"HTTPS and Tor: Working Together to Protect Your Privacy and Security Online"
by Electronic Frontier Foundation
"This week EFF released a new version of its HTTPS Everywhere extension for the Firefox browser and debuted a beta version of the extension for Chrome. EFF frequently recommends that Internet users who are concerned about protecting their anonymity and security online use HTTPS Everywhere, which encrypts your communications with many websites, in conjunction with Tor, which helps to protect your anonymity online. But the best security comes from being an informed user who understands how these tools work together to protect your privacy against potential eavesdroppers.
Whenever you read your email, or update your Facebook page, or check your bank statement, there are dozens of points at which potential adversaries can intercept your Internet traffic. By using Tor to anonymize your traffic and HTTPS to encrypt it, you gain considerable protection, most notably against eavesdroppers on your wifi network and eavesdroppers on the network between you and the site you are accessing. But these tools have important limitations: your ISP and the website you are visiting still see some identifying information about you, which could be made available to a lawyer with a subpoena or a policeman with a warrant.
Protecting your security and anonymity against real-time government wiretapping is considerably more difficult. In a country where ISPs are controlled by the government or vulnerable to government bullying, Internet users should be especially aware of what kinds of information are still visible to ISPs and may be subject to government surveillance. To a lesser degree, websites may be subject to the same kinds of government bullying and may be compelled to give up information about their customers.
Finally, government agencies with particularly vast resources, such as the NSA, may be able to circumvent the protection provided by Tor through what is known as the "Global Network Adversary" attack. If the Global Network Adversary (GNA) controls the relay through which you enter the Tor network and the relay through which you exit, the GNA can correlate the size and timing of your traffic to identify you on the Tor network. In this scenario, the GNA will have the origin and destination of your traffic, but if you are using HTTPS, they will not be able to read the content. You can help combat the GNA by running a Tor relay, adding to the strength and diversity of the Tor network.
EFF has put together an interactive graphic to explain the ways in which HTTPS and Tor work together to provide you with certain kinds of protection against a variety of potential adversaries."
․
"Tor Is Not Secure"
By Foxxy
"HTTPS is a better bet for security than no encryption, but Tor is not a better bet than nothing. The biggest problem is that anyone can run a Tor node (and since Tor nodes are trusted with however much network capacity they state they have and, thus, how much traffic they get, anyone can choose how much traffic they get as a Tor node, especially if they're running multiple nodes), effectively choose how much Tor traffic they get, and then sniff traffic as it goes through, including running "Man in the Middle" (MitM) attacks against HTTPS (SSL/TLS encryption). These attacks aren't theoretical. They're also easy to perform if you have a lot of resources, like one of the alphabet soup agencies. With all the known flaws of Tor and the EFF (as far as I know) not having addressed them with new releases or new software altogether, for them to be recommending using it I have to wonder if they have serious blinders on or don't have their users' best interests at heart (my money's on the latter...).
• Article on a security researcher sniffing data after running a few Tor exit nodes and what he got.
• Article about using BEAST (the Browser Exploit Against SSL/TLS Tool), which actually breaks SSL 3.0 and TLS 1.0 encrypted sessions, not just bypasses them (TLS 2.0 is secure, but not deployed or adopted anywhere yet).
• Article about sidestepping SSL (author is really using SSLstrip, not SLLstrip).
• How Tor can leak data to a malicious end router.
• More evidence of Tor exit node performing man in the middle attacks.
• Source discussion of the above evidence."
- http://www.sott.net/