saying.

    --
    I have a theory that the truth is never told during the nine-to-five hours. - Hunter S. Thompson
  4. Re:Encryption is difficult for laypersons. by morgan_greywolf · · Score: 2, Insightful

    Encryption is difficult for laypersons? The guy sniffed Web passwords. It's sooo much harder for a layperson to type https instead of http....

    --
    My blog
  5. That's exactly what he did. by Valdrax · · Score: 4, Insightful

    Unless he built his own Tor node, joined the network, then captured his proxied traffic - which is something ANY Tor admin could do, in which case its STILL not particulary insightful, cool, or 31337.

    That's exactly what he did. The entire point of him doing so was (he claims) to demonstrate that people using TOR are not protected from anyone reading traffic that comes out the exit nodes if they don't bother to encrypt the traffic they send into TOR.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  6. What? No! Can't be! Impossible! by Opportunist · · Score: 4, Insightful

    Someone who sits between sender and recepient who exchange unencrypted data can sniff it? Impossible! Stunning news!

    Which reminds me, /. should implement irony tags.

    Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal? I'm kinda glad someone finally points it out and that it affects some high profile target like an embassy so some people (read: politicians and other, similar entities) will actually realize that this is possible and being done, but the answers here scare me almost more.

    I mean, here, we're supposedly a hint more educated than Joe Schmoe Average Browser, right? News for Nerds is hardly Weekly World News, I'd say. And still, we got people posting tinfoil crap like "Developed by $three_letter_agency" or "of course it has to have holes, it's from the EFF". WTF? Folks? Get a grip. From the exit node to the server it's as unencrypted as it would be from you to the server if you didn't use TOR. That's neither a flaw, nor an implementation error, nor some CIA/NSA/WTF conspiracy. It's simply the way the net works, if you don't use some kind of SSL encryption between the communication partners!

    Sometimes I really wonder...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Re:SSL Is Insecure unless... by turbidostato · · Score: 2, Insightful

    "Try this site for the issue"

    Can you please explain what this has to be (a faked root authority) with my question? Remember: I *already* have the site's public key; I don't need to be confident in *any* other third party.

    Even in the case from you article, remember that if your "MiM attack" strategy includes owning my box or the server, that's not a MiM attack anymore.

    "It does help a little to sign your own certs and inspect them ALL the time on every use."

    Wouldn't you find a little suspicious that while visiting a site which public key is already known by your client app it asks you to accept a new one?

    The attack presented in the article only works because your app doesn't know the public certificate from the server upfront (and I explicitly said that not being the case) and because you were fooled to accept services from an ill-behaving individual/company. If you think such foolery (or bad luck) is just a "new technologies" hazard, ask yourself about it next time you *physically* allow some unknown guy into your home "just" bacause he happens to wear your cable-tv company uniform.