Tor - The Onion Router

Lashiec:
Yes, it's possible, but not very probable.

I would be very wary of using Tor if you are sending sensitive data, anyway, some exit nodes are operated by questionable organizations or countries... I suppose maybe you could encrypt your traffic before it's sent, but I don't know if such a thing would be feasible.

(Oh man, another link to Ars Technica, it's like I work there ;D)

Darwin:
I *think* Ghost Surf encrypts your data before sending it... but then, it's a shareware solution. I actually used it extensively circa 2005 but stopped using it circa 2005 because I don't really feel that I need the level of security that it provides.

f0dder:
--- Quote ---
Yes, it's possible, but not very probable.
-Lashiec (November 04, 2007, 06:08 PM)
--- End quote ---
That's "just" the "identify where the traffic is from" attack, which is of course bad enough. I thought I heard it having been used in the wild, but can't find the reference... I was probably just thinking about the theoretical attack.

--- Quote ---
I would be very wary of using Tor if you are sending sensitive data, anyway, some exit nodes are operated by questionable organizations or countries... I suppose maybe you could encrypt your traffic before it's sent, but I don't know if such a thing would be feasible.
-Lashiec (November 04, 2007, 06:08 PM)
--- End quote ---
TOR does its own encryption, but obviously this can be decrypted, since the exit nodes need to send something the final destination host (outside the TOR network) can understand. So if your data is traveling through a TOR node operated by somebody with malicious intents, won't they be able to see your data stream?

Of course you can use your own encryption before going through the TOR network, but anything that's attackable with a man-in-the-middle approach will be vulnerable, since the TOR network is effectively a whole lot of middle men.

I'm not sure how often TOR's routing changes, though... if it did often enough (ie, multiple times even for the same connection) it would be a lot harder to do attacks. But my guess is that once a stable/fast route is found, it'll prefer that route.

--- Quote ---
I suppose maybe you could encrypt your traffic before it's sent, but I don't know if such a thing would be feasible.
-Lashiec
--- End quote ---
HTTPS (but...), PGP encrypted emails, password-protected RAR archives, etc...

Lashiec:
It's a good question. Traffic between nodes goes encrypted, but I suppose it has to be decrypted to perform another exchange of different keys with the next node in the path, so I guess during that moment you could see the data using appropriate tools.

It's a fact that exit nodes are capable of viewing your traffic, though. And people are also capable of viewing its traffic, just like it happened to this German guy who went to jail because his exit node was being used by a child pornographer. It was suggested that Russian and Chinese governments are operating a group of nodes in the Tor network. Now, if I could find the source...

About the encryption thing, I was asking if it's possible to encrypt any kind of traffic you send to other computers, but of course, those other computers should be able to decrypt your traffic as well, I mean, negotiation of keys is needed. Am I correct?

f0dder:
--- Quote ---
About the encryption thing, I was asking if it's possible to encrypt any kind of traffic you send to other computers, but of course, those other computers should be able to decrypt your traffic as well, I mean, negotiation of keys is needed. Am I correct?
-Lashiec (November 05, 2007, 02:00 PM)
--- End quote ---
First of all, the applications need to either be aware of the encryption (i.e., it's done at the application protocol level), or you can tunnel/encapsulate the application traffic (i.e., instead of connecting to the other host, you connect to a port at localhost, which has an encrypted tunnel to the real host).

If you use an automatic (transparent) encryption (or rather, key exchange) scheme, you're vulnerable to man-in-the-middle attacks. Under normal circumstances, when your data is only traveling through normal routers and not something like TOR, and you're not doing anything that attracts government attention :P, I wouldn't worry too much.

Alternatively, you could use known-passphrase encryption (same passphrase used at both ends), but that's a hell wrt. key exchange. Or you could use public-key encryption, which is somewhat better, but you still need either central key authorities or a web of trust...
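
Added example (not part of the thread, and not code from Tor or any poster): a small simulation of the point in the last post, that an unauthenticated automatic key exchange gives no protection against a relay that swaps the public values, while a check keyed from a passphrase known at both ends detects the swap. The toy group, `PASSPHRASE`, `handshake` and `transcript_tag` are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only (far too small for real use).
P = 2**127 - 1          # a Mersenne prime
G = 3
PASSPHRASE = b"shared out of band"   # hypothetical pre-shared secret

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a symmetric key from the DH shared value."""
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()

def transcript_tag(passphrase, initiator_pub, responder_pub):
    """MAC over the public values one endpoint believes were exchanged."""
    key = hashlib.pbkdf2_hmac("sha256", passphrase, b"demo-salt", 100_000)
    msg = f"{initiator_pub}|{responder_pub}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def handshake(tamper):
    """Run one exchange; if tamper is True the relay substitutes its own public value."""
    a_priv, a_pub = keypair()          # initiator
    b_priv, b_pub = keypair()          # responder
    m_priv, m_pub = keypair()          # relay on the path
    seen_by_a = m_pub if tamper else b_pub   # what actually arrives at each end
    seen_by_b = m_pub if tamper else a_pub
    k_a = session_key(a_priv, seen_by_a)
    k_b = session_key(b_priv, seen_by_b)
    # With substitution, each endpoint has unknowingly agreed a key with the relay.
    relay_has_keys = tamper and (session_key(m_priv, a_pub) == k_a
                                 and session_key(m_priv, b_pub) == k_b)
    # Authentication step: each side MACs the transcript it saw; the tags are compared.
    tag_a = transcript_tag(PASSPHRASE, a_pub, seen_by_a)
    tag_b = transcript_tag(PASSPHRASE, seen_by_b, b_pub)
    return {"relay_has_keys": relay_has_keys,
            "tags_match": hmac.compare_digest(tag_a, tag_b)}

if __name__ == "__main__":
    print("honest path:  ", handshake(tamper=False))
    print("tampered path:", handshake(tamper=True))
```

A low-entropy passphrase used this way can still be guessed offline from a captured tag, which is why real designs use a password-authenticated key exchange or signed public keys for this step.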
