A month with BadOnions (chloe.re)
49 points by r721 on June 21, 2015 | 10 comments


I see a lot of HN posts about the security of Tor, but as a casual user I don't know what conclusions to draw.

Could someone who knows answer:

Is Tor currently a safe way to communicate securely and anonymously? Or: is it mostly safe, but theoretically insecure if, say, you were being targeted by the NSA? Or: Is it basically unsafe?


An exit node can see traffic between itself and the destination. This is by design; it is unavoidable. The experiment shows that some exit nodes actually are recording that traffic and extracting login credentials from it. There's nothing surprising about it. It's what we've all been suspecting for a long time.

The obvious conclusion is that you should use TLS even when you're connecting via Tor. Tor only gives you anonymity. You still need TLS for confidentiality.


Mostly your second answer. It can be regarded as safe against most, if not all, non-state-level attackers, when used cautiously. If you use Tor Browser and HTTPS and check how identifiable your browser is on https://panopticlick.eff.org/ you should be safe against employers, coffee shops, university administration and so on. At least as long as you don't make a mistake which reveals your identity (email reuse, etc.) of course.

It gets a bit more complicated for other services besides web browsing. torsocks works well to send traffic through Tor, but providing anonymity means you have to be really sure that no identity-related information is leaked.


Also note that DNS lookups do not go through a SOCKS proxy, which leaves a huge surface of attack and monitoring.


DNS does seem to go through SOCKS to an exit node, which then does the name resolution[1]

Supposedly more attention is to be paid to this in the next major version.

[1] http://tor.stackexchange.com/questions/8/how-does-tor-route-...


Sixteen out of a hundred thousand? That's a lot lower rate than I'd have expected.


>Sixteen out of a hundred thousand?

FTA: there were about 1400 exit nodes each tested about 95 times (that's where the 100,000 number comes from). And in addition to the 16 logins, there were a number of page views without login that seem to also have come from exit nodes.


Interesting find. Could also check for session reuse in case they captured cookies from the original logins.


Holy crap, there are over 100k exit nodes these days?

I can't believe it.


(*) This number does not show the total amount of uniquely tested exit nodes, just how many fingerprints that were tested. But every node was tested around 95 times (there's around ~1400 exit nodes).



