I named this thread after a previous one I found searching for Tor +encryption with Google, but got a message indicating that the thread last posed in Jan 2007 was too old to accept a new post. Hmm, different boards, different rules - anyway:

I found the following article which seems to refute some of the impresssions in the older thread about Tor regarding encryption (unless I totally misunderstand what is being said allowing for that possibility):

Ars Technica Article Security expert used Tor to collect government e-mail passwords (http://arstechnica.com/news.ars/post/20070910-security-expert-used-tor-to-collect-government-e-mail-passwords.html).

Old thread Tor and https (http://www.wilderssecurity.com/showthread.php?t=159882).

The question I have is does simply using Tor encrypt your communication from your desktop before it arrives at your ISP before it reaches a Tor entry node, or must you use some form of active encryption to encapsulate your desktop requests before the ISP sees them to prevent them from being compromised at the ISP. For example, like the use of GhostSurf Pro.

Just asking for comment - especially from Paranoid since (unless I am wrong - please tell if that is so) his answers in the old thread seemed to indicate that simply using Tor encrypts communication from the desktop before it arrives at the ISP on its way to a Tor entry node. The new article seems, on the other hand, to indicate that Tor does not encrypt inherently (i.e. no inboard encryption from Tor).

Please advise me if I have misunderstood anything.

Tia,

-- Tom

P.S. How does Tor provide encryption? I am not especially interested in whether https is being used, but more so when it is not.

post wiped by me
I'll just keep watching, sorry.

Lesson From Tor Hack: Anonymity and Privacy Aren't the Same
Article here (http://www.wired.com/politics/security/commentary/securitymatters/2007/09/security_matters_0920) By Bruce Schneier

-- Tom

{QUOTE->

Please advise me if I have misunderstood anything.
<-QUOTE}

Tia,

I think you may indeed have misunderstood.

Here (http://tor.eff.org/overview.html.en) is a picture diagram of how Tor works.

All outbound Tor connections are encrypted. They are encrypted while traveling through the Tor network. Upon exiting and going to the internet, and back from the internet to the Tor network, they are unencrypted. This is because the internet doesn't normally speak encrypted messages, due to CPU resources and bandwidth consumption that encryption uses. This paper was about how anyone who operates a tor computer that handles traffic leaving the tor network and going into the internet, can spy on the unencrypted traffic. This isn't anything new, this has always been a risk. To achieve full encryption, you should view websites in HTTPS when possible, but not all websites are HTTPS capable.

Regards,
Steve

Ok, so, the Tor client on the user's computer encrypts outbound traffic such that the ISP cannot see the contents of the traffic unless it is sent in an unencrypted form not using the Tor client (and thus not goind through the Tor network) from the user's computer.

So, if Alice and Jane or Alice and Bob want to insure that any traffic leaving the Tor network to their destination are not seen by intermediaries (such as an ISP) in clear text, they had better encrypt what they intend to send via Tor before sending a message from their Tor clients. That way, the unencrypted links in the diagrams are protected - as long as each sender/receiver knows the key to unencrypt the original message after it has left the Tor network. Alice and Dave could also to the same to insure that no one knows they are seeking/provinding data about the Tor network.

-- Tom