Tor Used To Collect Embassy Email Passwords

← Back to Stories (view on slashdot.org)

Tor Used To Collect Embassy Email Passwords

Posted by kdawson on Tuesday September 11, 2007 @05:57AM from the getting-their-attention dept.

Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.

5 of 99 comments (clear)

Min score:

Reason:

Sort:

Raising the question... by InvisblePinkUnicorn · 2007-09-11 06:01 · Score: 2, Interesting

Why are embassy officials using Tor? Trying to hide something?
1. Re:Raising the question... by varmittang · 2007-09-11 06:58 · Score: 2, Interesting
  
  One person already brought up the idea that it could be hackers using tor, and that they are reading the emails of the embassy officials. tor just helps them cover their tracks.
  
  --
  -----BEGIN PGP SIGNATURE-----
  12345
  -----END PGP SIGNATURE-----
This reminds me... by betterunixthanunix · 2007-09-11 06:01 · Score: 4, Interesting

...of a guy in a class I took who had packet sniffed our network, then reported my university e-mail password to me. Why? Because the university refused to enable SSL-secured POP3. A quick email reveals that, in fact, they were never planning to, and that I am just SOL.

--
Palm trees and 8
Encryption is difficult for laypersons. by Sheetrock · 2007-09-11 06:05 · Score: 3, Interesting

Tor uses the concept of 'onion routing' to obscure the source and destination of content passed through it. What this means is that, like an onion, content is wrapped in multiple layers of destinations and buried in the ground (or routed) until, after a delay, shoots come up (the headers are interpreted and the onion is passed to another destination) and ultimately the onion is ready to be dug out of the ground (the content reaches its destination).

Unfortunately, it's possible to tell it's still an onion by the time it reaches your house. And that's what this article is referring to. If you wrapped an apple in an onion (used secure public key encryption) then you have an additional layer of security. That's a whole nother layer of complication, however.

--

Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
Is it still called a man-in-the middle attack by joeflies · 2007-09-11 06:07 · Score: 4, Interesting

if you voluntary place the said man in the middle?