Tor Used To Collect Embassy Email Passwords

← Back to Stories (view on slashdot.org)

Tor Used To Collect Embassy Email Passwords

Posted by kdawson on Tuesday September 11, 2007 @05:57AM from the getting-their-attention dept.

Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.

3 of 99 comments (clear)

Min score:

Reason:

Sort:

Unencrypted traffic is always unencrypted by eknagy · 2007-09-11 06:04 · Score: 5, Funny

Well, the embassies should have used this new technology called "encryption". I heard that in the future, even browsers will support it...

eknagy
Lo dudo by Anonymous Coward · 2007-09-11 06:11 · Score: 5, Insightful

I doubt the users from these governments were using TOR to check their mail. More likely that hackers had already compromised the accounts and were using them to check the email accounts anonymously.

-AC
Re:Heh by kebes · 2007-09-11 06:59 · Score: 5, Informative

Indeed. This isn't a problem with TOR per se. If I'm reading the blog post correctly, the security issue he is really identifying is: "don't mix an anonymizer with identifiable actions."

Quite simply, TOR is a system to anonymize, so that the website you are going to can't tell who you are. (e.g. can't correlate between repeated visits, can't use your IP to track you down, etc.) As long as you a surfing in a non-identifiable way, even the exit node doesn't know anything about you, and can't determine which requests came from you, as opposed to someone else in the TOR network.

However, if you use TOR in an identifiable way, such as sending a plaintext email (which has plaintext "To" and "From" fields), then you're not using TOR properly. You are inherently exposing yourself, and the exit node can now learn quite a bit about you. If you are connecting to resources without encryption, then the exit node can sniff the data.

Normally, though, you wouldn't use TOR in combination with a secure site you are logging into, anyway. (What's the point in anonymizing your IP address if you log in with your easily-identifiable username, anyways? The site is obviously going to identify you!) So, really, you should not just turn TOR on and then forget about it, because you shouldn't be sending your email through TOR, nor logging into sites using TOR.

The lesson to learn from his blog post, which he doesn't state plainly enough, is that you should split your web-usage into categories:
1. When browsing in a non-identifiable way, use TOR if you want anonymity.
2. When accessing/logging-in to a trusted resource, don't use TOR. (This includes email, etc.)
3. If you need to access a specific resource while maintaining anonymity, use TOR but make sure you use strong end-to-end encryption for the entire session (and not merely encryption for the login phase).

This is, at least, my understanding. Corrections and clarifications are welcome.