Tor and HTTPS pages.

Discussion in 'privacy technology' started by lauren111, Jan 26, 2010.

Thread Status:
Not open for further replies.
  1. lauren111

    lauren111 Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    3
    I have a question about using Tor, Polipo, and HTTPS websites.

    When one uses Tor and Polipo the material is encrypted from my computer to the final Tor node. My ISP sees only that I am connecting to the first Tor node. The destination website sees only the IP of the final Tor node.

    If I connect to a HTTPS website then the data from the final Tor node to the HTTPS website is encrypted.

    However, my understanding is that Polipo cannot assess the material inside the SSL stream, and this is a security risk because the HTTPS website could, in theory, send web bugs which will not be checked by Polipo. I understand this.

    What I do not understand is the following comments from the Advice for Whistleblowers (UK) file located here: https://p10.secure.hostingprod.com/@spyblog.org.uk/ssl/ht4w/

    This says (in the section on open proxy servers):

    "Remember that using any SSL/TLS https:// encrypted proxy server session, or the mostly encrypted Tor proxy cloud, may protect the contents of your traffic from local snoopers, but if you have to login or otherwise authenticate to a web server or email system etc., then those details (including your real IP address) will still probably be logged by the target server, regardless of the link or session encryption, and so your whistleblower details may still be exposed, if that server is physically seized as evidence by the police or is sneakily compromised by intelligence agencies etc., either through technical hacking or bugging or by putting pressure on the systems administrators."

    Is there any validity to this comment that logging into an SSL websites means one's real IP is revealed? Why would this claim so?

    Thanks.
     
  2. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    This is talking about SSLstrip I think. Moxie broke SSL (https) last year so people were able to do all kinds of things like faking certificates and breaking into ssl streams. This is specifically applicable to tor exit nodes which could be doing this type of attack.
     
  3. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    As a Tor ignoramus, I read the key phrase to be "login or otherwise authenticate to a web server or email system etc.". That is, you lose anonymity if you're required to break anonymity (duh). What I don't understand is how that could reveal your true IP, if you're connected via Tor. And of course, you could make up anonymous login credentials, right?
     
  4. SteveTX

    SteveTX Registered Member

    Joined:
    Mar 27, 2007
    Posts:
    1,641
    Location:
    TX
    Running SSL means that the nodes inbetween you and the website cannot break into the conversation. With SSLstrip, they can get inbetween you in the server and pretend to be the server, not only revealing your identity through your login and injecting code to make your real IP leak, but also stealing your credentials.
     
  5. hierophant

    hierophant Registered Member

    Joined:
    Dec 18, 2009
    Posts:
    854
    OK, I get it. You're explaining one way for the SSL connection to the server to be "sneakily compromised by intelligence agencies etc.". I was focusing on the "if that server is physically seized as evidence" part. Thanks.
     
  6. ex_ployt_ed

    ex_ployt_ed Registered Member

    Joined:
    Jan 31, 2010
    Posts:
    26
    I have been searching for answers on this very question for some time now but have found only confusing and conflicting information- nothing clear and conclusive.

    I am hoping people will have some answers or at least helpful comments on any of the following.

    1.) How much of a threat, at this point, is the SSLstrip exploit to the average Tor user?

    2.) Articles I’ve read on the SSLstrip exploit said that the Tor users who were attacked had not noticed that the URLs they were at did not begin with https, thereby implying that doing so could have protected them.

    Yet, the same articles state (or at least strongly imply) just the opposite: that SSLstrip can, in fact, spoof URLs to appear as https as well as spoof SSL certificates to appear valid.

    3.) Would verifying the SHA1 hash in the SSL certificate be enough?
     
Loading...
Thread Status:
Not open for further replies.