
Tor Used To Collect Embassy Email Passwords

kdawson posted more than 6 years ago | from the getting-their-attention dept.

Security 99

Several readers wrote in to inform us that Swedish security researcher Dan Egerstad has revealed how he collected 100 passwords from embassies and governments worldwide, without hacking into anything: he sniffed Tor exit routers. Both Ars and heise have writeups on Egerstad's blog post, but neither adds much to the original. It's not news that unencrypted traffic exits the Tor network unencrypted, but Egerstad correctly perceived, and called attention to, the lack of appreciation for this fact in organizations worldwide.


99 comments

First? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#20557883)

First?

Raising the question... (2, Interesting)

InvisblePinkUnicorn (1126837) | more than 6 years ago | (#20557915)

Why are embassy officials using Tor? Trying to hide something?

Re:Raising the question... (3, Informative)

Anonymous Coward | more than 6 years ago | (#20557979)

Working at an ISP I know for a fact that the RCMP used to monitor the traffic of several embassies with a server installed at the ISP end.

Re:Raising the question... (1)

Achromatic1978 (916097) | more than 6 years ago | (#20562749)

Wow. You're claiming, AC of course, that the Canadian Mounted Police have active espionage of foreign governments. That's an interesting claim. Do go on.

Re:Raising the question... (1)

Plutonite (999141) | more than 6 years ago | (#20567913)

You think this is far fetched? I have a friend who is an ambassador in the US, and he told me he never talks about anything controversial in the embassy. When they need to discuss something, they go to a restaurant. ALL embassies are spied upon by US intelligence of course. This is supposed to be common knowledge.

Re:Raising the question... (1)

aristotle-dude (626586) | more than 6 years ago | (#20568007)

I think he is confusing the RCMP with CSIS although there is a connection between CSIS and the RCMP and CSIS grew out of the RCMP.

Re:Raising the question... (0)

Anonymous Coward | more than 6 years ago | (#20574807)

It may have been CSIS, or could have been both. I only know my boss said they were from the RCMP when they came in for server maintenance. Basically all traffic that was intended for the embassies was also sent to their machine, which did whatever. I was here once when they came in but had to leave, only two people were authorized to be in the area when they came in to do work on the machine.

Re:Raising the question... (1, Informative)

Anonymous Coward | more than 6 years ago | (#20566719)

Working at an ISP I know for a fact that the RCMP used to monitor the traffic of several embassies with a server installed at the ISP end.

I doubt it. Decades ago it would have been the RCMP, but today that falls under the domain of the Communications Security Establishment, not the RCMP.

The CSE is Canada's version of the NSA. Betcha didn't know that! We're like a grown-up country after all!

Legitimizes Tor (4, Insightful)

Anonymous Coward | more than 6 years ago | (#20558095)

Of course Embassy officials have something to hide. In fact this raises a superb example of one of the legitimate, and useful, needs for Tor. There are a lot of people, mostly in law enforcement, who'd like to see all anonymity, and especially Tor, shut down. And I'm not just referring to Communist China.

And let us not forget that Onion routing was first officially developed, and published, by the U.S. Navy back in the 90's.

Now if only Slashdot would allow me to post via lynx through Tor. "Anonymous" my butt.

Re:Legitimizes Tor (0)

Goaway (82658) | more than 6 years ago | (#20560537)

Slashdot knows that far more than a tool to promote freedom, Tor is a tool to get around IP blocks when attacking websites.

So block the exit nodes. (1)

Grendel Drago (41496) | more than 6 years ago | (#20563585)

It turns into a denial of service attack for that website on the tor network as a whole. Not terribly scary. Tor endpoints are just a few more open proxies, in the scheme of things.

Re:So block the exit nodes. (1)

Goaway (82658) | more than 6 years ago | (#20564127)

Well, that's what you end up doing, but that takes a lot of effort and time, and you have to let the attacker keep attacking to find out what the exit nodes are.

Re:So block the exit nodes. (1)

TheGreek (2403) | more than 6 years ago | (#20570447)

[...] and you have to let the attacker keep attacking to find out what the exit nodes are.
Or you can just use a DNSBL [sectoor.de].

Re:So block the exit nodes. (1)

Goaway (82658) | more than 6 years ago | (#20571571)

A nice thought, but:

We list every IP which is known to run a tor server and allow their clients to connect to one of the following ports:
25, 194, 465, 587, 994, 6657, 6660-6670, 6697, 7000-7005, 7070, 8000-8004, 9000, 9001, 9998, 9999
So it seems to be somewhat less effective for web sites, as 80 is not on the list. Of course, maybe it includes most Tor exit nodes anyway, I don't know how many would allow 80 but none of the above.

Re:Legitimizes Tor (0)

Anonymous Coward | more than 6 years ago | (#20562065)

What's with people calling China communist? Do you say "Democratic North Korea" too?

If it looks like a duck, acts like a duck, and calls itself a giraffe, is it a giraffe?

Quit being a shill (0)

Anonymous Coward | more than 6 years ago | (#20567117)

It's amusing the toadies who are promoting the Communist-subsidized PR campaign to try and spin China as non-communist.

China may have tipped a very slight tad more towards fascism. But it's still clearly quite a central authoritarian state. The term Communist fits extremely well.

Re:Legitimizes Tor (1)

Sancho (17056) | more than 6 years ago | (#20565481)

Of course Embassy officials have something to hide. In fact this raises a superb example of one of the legitimate, and useful, needs for Tor.
Yeah, because a VPN to the homeland wouldn't work better.

Re:Raising the question... (2, Interesting)

varmittang (849469) | more than 6 years ago | (#20559239)

One person already brought up the idea that it could be hackers using tor, and that they are reading the emails of the embassy officials. tor just helps them cover their tracks.

Re:Raising the question... (0, Redundant)

godzilla808 (586045) | more than 6 years ago | (#20563889)

>tor just helps them cover their tracks.

More than that: tor gives them access in the first place. It's a lot easier to set up a node and sniff it than to hack in to a network device that would otherwise have access to all of that traffic.

Being in hostile territory, I can see tor being an effective way for getting information out of the country, but the problem is--like the blogger stated--that the traffic should be encrypted *before* it's even put on the tor network so that it will be protected as it leaves the exit node.

Re:Raising the question... (1, Funny)

Anonymous Coward | more than 6 years ago | (#20559905)

No, I'm sure nobody would have any reason for hiding their true identity on the internet if they weren't doing something nefarious, mister ... InvisiblePinkUnicorn.

Re:Raising the question... (1)

dashslotter (1093743) | more than 6 years ago | (#20560475)

Like you wouldn't if you were on an island of "sovereign territory" in the middle of a foreign country. Obviously, the prudent thing to do is to let all of your communication with your home country be wide open. How about this bridge I got for you?

Re:Raising the question... (1)

zippthorne (748122) | more than 6 years ago | (#20563739)

Um.. just use good ol' AES-256 or whatever? I mean, it's not like the host country is going to be suspicious of communications directed at your home country, so there's not really any reason to disguise the destination.

I can't think of any good reason to use TOR from an embassy unless you are keeping secrets from your own country. In which case, maybe you ought to consider not committing treason.

Re:Raising the question... (1)

osu-neko (2604) | more than 6 years ago | (#20565087)

Ah, you're from that fantasy world where government employees never abuse government power. Alas, most of us live in the world where government employees invariably abuse any power given to them, sooner or later...

Re:Raising the question... (1)

cowbutt (21077) | more than 6 years ago | (#20569703)

I can't think of any good reason to use TOR from an embassy unless you are keeping secrets from your own country. In which case, maybe you ought to consider not committing treason.
How about OSINT [wikipedia.org] without letting your target know what you're taking an interest in? Still, dumb to leave it enabled all the time (or even have it configured on your 'normal' machine), unless it's an active disinformation programme!

Re:Raising the question... (1)

Jugalator (259273) | more than 6 years ago | (#20562679)

Many possible answers... But I think the most likely is that they may not be using Tor, but others already having hacked their account and those may have very good reasons trying to hide their actual locations. I think that's the most likely answer, because if the embassies are as careful as to routinely use Tor, they'd also know what encrypted e-mail is.

But sure, there's the small chance they do want to hide sensitive correspondence. And actually, I hope they are trying to, for a number of reasons, so it's a bit sad to see this traffic was unencrypted. This is often not about secret government conspiracies, but for example dealing with personal details of people in endangered situations, or helping/arranging other things you may not want the whole world to know all the details about. Setting up meetings, or for something wildly different, for example the Swedish embassy was in heavy activity during the 2004 Indian Ocean earthquakes, and helped coordinate the rescue operations and cataloguing injured and deceased parents and children. They also try keeping up to date with situations in unstable countries, and helping people reach their home countries, getting their locations, etc.

And I wouldn't like things like these to suddenly pop up at a semi-defaced looking website put up by some Turkish hacker with an agenda. :-( Unfortunately, this is evidence that their security could be tightened and I'm glad this hasn't happened in a time of crisis somewhere.

Re:Raising the question... (1)

JonathanR (852748) | more than 6 years ago | (#20566365)

Since your questions are apparently rhetorical, and structured to imply motives of people who use TOR (trying to hide something), your post is actually dangerously close to begging the question. [wikipedia.org]

This reminds me... (4, Interesting)

betterunixthanunix (980855) | more than 6 years ago | (#20557923)

...of a guy in a class I took who had packet sniffed our network, then reported my university e-mail password to me. Why? Because the university refused to enable SSL-secured POP3. A quick email reveals that, in fact, they were never planning to, and that I am just SOL.

Re:This reminds me... (1)

Rakishi (759894) | more than 6 years ago | (#20558371)

Meh. My internet connection is inherently insecure although it's free so I don't mind too much. I use ssh to a linux server I own as a proxy for anything that I don't want read by others.

Re:This reminds me... (2, Funny)

betterunixthanunix (980855) | more than 6 years ago | (#20558437)

I used the same trick in high school to get around a really annoying filter. This filter would sometimes block slashdot because there were too many curses, "sexual references," or just because the random block feature was active. A quick SSH to a box outside of the school, run w3m (our connection was pretty bad, so I needed to save some bandwidth), and I have the unfiltered web.

Re:This reminds me... (2, Informative)

Abcd1234 (188840) | more than 6 years ago | (#20559311)

Or just run openssh with the -D option, which sets up a dynamic proxy that conforms to the SOCKS protocol, and then just point your browser at it.

Assuming, of course, you had access to openssh.

Re:This reminds me... (0)

Anonymous Coward | more than 6 years ago | (#20563413)

...and this has what to do with people dumb enough to log onto "secure" sites via http, and with someone finding a way to route that traffic past him to read it?

(mod parent "irrelevant" +/-1 as you wish)

The obvious question (0)

Anonymous Coward | more than 6 years ago | (#20558419)

So.... Which University?

Re:This reminds me... (2, Funny)

pclminion (145572) | more than 6 years ago | (#20558745)

Heh. When I was in school, people would come to me if they'd forgotten their email password, because they knew I had all of them :-)

Re:This reminds me... (3, Informative)

SCHecklerX (229973) | more than 6 years ago | (#20559109)

if you have an account on the box hosting the pop server, and can use ssh, then just forward pop over ssh. Otherwise, that sucks, you're screwed.

Re:This reminds me... (1)

symes (835608) | more than 6 years ago | (#20560313)

I overcome my lack of anonymity over email by writing such inane boring tedious drivel to no one in particular so that no one in their right mind could possibly want to read... zzzzz /marvin

Re:This reminds me... (1)

Hatta (162192) | more than 6 years ago | (#20560323)

Not much point in that. What he should have done was sniff the admin's email password. Then send him an email with the sniffer log, from his own email address. That'll get the message through.

Re:This reminds me... (1)

canuck57 (662392) | more than 6 years ago | (#20561889)

Don't put too much faith in SSL. Yep, even with SSL, someone can play a man in the middle attack on you.

Use PGP if it is email. But the envelope still must disclose the destination mailbox. But it could be a simple gmail account as the destination as not to give out the recipient.

IPSec is a better choice for remote services. The only thing you give up there is 2 end points and a byte count.

If it is anonymous you want, lots of subtle ways to hide messages in the Internet. More than I could count.

How? (1)

Grendel Drago (41496) | more than 6 years ago | (#20563625)

Yep, even with SSL, someone can play a man in the middle attack on you.
Assuming your host-based authentication is legit... how can that be done? I thought the whole point of SSL was to prevent man-in-the-middle attacks.

Re:How? (1)

Architect_sasyr (938685) | more than 6 years ago | (#20564099)

I'm sure we're all familiar with Dugg's dsniff package which contains the tools to do an SSL MITM attack... getting it to work for a client would, in my untested opinion, require remote penetration of the client computer and uploading of a root certificate which the attacker owns. Alternatively, buying a certificate from Verisign or some other online-certificate signer with the appropriate host name should be more than enough to get a certificate that is useful to the attacker.

Perhaps there are other aspects of HBA that I am ignoring (probably is considering how early it is in the land of Oz) but that should be enough... perhaps some ARP spoofing if you can get to a LAN or router hijacking if you can not.

Anyone else have a suggestion/opinion?

And why exactly was an embassy *allowing* tor out... seems like sloppy security on their behalf.

My $0.02 AU

Re:This reminds me... (2, Informative)

turbidostato (878842) | more than 6 years ago | (#20563975)

"Don't put too much faith in SSL. Yep, even with SSL, someone can play a man in the middle attack on you."

Just tell me how do you expect to launch a MiM attack against a site I got the public key already on hand. Yeah, well, not a valid case for a USA high school where -it's commonplace, students usually reside up to ten thousand miles away from the premises.

"IPSec is a better choice for remote services."

Yessir, especially when you only can make one side agree. Surely forcing an IPSec tunnel to any single student that wants just to download her e-mail from the school server is the proper, mensurated, well engineered solution for the problem. Just using POP3S? Naaah!

SSL Is Insecure unless... (1)

canuck57 (662392) | more than 6 years ago | (#20564183)

Try this site for the issue: http://www.css-security.com/downloads/papers/real_life_man-in-the-middle-attack.pdf [css-security.com]

It does help a little to sign your own certs and inspect them ALL the time on every use. That is, if you DON'T get the pop-up, then you got someone in the middle. Remember this when you are at work, SSL can be decoded in the middle and re-encoded.

Re:SSL Is Insecure unless... (2, Insightful)

turbidostato (878842) | more than 6 years ago | (#20564549)

"Try this site for the issue"

Can you please explain what this has to do (a faked root authority) with my question? Remember: I *already* have the site's public key; I don't need to be confident in *any* other third party.

Even in the case from your article, remember that if your "MiM attack" strategy includes owning my box or the server, that's not a MiM attack anymore.

"It does help a little to sign your own certs and inspect them ALL the time on every use."

Wouldn't you find it a little suspicious that while visiting a site whose public key is already known by your client app it asks you to accept a new one?

The attack presented in the article only works because your app doesn't know the public certificate from the server upfront (and I explicitly said that not being the case) and because you were fooled to accept services from an ill-behaving individual/company. If you think such foolery (or bad luck) is just a "new technologies" hazard, ask yourself about it next time you *physically* allow some unknown guy into your home "just" because he happens to wear your cable-tv company uniform.

Heh (2, Funny)

dada21 (163177) | more than 6 years ago | (#20557961)

Of course something originally designed by the US Naval Research Laboratory and then spun off to an "independent pro-privacy group" such as the EFF would have loopholes, insecurities, and unwieldy aspects of it.

One thing that doesn't make sense to me: why does Tor operate MOSTLY over primary networks with non-tor functions? Doesn't it make sense that people who rely on Tor-offered anonymity would only operate the network bound to a specific NIC, a specific router and a specific network connection, separate from their main non-anonymous one? If anonymity is that important, why even bother trying to maintain an anonymous network connection concurrent with your non-anonymous one, with both utilizing the same single-point of exit/entry?

Doesn't make sense.

Re:Heh (3, Informative)

charlesnw (843045) | more than 6 years ago | (#20558393)

Um. Have you ever used Tor? Did you read the article or even the summary? There is NO MENTION of any vulnerabilities in Tor. You are implying that Tor is back doored or somehow otherwise vulnerable. This is not the case or what happened here. The information gathering occurred via sniffing of an exit router.

Re:Heh (5, Informative)

kebes (861706) | more than 6 years ago | (#20559257)

Indeed. This isn't a problem with TOR per se. If I'm reading the blog post correctly, the security issue he is really identifying is: "don't mix an anonymizer with identifiable actions."

Quite simply, TOR is a system to anonymize, so that the website you are going to can't tell who you are. (e.g. can't correlate between repeated visits, can't use your IP to track you down, etc.) As long as you are surfing in a non-identifiable way, even the exit node doesn't know anything about you, and can't determine which requests came from you, as opposed to someone else in the TOR network.

However, if you use TOR in an identifiable way, such as sending a plaintext email (which has plaintext "To" and "From" fields), then you're not using TOR properly. You are inherently exposing yourself, and the exit node can now learn quite a bit about you. If you are connecting to resources without encryption, then the exit node can sniff the data.

Normally, though, you wouldn't use TOR in combination with a secure site you are logging into, anyway. (What's the point in anonymizing your IP address if you log in with your easily-identifiable username, anyways? The site is obviously going to identify you!) So, really, you should not just turn TOR on and then forget about it, because you shouldn't be sending your email through TOR, nor logging into sites using TOR.

The lesson to learn from his blog post, which he doesn't state plainly enough, is that you should split your web-usage into categories:
1. When browsing in a non-identifiable way, use TOR if you want anonymity.
2. When accessing/logging-in to a trusted resource, don't use TOR. (This includes email, etc.)
3. If you need to access a specific resource while maintaining anonymity, use TOR but make sure you use strong end-to-end encryption for the entire session (and not merely encryption for the login phase).

This is, at least, my understanding. Corrections and clarifications are welcome.

Re:Heh (4, Informative)

HTH NE1 (675604) | more than 6 years ago | (#20559929)

You can use it in a personally identifying way if what you want to conceal is not your identity but rather your location, or you have a need to communicate securely at your local end so that others at your end won't know where you're going.

There's a balance to be struck with anonymity and security and where you strike it depends on what aspects need to be anonymous and what other aspects need to be secure.

Re:Heh (0)

Anonymous Coward | more than 6 years ago | (#20560761)

While it's a system to surf anonymously there is one pet peeve I have in even using it. When surfing I would prefer to filter out IP ranges. In terms of security, would you want someone from a hostile country to gather information about you. I understand that some of these systems are designed without any auditing capabilities but at the same time how will the end user know that's the case. If Privoxy or even tor could provide a way to filter IP ranges instead of just filtering hostile code then it would be much more secure.

Yes, if you do use tor to login to anything you would almost be a fool just for the reason listed above. Ultimately, you don't really know what server you are using and configuring a tor server is pretty simple especially when they advertise it on their site. Basically, it means anyone with malicious intent can setup a Trojan horse. The IP filter would fix one thing but setting up something like p2p based deployment for tor would speed up download times and limit the amount of information accessed through each connection.

I can't say that I agree with some of the reasons why people use this technology but in terms of Military use, not to mention corporate or Private Intellectual Property endeavors, certain types of information should be protected. It doesn't mean people are doing something malicious, it just means that people are trying to protect their self interest so they can provide welfare for themselves and their families. I don't necessarily like this technology for reasons where there could be extremists who would use it to cover their tracks. Even then they have ways of doing this in our open networks as it is. All they would have to do is go to a cyber cafe or a variety of other options. In the end anonymity over the net wouldn't really change anything. All it would do is make it easier for malicious users to trust using their own local machine instead of trying to leach off of someone else's bandwidth. All in all, it seems like a false sense of security to me.
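On the wish in the comment above for a way to filter exit nodes by address: a Tor client's torrc already has an option for that. The fragment below is an added example written for this page, not from the page or from the Tor project's own documentation; the address ranges are constructed placeholders (RFC 5737 documentation ranges), and the country-code form only works when Tor's GeoIP data is installed.

```text
# Added torrc example: refuse to use exit relays in these address ranges or
# countries. Addresses are constructed placeholders, not real relay addresses.
ExcludeExitNodes 198.51.100.0/24, 203.0.113.7, {cn}, {ru}

# ExcludeNodes applies to every position on the circuit, not only the exit.
ExcludeNodes 192.0.2.0/24
```

A country code says where the relay's address is registered, not who runs it, so this only trims exposure to one jurisdiction; the exits that remain are no more trustworthy than before, and the fix the summary points at, encrypting end to end before the traffic enters Tor, still applies.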

I'd find it easier to take seriously ... (0)

Anonymous Coward | more than 6 years ago | (#20563981)

If he didn't speak like a petulant teenager (heh, maybe he *is* a petulant teenager). ... probably easier to prove that I killed JFK. I'm a security specialist doing this stuff every day, always under controlled terms and completely legal. However being a bit DEranged I sometimes walk in the gray zone, exactly what it takes get stuff done. I fight criminals but when we have to play by the rules and they don't it's a tuff battle.

"walk in the gray zone", "I fight criminals", "it's a tuff battle".

Sounds like a "serious business".

weenie.

Re:I'd find it easier to take seriously ... (1)

QuickFox (311231) | more than 6 years ago | (#20567793)

Tuff is the Swedish word for tough, so that's a natural mistake for a Swede.

But I agree that he sounds very much like some petulant teenager. His tone doesn't exactly inspire confidence.

Re:Heh (1)

Veinor (871770) | more than 6 years ago | (#20559459)

So basically, you're saying that Tor is insecure because it can't make clients expecting plaintext understand encrypted messages? I don't think you know how Tor works.

Re:Heh (1)

discord5 (798235) | more than 6 years ago | (#20561097)

I'd mod you overrated, but knowing slashdot you'd be modded back up in a couple of minutes.

First of all, you didn't bother reading the article (yeah, I know, slashdot and all that). The sniffing happened at the exit nodes, which are the last nodes in the chain, which must communicate with whatever the client is trying to communicate. If the server you're trying to reach doesn't speak something encrypted, tor doesn't magically make this encrypted.

Second, unless you're a complete dimwit, you know that traffic on the exit node is not secure. If you bother reading the website on how tor works, they explain to you that the exit node sends out traffic as is. So, if you set up an exit node, you can see whatever is unencrypted. This means, if you're running an exit node, you might be lucky enough to grab someone's login name and password from an unencrypted connection. Apparently you don't need too much luck though, since 5 exit nodes seems to be enough to collect a lot of passwords.

Finally, I don't really understand why embassies would want to use tor instead of their own proxy network which they can control themselves. Tor is more than obviously a bad choice for this kind of thing. Don't even get me started on non-encrypted transmission of sensitive data.

Unencrypted traffic is always unencrypted (5, Funny)

eknagy (1056622) | more than 6 years ago | (#20557981)

Well, the embassies should have used this new technology called "encryption". I heard that in the future, even browsers will support it...

eknagy

Encryption is difficult for laypersons. (3, Interesting)

Sheetrock (152993) | more than 6 years ago | (#20558025)

Tor uses the concept of 'onion routing' to obscure the source and destination of content passed through it. What this means is that, like an onion, content is wrapped in multiple layers of destinations and buried in the ground (or routed) until, after a delay, shoots come up (the headers are interpreted and the onion is passed to another destination) and ultimately the onion is ready to be dug out of the ground (the content reaches its destination).

Unfortunately, it's possible to tell it's still an onion by the time it reaches your house. And that's what this article is referring to. If you wrapped an apple in an onion (used secure public key encryption) then you have an additional layer of security. That's a whole nother layer of complication, however.
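As an added illustration of the layering described in the comment above, and of kebes's point further up that only end-to-end encryption protects the session past the exit, here is a stdlib-only Python model. It is example code written for this page, not Tor's code: the cipher is a toy SHA-256 keystream XOR standing in for Tor's AES-CTR layers, the per-hop keys and the POP3 login are constructed, and `sniff_pop3_login` is a hypothetical version of what an exit-relay sniffer looks for.

```python
"""Toy model of Tor circuit layering, showing why an exit relay sees plaintext
unless the client also encrypted to the destination. Added example, not Tor code."""
import hashlib
import os
import re

# --- toy stream cipher: NOT Tor's AES-CTR layers, just a stdlib stand-in ---

def _keystream(key: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key via SHA-256 in counter mode."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]

def layer(key: bytes, data: bytes) -> bytes:
    """Apply one encryption layer; XOR with a keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

# --- circuit model: the client holds one key per relay (guard, middle, exit) ---

def client_wrap(hop_keys, payload: bytes) -> bytes:
    """Wrap the payload innermost-first: the exit's layer goes on first and the
    guard's last, so each relay on the path can peel exactly one layer."""
    cell = payload
    for key in reversed(hop_keys):
        cell = layer(key, cell)
    return cell

def relay_forward(hop_keys, cell: bytes) -> bytes:
    """Each relay peels its own layer and forwards. The return value is what the
    exit relay holds after removing its layer, i.e. what it puts on the wire."""
    for key in hop_keys:
        cell = layer(key, cell)
    return cell

def exit_view(hop_keys, payload: bytes, end_to_end_key=None) -> bytes:
    """Bytes as seen by the exit relay. If the client also encrypts to the
    destination (stand-in for TLS/POP3S/a VPN), the exit sees only that ciphertext."""
    if end_to_end_key is not None:
        payload = layer(end_to_end_key, payload)
    return relay_forward(hop_keys, client_wrap(hop_keys, payload))

# --- what a sniffer on the exit's outbound side would look for (hypothetical) ---

POP3_LOGIN = re.compile(rb"USER (\S+)\r\nPASS (\S+)\r\n")

def sniff_pop3_login(wire_bytes: bytes):
    """Return (user, password) if a plaintext POP3 login is visible, else None."""
    m = POP3_LOGIN.search(wire_bytes)
    return (m.group(1).decode(), m.group(2).decode()) if m else None

# Constructed sample: a POP3 login as a mail client would send it; not real data.
SAMPLE_LOGIN = b"USER ambassador\r\nPASS hunter2\r\nSTAT\r\n"

def demo():
    """Same login sent twice: once bare over the circuit, once with an extra
    end-to-end layer. Returns what the sniffer recovers in each case."""
    hop_keys = [os.urandom(32) for _ in range(3)]   # guard, middle, exit keys
    e2e_key = os.urandom(32)                         # shared only with the mail server
    seen_plain = sniff_pop3_login(exit_view(hop_keys, SAMPLE_LOGIN))
    seen_e2e = sniff_pop3_login(exit_view(hop_keys, SAMPLE_LOGIN, e2e_key))
    return seen_plain, seen_e2e

if __name__ == "__main__":
    print(demo())  # (('ambassador', 'hunter2'), None)
```

Because the exit is the last hop, its own layer is the last one removed and what remains is exactly what the client put in; the three onion layers only ever hid the bytes from the guard, the middle relay and anyone watching those links. Only a layer keyed to the destination leaves the exit holding ciphertext, and Tor adds nothing on that side by itself.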

apples and onions (3, Funny)

Anonymous Coward | more than 6 years ago | (#20558097)

I'd hate to be around when you bake a pie.

Re:Encryption is difficult for laypersons. (4, Funny)

Ford Prefect (8777) | more than 6 years ago | (#20558295)

Unfortunately, it's possible to tell it's still an onion by the time it reaches your house. And that's what this article is referring to. If you wrapped an apple in an onion (used secure public key encryption) then you have an additional layer of security.

You know, not everybody likes onions. Cake! Everybody loves cakes! Cakes have layers!

...

You know what else everybody likes? Parfaits. Have you ever met a person, you say, "Let's get some parfait," they say, "Hell no, I don't like no parfait"? Parfaits are delicious.

Re:Encryption is difficult for laypersons. (0)

Anonymous Coward | more than 6 years ago | (#20564081)

Bravo, good sir!

Re:Encryption is difficult for laypersons. (2, Insightful)

morgan_greywolf (835522) | more than 6 years ago | (#20558633)

Encryption is difficult for laypersons? The guy sniffed Web passwords. It's sooo much harder for a layperson to type https instead of http....

Re:Encryption is difficult for laypersons. (2)

hax0r_this (1073148) | more than 6 years ago | (#20559265)

Does that work on any web page, or does it have to be specifically enabled? How can I know if the connection is secure? And when I click a link will that also use 'https'?

Re:Encryption is difficult for laypersons. (1)

CoreDump01 (558675) | more than 6 years ago | (#20561749)

Does that work on any web page, or does it have to be specifically enabled? How can I know if the connection is secure? And when I click a link will that also use 'https'?

For someone calling himself hax0r_this, you are awfully uninformed.

Of course the webserver (apache or whatever) must have SSL installed, enabled and configured for any (virtual) domains you are trying to reach via SSL. I haven't used too many different Linux distros but I believe it would be safe to say that SSL is not enabled by default these days as it adds quite a bit of CPU overhead on busy sites (or so I heard).

Your Browser of Choice will display a little "Lock" symbol in its status bar and / or recolor the address bar when you are connected via SSL, it is easy to spot once you know what to look out for.

If the links are coded properly, then yes, all local links in a webpage will use SSL / https instead of http.

Re:Encryption is difficult for laypersons. (1)

Ford Prefect (8777) | more than 6 years ago | (#20563101)

SSL is not enabled by default these days as it adds quite a bit of CPU overhead on busy sites (or so I heard).

Plus, it's close to worthless without some kind of digitally signed certificate proving that your encrypted connection is talking to the website you want to be talking to...

Otherwise, that dodgy last layer of the Tor cake closest to the website could be talking SSL to your browser, and SSL to the website - but acting as a man-in-the-middle, eavesdropping on everything being said. Imaginatively, this is called a man-in-the-middle attack.

A very brief overview of HTTPS. (1)

Grendel Drago (41496) | more than 6 years ago | (#20563957)

Start with the Wikipedia article [wikipedia.org]; this is a very, very cursory explanation.

Sites can use the HTTPS spec to transport data with end-to-end encryption. In short, the server sends you a certificate (a public key, meaning you can use it to encrypt things that only they can decrypt), which you use to encrypt a session key to send back to them, and you've got an encrypted link which is secure between you and the server.

However, you don't know who the server is; any black hat could be sitting between you and your bank, performing what's called a "man in the middle" attack. You send them your credentials over a wonderfully secure encrypted link... that doesn't go where you think it does; the black hats forward this information to your bank, and everything seems to work fine except that next week, your accounts are all empty. To solve this, those public keys that the servers send are signed by what are called "root certificates", which are generally installed along with your operating system, which is a secure second channel.

What that lock in the corner of your browser means is that the certificate that the site provided is signed by a root certificate that you have. In practice, it means that the site owner went through some kind of process involving proving to the holder of a root certificate that yes, they really are Amazon.com. (I believe that there was a scandal some time ago where some guy managed to get a certificate signed by a trusted issuer saying that he was Microsoft, but I might be wrong, as I can't find the story.)

So for a site owner to provide that little lock, they have to set up their server to do HTTPS, generate a cert and have it signed by one of the root certificate issuers. It's nontrivial, but anyone running a business pretty much has to do it, as only a complete nimrod would send credit card information unprotected across the wild and woolly internet.

(For more edification, here's a thread where some guy doesn't know what the protocol provides [slashdot.org]. What he doesn't understand is that there's absolutely no way apart from signatures on certificates to make sure you're not the subject of a man-in-the-middle attack.)
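The certificate-chain check that puts the lock in the browser, as an added example (not from the post above, nor from Tor's or any browser's code), in Go using only the standard library. The root CA, the site name bank.example and the self-signed certificate minted by an intermediary are all constructed here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a certificate for name: self-signed when parent is nil (a root, or a rogue cert minted by whoever sits in the middle), otherwise signed by parent's key.
func mkCert(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IsCA:         isCA, BasicConstraintsValid: true,
	}
	if !isCA {
		tmpl.DNSNames = []string{name} // the hostname the client will check against
	}
	if parent == nil {
		parent, parentKey = tmpl, key // nothing vouches for it but itself
	}
	// Demo code: errors from the constructed inputs are ignored for brevity.
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusted is the "lock icon" decision: a chain must lead from cert to a root the client already holds, and cert must name the host being visited.
func trusted(cert *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func main() {
	root, rootKey := mkCert("Constructed Root CA", true, nil, nil) // installed on the client
	roots := x509.NewCertPool()
	roots.AddCert(root)
	bank, _ := mkCert("bank.example", false, root, rootKey) // vetted and signed by the root
	rogue, _ := mkCert("bank.example", false, nil, nil)     // self-signed by an intermediary
	fmt.Println(trusted(bank, "bank.example", roots), trusted(rogue, "bank.example", roots)) // true false
}
```

Passing a nil root pool to Verify would fall back to the system trust store, so a deliberately empty x509.NewCertPool() is what models a client with no roots installed.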

Re:Encryption is difficult for laypersons. (1)

Yvanhoe (564877) | more than 6 years ago | (#20561019)

Maybe the Tor team should stop saying in their explanation pages that they use encryption. They should do like every company, use a near-English word, "Anonymization technology" maybe...
And a little warning in bold letters "Careful! Tor provides you with anonymity, not secrecy of the transmission. You should still use encryption to protect your sensitive transfers."

Is it still called a man-in-the-middle attack (4, Interesting)

joeflies (529536) | more than 6 years ago | (#20558075)

if you voluntarily place the said man in the middle?

Re:Is it still called a man-in-the-middle attack (1)

sokoban (142301) | more than 6 years ago | (#20558179)

I don't know. But it's a good idea. Monitor the unencrypted link of some encrypted traffic in order to find out sensitive information. You can kind of assume that Tor traffic will have a greater concentration of interesting stuff going on than regular internet traffic.

Re:Is it still called a man-in-the-middle attack (0, Troll)

eknagy (1056622) | more than 6 years ago | (#20558235)

It is called sex. eknagy p.s. You really need to move out from the basement.

Re:Is it still called a man-in-the-middle attack (1)

Kjella (173770) | more than 6 years ago | (#20566683)

Yes. I can do a traceroute and know all the Internet hops to a site. But even though I know it's there, if one of those decided to listen in or act as an intermediary it'd be a man-in-the-middle attack. Next question?

I doubt it (5, Insightful)

Anonymous Coward | more than 6 years ago | (#20558173)

I doubt the users from these governments were using TOR to check their mail. More likely that hackers had already compromised the accounts and were using them to check the email accounts anonymously.

-AC

Re:I doubt it (1)

fastest fascist (1086001) | more than 6 years ago | (#20559429)

From TFA:
"These governments told their users to use ToR, a software that sends all your traffic through not one but three other servers that you know absolutely nothing about"

Also the article says the compromised organizations were warned about the risks of using Tor without encryption, and the warnings were blown off. That doesn't sound to me like any hackers were behind the Tor usage.

Re:I doubt it (0)

Anonymous Coward | more than 6 years ago | (#20561903)

Can you quote a government regulation telling their users to use it? Do you honestly think that the author of TFA can? Did he claim that he could? For all the governments and organisations involved? Come on... That sentence clearly was not meant to be taken literally. On top of that, if you would have read T-whole-FA, including the discussion and the author's replies, you would have learned something more.

Why are they using Tor? (1)

MikeRT (947531) | more than 6 years ago | (#20558227)

I would be surprised to find that this is an acceptable policy in most governments. The US government, for example, is pretty restrictive with its systems, and Tor would not be tolerated if you got caught. Sounds to me like the biggest move that needs to be made is reprimanding or firing employees, not policy.

Re:Why are they using Tor? (1)

Znork (31774) | more than 6 years ago | (#20559163)

"I would be surprised to find that this is an acceptable policy in most governments."

I wouldn't. Using Tor would be a very good way to protect various government activities where they don't want anyone to trace sources and destinations. Think infiltrations of web communities, avoiding host-country snooping on various activities, avoiding geographic tracing for field personnel, etc.

As TFA noted, it _is_ policy for various governments' specific personnel. And it probably works very well against the specific threat it was intended to protect against. The problem in this case was that the lack of encryption opened the communications up to another threat instead.

Re:Why are they using Tor? (1)

LWATCDR (28044) | more than 6 years ago | (#20559557)

"avoiding host-country snooping on various activities,"
Why not a VPN using SSH back to the home country and then out from there?

Re:Why are they using Tor? (1)

HTH NE1 (675604) | more than 6 years ago | (#20560075)

E.g. the CIA could have used Tor to hide that it was them making bizarre edits to the Wiki page about the Pope (poss. to communicate secret code messages to undercover agents in the field--spookipedia).

How do you "sniff" w/o being on the wire? (0, Redundant)

Gothmolly (148874) | more than 6 years ago | (#20558311)

And if you're on someone's wire, aren't all security bets off?

Unless he built his own Tor node, joined the network, then captured his proxied traffic - which is something ANY Tor admin could do, in which case it's STILL not particularly insightful, cool, or 31337.

That's exactly what he did. (4, Insightful)

Valdrax (32670) | more than 6 years ago | (#20559077)

Unless he built his own Tor node, joined the network, then captured his proxied traffic - which is something ANY Tor admin could do, in which case it's STILL not particularly insightful, cool, or 31337.

That's exactly what he did. The entire point of him doing so was (he claims) to demonstrate that people using TOR are not protected from anyone reading traffic that comes out the exit nodes if they don't bother to encrypt the traffic they send into TOR.

Re:That's exactly what he did. (1)

turbidostato (878842) | more than 6 years ago | (#20564165)

"people using TOR are not protected from anyone reading traffic that comes out the exit nodes"

In other exciting news:
* influenza vaccine doesn't protect you against AIDS.
* you can get warm water by putting together hot and cold water.

Re:That's exactly what he did. (0)

Anonymous Coward | more than 6 years ago | (#20568575)

* your ISP and the admins of the dozens of computers that transmit your traffic over the internet can read your email and learn your plaintext passwords.

PS: It's Tor, not TOR.

mohd up (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#20558381)

also 3ead, its

No encryption?! (1)

eli867 (300724) | more than 6 years ago | (#20558415)

Unencrypted POP3 logins? Sheesh, even my Grandma uses SSL to check her mail.

This proves security. (1, Insightful)

rubypossum (693765) | more than 6 years ago | (#20558471)

If governments and embassies are using it then it's likely the system is relatively secure. What's likely to have happened is the Tor code was audited by said government(s) and found to be legit. Then the clueless diplomats were told "Hey, we've set up an anonymous browsing system for you. Browse away." Then the said diplomats go out and start browsing, thinking they're completely secure (i.e. don't need encryption, it's anonymous, right?) The rest is history.

I wonder about the intelligence of sniffing Tor exit ports, then mentioning you've found some (unnamed) diplomats browsing with it. I mean, you may feel like James Bond but getting loaded into the back of a van in the middle of the night isn't any fun. Neither is having the skin peeled off your fingers one at a time.

Just saying.

Re:This proves security. (1)

pegr (46683) | more than 6 years ago | (#20558691)

As long as you kept your mouth shut, how would they know? I mean, it works the way it's supposed to... You could gather all kinds of interesting info and no one would have any reason to know you sniffed it...

In fact, it might be pretty scary seeing what's coming in/ going out a Tor exit node. Think of who might use Tor besides clueless diplomats?

Re:This proves security. (1)

rubypossum (693765) | more than 6 years ago | (#20559047)

Haha, yeah. Let's just assume that he kept logs of everything coming out the ports. He could be arrested by said government(s) on possession of child pornography. I mean, it's pretty likely he's possessing some.

and? (2, Informative)

tomstdenis (446163) | more than 6 years ago | (#20558933)

I thought it was common knowledge that most exit routes were owned by the very people that people think they need to keep secrets from.

Personally, I'm more afraid of some script kiddie stealing my ID than the man listening to my thoughts ... but then again I grew up in Canada, not Bosnia or whatever :-)

The summaries don't add much? (1)

Trillan (597339) | more than 6 years ago | (#20559189)

The summaries don't add much? Really? How about an explanation of what Tor actually is? Ars explains, Egerstad doesn't.

What? No! Can't be! Impossible! (4, Insightful)

Opportunist (166417) | more than 6 years ago | (#20559255)

Someone who sits between sender and recipient who exchange unencrypted data can sniff it? Impossible! Stunning news!

Which reminds me, /. should implement irony tags.

Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal? I'm kinda glad someone finally points it out and that it affects some high profile target like an embassy so some people (read: politicians and other, similar entities) will actually realize that this is possible and being done, but the answers here scare me almost more.

I mean, here, we're supposedly a hint more educated than Joe Schmoe Average Browser, right? News for Nerds is hardly Weekly World News, I'd say. And still, we got people posting tinfoil crap like "Developed by $three_letter_agency" or "of course it has to have holes, it's from the EFF". WTF? Folks? Get a grip. From the exit node to the server it's as unencrypted as it would be from you to the server if you didn't use TOR. That's neither a flaw, nor an implementation error, nor some CIA/NSA/WTF conspiracy. It's simply the way the net works, if you don't use some kind of SSL encryption between the communication partners!

Sometimes I really wonder...

Re:What? No! Can't be! Impossible! (2, Informative)

Mr. Underbridge (666784) | more than 6 years ago | (#20561037)

Seriously, people. OF COURSE that works! Man in the middle, anyone? Where's the big deal?

I don't think the guy was billing it as some major technical achievement. The news is the sensitivity of the traffic.

Re:What? No! Can't be! Impossible! (1)

Opportunist (166417) | more than 6 years ago | (#20572621)

True. But then, read some comments here. It seems there were actually people who thought this would magically encrypt http traffic.

Re:What? No! Can't be! Impossible! (1)

Alsee (515537) | more than 6 years ago | (#20563041)

/. should implement irony tags.

It does, 'hestavius tempus malarum lipsum' is a Latin phrase meaning 'irony'. If you check the page source you can find the tag and /tag in initialism form, like RSVP.

-

Re:What? No! Can't be! Impossible! (1)

Wizarth (785742) | more than 6 years ago | (#20566745)

You got me. I did a search for html tags, without quite thinking about the acronym as a whole. And as a stinger, you say the whole site is in fact irony! Very well done.

don't blame Tor (1)

m2943 (1140797) | more than 6 years ago | (#20560347)

The problem here is not that people are using Tor, the problem is that many services use unencrypted connections and unencrypted passwords. Tor is merely a convenient way of exposing this, but the problem would exist even without Tor.

So, don't blame Tor, blame service providers that use unencrypted authentication, and blame people using these kinds of services.

Not even new, even when you consider Tor (0)

Anonymous Coward | more than 6 years ago | (#20584715)

I have a blog post regarding this issue here: http://rabbi.vox.com/library/post/the-embassy-password-scandal-new-dog-old-trick.html [vox.com]

Most of the above comments have pointed out that, at its heart, this isn't a Tor issue, but an unencrypted password one. Furthermore, it's not even a new Tor issue -- I wrote a tech report about this in which I expressed concern that naive users might have more to fear from Tor exit node operators than from other surveillance due to the lack of ubiquitous crypto over a year ago (linked from my blog post), and the Tor FAQ explicitly calls attention to this, and has for some time (link also in my blog post.)

In my opinion, the onus is on the administrators of mail and other systems to simply disallow unauthenticated logins. It is ironic that many of the sites publishing this story themselves default to clear-text authentication -- in this day and age, that's sloppy. For an embassy or government agency, that's inexcusable.