Slashdot Mirror


Tor Used To Collect Embassy Email Passwords

Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.

4 of 99 comments

  1. Legitimizes Tor by Anonymous Coward · Score: 4, Insightful

    Of course Embassy officials have something to hide. In fact this raises a superb example of one of the legitimate, and useful, needs for Tor. There are a lot of people, mostly in law enforcement, who'd like to see all anonymity, and especially Tor, shut down. And I'm not just referring to Communist China.

    And let us not forget that Onion routing was first officially developed, and published, by the U.S. Navy back in the 90's.

    Now if only Slashdot would allow me to post via lynx through Tor. "Anonymous" my butt.

  2. I doubt it by Anonymous Coward · Score: 5, Insightful

    I doubt the users from these governments were using TOR to check their mail. More likely that hackers had already compromised the accounts and were using them to check the email accounts anonymously.

    -AC

  3. That's exactly what he did. by Valdrax · Score: 4, Insightful

    Unless he built his own Tor node, joined the network, then captured his proxied traffic - which is something ANY Tor admin could do, in which case it's STILL not particularly insightful, cool, or 31337.

    That's exactly what he did. The entire point of him doing so was (he claims) to demonstrate that people using TOR are not protected from anyone reading traffic that comes out the exit nodes if they don't bother to encrypt the traffic they send into TOR.

    --
    If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").

  4. What? No! Can't be! Impossible! by Opportunist · Score: 4, Insightful

    Someone who sits between sender and recipient who exchange unencrypted data can sniff it? Impossible! Stunning news!

    Which reminds me, /. should implement irony tags.

    Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal? I'm kinda glad someone finally points it out and that it affects some high profile target like an embassy so some people (read: politicians and other, similar entities) will actually realize that this is possible and being done, but the answers here scare me almost more.

    I mean, here, we're supposedly a hint more educated than Joe Schmoe Average Browser, right? News for Nerds is hardly Weekly World News, I'd say. And still, we got people posting tinfoil crap like "Developed by $three_letter_agency" or "of course it has to have holes, it's from the EFF". WTF? Folks? Get a grip. From the exit node to the server it's as unencrypted as it would be from you to the server if you didn't use TOR. That's neither a flaw, nor an implementation error, nor some CIA/NSA/WTF conspiracy. It's simply the way the net works, if you don't use some kind of SSL encryption between the communication partners!

    Sometimes I really wonder...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.