Tor and HTTPS pages.

I have a question about using Tor, Polipo, and HTTPS websites.

When one uses Tor and Polipo the material is encrypted from my computer to the final Tor node. My ISP sees only that I am connecting to the first Tor node. The destination website sees only the IP of the final Tor node.

If I connect to a HTTPS website then the data from the final Tor node to the HTTPS website is encrypted.

However, my understanding is that Polipo cannot assess the material inside the SSL stream, and this is a security risk because the HTTPS website could, in theory, send web bugs which will not be checked by Polipo. I understand this.

What I do not understand is the following comments from the Advice for Whistleblowers (UK) file located here: https://p10.secure.hostingprod.com/@spyblog.org.uk/ssl/ht4w/

This says (in the section on open proxy servers):

"Remember that using any SSL/TLS https:// encrypted proxy server session, or the mostly encrypted Tor proxy cloud, may protect the contents of your traffic from local snoopers, but if you have to login or otherwise authenticate to a web server or email system etc., then those details (including your real IP address) will still probably be logged by the target server, regardless of the link or session encryption, and so your whistleblower details may still be exposed, if that server is physically seized as evidence by the police or is sneakily compromised by intelligence agencies etc., either through technical hacking or bugging or by putting pressure on the systems administrators."

Is there any validity to this comment that logging into an SSL websites means one's real IP is revealed? Why would this claim so?

Thanks.

 

This is talking about SSLstrip I think. Moxie broke SSL (https) last year so people were able to do all kinds of things like faking certificates and breaking into ssl streams. This is specifically applicable to tor exit nodes which could be doing this type of attack.

 

As a Tor ignoramus, I read the key phrase to be "login or otherwise authenticate to a web server or email system etc.". That is, you lose anonymity if you're required to break anonymity (duh). What I don't understand is how that could reveal your true IP, if you're connected via Tor. And of course, you could make up anonymous login credentials, right?

 

Running SSL means that the nodes inbetween you and the website cannot break into the conversation. With SSLstrip, they can get inbetween you in the server and pretend to be the server, not only revealing your identity through your login and injecting code to make your real IP leak, but also stealing your credentials.

 

OK, I get it. You're explaining one way for the SSL connection to the server to be "sneakily compromised by intelligence agencies etc.". I was focusing on the "if that server is physically seized as evidence" part. Thanks.

 

I have been searching for answers on this very question for some time now but have found only confusing and conflicting information- nothing clear and conclusive.

I am hoping people will have some answers or at least helpful comments on any of the following.

1.) How much of a threat, at this point, is the SSLstrip exploit to the average Tor user?

2.) Articles I’ve read on the SSLstrip exploit said that the Tor users who were attacked had not noticed that the URLs they were at did not begin with https, thereby implying that doing so could have protected them.

Yet, the same articles state (or at least strongly imply) just the opposite: that SSLstrip can, in fact, spoof URLs to appear as https as well as spoof SSL certificates to appear valid.

3.) Would verifying the SHA1 hash in the SSL certificate be enough?