
Making an IP hidden/anonymous surfing

Comments

  • Lakeuk
    Lakeuk Posts: 1,084 Forumite
    Part of the Furniture
    Tried the odd one found on Google but found them more hassle than they are worth.

    Found this though that looks interesting:-

    http://www.unwiredshow.tv/2007/12/10/31-using-the-onion-router-network/
  • mostly
    mostly Posts: 312 Forumite
    tor is your friend
  • fwor
    fwor Posts: 6,946 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    mostly wrote: »
    tor is your friend

    The arrested Swedish guy, Dan Egerstad, that I mentioned earlier? He got his hands on usernames and passwords by... running some Tor servers!

    Are you ~sure~ Tor is your friend?

    Story is here:

    http://www.smh.com.au/news/security/the-hack-of-the-year/2007/11/12/1194766589522.html
  • mostly
    mostly Posts: 312 Forumite
    nothing wrong with tor, he hacked embassy traffic.
  • fwor
    fwor Posts: 6,946 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Ok, maybe I misunderstood the story.

    I thought that he ran five Tor nodes which people used at random - because that's how Tor works. He sniffed anything that might be interesting (probably by logging the first part of each new SSL session where people are likely to be signing on to a system?), and some of that happened to be logins by diplomatic staff. I don't think there's any evidence that he ~targeted~ embassy staff, and I can't see how he would achieve that.

    As he was (apparently) doing what he did for academic purposes, he probably ignored all of the boring online banking logins that he also sniffed in the process, but someone less scrupulous might not have done.

    But I guess I just misunderstood the story!

    (edit: actually I can't think why anyone would use Tor to login to their online banking, but they might be using it for other "interesting" things which could involve Credit Card info, etc.)
  • Alfie_E
    Alfie_E Posts: 1,293 Forumite
    mostly wrote: »
    nothing wrong with tor, he hacked embassy traffic.
    The point is that he didn’t ‘hack’ anything. Traffic within the Tor network is encrypted by the Tor program. When it reaches the edge of the Tor network, the traffic looks just as if it had come directly from your own computer, without the Tor network in between, but coming from a different IP address. So, if what you’re sending isn’t encrypted, the last computer in the Tor chain will see just that – unencrypted traffic. This is no different to normal unencrypted traffic passing through the many hardware routers between you and your web or email server of choice.

    If you use SSL, the data is encrypted and authenticated end-to-end. You can’t proxy HTTPS, in the normal use of the word proxy. With a proxy server, the server makes the request on your behalf. If your request is encrypted using HTTPS, the most the server can know is the destination IP address. It can’t be a proxy and make the request on your behalf, because it doesn’t know what the request is. All any proxy server could do would be to forward the packets with their contents unchanged. This would be no different to the forwarding performed by, say, a home broadband router.

    It is possible to carry out an SSL man-in-the-middle attack, but you can’t do it by passive observation. You would have to take control of the network. SSL uses a certificate from the server to guarantee the server belongs to who it says it is. This is done by checking the server’s domain name (DNS) address against the certificate. If you take control of a DNS server, you have the potential to redirect traffic to your own server, but with certificates appearing to be correct.

    You also have to be aware if you’re using software that’s not a normal web browser. For example, the Opera Mini client relies on an Opera proxy to re-compress and reformat web pages. Therefore, it won’t allow you to make an end-to-end secure connection.
    古池や蛙飛込む水の音
  • fwor
    fwor Posts: 6,946 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Sorry Alfie, but I think you are wrong.

    You can't "insert" a server into the middle of an SSL session and make it work. You have to terminate the session on the proxy and establish another on the far side. That's why the "man in the middle" attack on Tor is hard to counter if you can't trust the person that runs the Tor server.

    But that's just my opinion. I might be wrong myself... Honestly, I have no axe to grind here - just reporting what others (e.g. Bruce Schneier) have identified as a security issue.
  • Alfie_E
    Alfie_E Posts: 1,293 Forumite
    fwor wrote: »
    You can't "insert" a server into the middle of an SSL session and make it work.
    I never said you could. I said it was possible to misdirect, if you gained control of the DNS server; you get to choose any server you like to receive the secure connection, then start a new secure connection to the true destination. I do stand slightly corrected. An explicit HTTPS proxy will see what’s being transferred. However, Tor doesn’t act as an HTTPS proxy, it simply routes packets about. The encryption within the Tor network is in addition to any used by the two end parties. If you put plain text into Tor, plain text comes out and the exit node can read it. If you put encrypted (HTTPS) text into Tor, encrypted (HTTPS) text comes out. The Tor exit node will not be able to decrypt it, only the destination web server will be able to do that.
    古池や蛙飛込む水の音
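
Added example, not part of the thread or any poster's code: a toy simulation of the layering described in the post above, showing what each relay holds when the payload is plain text and when it is encrypted end to end. The cipher, keys, relay names and sample request are constructed for illustration and are not Tor's real cryptography or protocol.

```python
import hashlib

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream.
    Stand-in for real encryption; applying it twice with one key undoes it."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

# Constructed per-hop keys the client shares with each relay (hypothetical values).
RELAY_KEYS = [b"guard-key", b"middle-key", b"exit-key"]
# Constructed key standing in for an HTTPS session between client and web server.
E2E_KEY = b"client-server-session-key"
# Constructed sample request.
LOGIN = b"POST /login user=alice&pass=hunter2"

def client_wrap(payload: bytes) -> bytes:
    """Client adds one layer per relay, exit layer innermost."""
    for key in reversed(RELAY_KEYS):
        payload = xor_layer(key, payload)
    return payload

def relay_views(cell: bytes) -> list[bytes]:
    """Each relay strips its own layer; record what it holds afterwards."""
    views = []
    for key in RELAY_KEYS:
        cell = xor_layer(key, cell)
        views.append(cell)
    return views

def exit_sees(payload: bytes) -> bytes:
    """Bytes the exit relay forwards to the destination."""
    return relay_views(client_wrap(payload))[-1]

if __name__ == "__main__":
    print("guard holds     :", relay_views(client_wrap(LOGIN))[0].hex()[:32], "...")
    print("exit, no HTTPS  :", exit_sees(LOGIN))
    sealed = xor_layer(E2E_KEY, LOGIN)
    print("exit, with HTTPS:", exit_sees(sealed).hex()[:32], "...")
    print("server decrypts :", xor_layer(E2E_KEY, exit_sees(sealed)))
```

Only the last hop ever holds the original bytes, and only when the client sent them without its own end-to-end layer.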
  • mostly
    mostly Posts: 312 Forumite
    good points well made, I'll get me hat
  • fwor
    fwor Posts: 6,946 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Fair enough Alfie - I guess there's only one person on this thread that understands how Tor works, and it's not me!

    Out of pure anorak interest I'll keep an eye on the story, as I don't think anyone has yet publicly explained how Egerstad did his Tor crack.
This discussion has been closed.