Tor and Webmail

[ykrapsp]

Hey there guys, just a quicky question.

Let's say im checking my mail via the web. Is there a possibility to eavesdrop while I'm using the Tor-bundle (with HTTPS-everywhere) on a HTTPS-website like hotmail.?

In my view, the owner of the exit node won't be able to sniff the traffic, since HTTPS-everywhere checks the certificate and enforces the webserver to use HTTPS, right?

And yes, I know its not wise to use webmail for Tor, but I'm just curious.

Thanks.

[EncryptedBytes]

As long as the website utilizes full SSL/TLS on the webpage you are viewing yes the exit node will not be able to see the contents of the packets. They will be able to see the destination address of where you are talking though your session will be secured.

[ykrapsp]

Okay, how do you make sure the web page is utilizing full SSL/TLS? Lets say I'm logging into my hotmail account via the web. Is there a way of checking this?

[EncryptedBytes]

Quote:

Originally Posted by ykrapsp

Okay, how do you make sure the web page is utilizing full SSL/TLS? Lets say I'm logging into my hotmail account via the web. Is there a way of checking this?

The absolute 100% method is to monitor your packet stream as the HTTPS connection is established. Though a more realistic approch, many current browsers today warn the user when a page has mixed encrypted and non-encrypted resources being presented. This happens on some sites for performance reasons. Sometimes static content that is not specific to the user or transaction is not private and usually delivered through a non-crypted front server or separate server instance with no SSL. This is a relatively small issue though through TOR the exit node can see this and in an extreme case piece together what your encrypted session may be about.

Hotmail should be fine, I still wouldn’t recommend using any webmail account you have very sensitive information however through TOR.

[x942]

Quote:

Originally Posted by EncryptedBytes

The absolute 100% method is to monitor your packet stream as the HTTPS connection is established. Though a more realistic approch, many current browsers today warn the user when a page has mixed encrypted and non-encrypted resources being presented. This happens on some sites for performance reasons. Sometimes static content that is not specific to the user or transaction is not private and usually delivered through a non-crypted front server or separate server instance with no SSL. This is a relatively small issue though through TOR the exit node can see this and in an extreme case piece together what your encrypted session may be about.

Hotmail should be fine, I still wouldn’t recommend using any webmail account you have very sensitive information however through TOR.

Adding to that Chrome Dev. build seems to block that non-crypted content on such a page by default. This will probably be pushed down stream to at some point.

[ykrapsp]

Ok thanks for clearing that up.

I'm currently testing out the liveCD Tails in Virtualbox for educative reasons. Added a NIC (NAT). Now I've got another question:

If I'm connected to the Tor-network inside the VM, will anyone inside the TOR-network be able to sniff my traffic on my host computer?

With host computer, I mean the computer that started the VM and is connected to my ISP (with their IP etc.)

[EncryptedBytes]

Quote:

Originally Posted by ykrapsp

Ok thanks for clearing that up.

I'm currently testing out the liveCD Tails in Virtualbox for educative reasons. Added a NIC (NAT). Now I've got another question:

If I'm connected to the Tor-network inside the VM, will anyone inside the TOR-network be able to sniff my traffic on my host computer?

With host computer, I mean the computer that started the VM and is connected to my ISP (with their IP etc.)

No, Does your computer have two separate NICs? If so then definitely no. The data you pipe through Tor is encrypted inside the network itself, no one can sniff it except for the exit node. Obviously traffic from your host will be going in the clear over your LAN.