[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: How do we defeat exit node sniffing?

To: or-talk@xxxxxxxxxxxxx
Subject: Re: How do we defeat exit node sniffing?
From: "F. Fox" <kitsune.or@xxxxxxxxx>
Date: Mon, 09 Jun 2008 18:35:24 -0700
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Mon, 09 Jun 2008 21:35:36 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type:content-transfer-encoding; bh=z4/XMnq6upJo1+15vSM3Z/5+yPT5/o95TCF3QOhhsz8=; b=wO+SHb2sh/aFZCAw4TT7LZMo+KxFnOijEo3RJuRj9yuckjwBIk0qIv9tycqNfPB+LG xuo/opoKMWb3SHe7yr2pLOwL0+QT97S9SlA2CvOSVsQLUupFrxVQN1SUNciZqwR50FkG 3lPLEzsZ1A87HXUoqhgkIGgvnUQfbMQ3sJjLk=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; b=v/LcU6tKrbhrePSPHXztcyig7VsR2OxsZC9GbFtoddcrG9GFiQDpqwaD2Fiv5q033y hUiOpqOHJkxB8BtGo+KLcOsf4qtU5v6Uy0fpRnk5OhTKhYpNGULCIVdp2/NeJ5wiJ+Sw P1pzrDunzFQPAw8WK0VpUlTViamFlwXSCqyrs=
In-reply-to: <a45400c30806051835u75d46afcs1acd73ed1b3f33@xxxxxxxxxxxxxx>
References: <a45400c30806051701m64da2e78vff227bab84d1ee73@xxxxxxxxxxxxxx> <20080606003753.GA35400@xxxxxxxxxxxxxxx> <a45400c30806051835u75d46afcs1acd73ed1b3f33@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Mozilla-Thunderbird 2.0.0.14 (X11/20080509)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

defcon wrote:
> so what do you all suggest if I must authenticate to a non ssl
> connection?  How do I do it anonymously and safely?
> 
(snip)

AFAIK, you can't.

However, there are three personal rules I stick to, when using accounts
which need a login through Tor. They may or may not apply to your scenario:

1.) Any account used for anonymity, must be created through Tor, and
never have been touched without it.

2.) Any such account must, of course, always be accessed through Tor
after its creation.

3.) Any such account must be considered expendable; i.e., if an exit
sniffer stole the credentials and either locked you out or impersonated
you, it wouldn't be a real problem.

If you'd rather not have to follow Rule 3, make sure you use accounts
with services that use strong encryption - and watch out for accidental
leaks*.

*: Supposedly, Gmail's Web interface sometimes leaks, even when using it
under HTTPS. To minimize such leaks, it's important to switch on POP or
IMAP ASAP, and use a client with it with SSL/TLS enabled.

- --
F. Fox
AAS, CompTIA A+/Network+/Security+
Owner of Tor node "kitsune"
http://fenrisfox.livejournal.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQIVAwUBSE3aW+j8TXmm2ggwAQgmRhAAjClll0d+dTaRWupAeLgqgyqxnH0RvQrc
GdBY1JQKoNewuaJpkEWzqaTK8fGRRbni09eJDleKfpfy/HREav9qlrCXDTK2Bkmx
37WiMo87R5ALm44WBsJ+9O7dCbKifo4haLB7ieNxZjJPI2yiZdPaVIQOG92rnWSh
lRO/PsZ83vm08HwJFdkwpQcCis1zjmDsMCzPBj4vkxpl0MzzSinzpgwbueJPK9g2
IJwcuDJh+3UBxDN3NVcWOJucXZ/6cGHUkG5ZTit6BL7jJO2nTIEI6hEnmO+eJQvp
Pn/kmsiv+XyWNph62jabYZ2BBafJ+nwrbvF+DmiX181BIGH2+SjN7m1/VDmRgoEb
T2OT8pXcHL86GppcNHTMKPvxzPJ09u9FCTfgRiW7rY/5loJJiLhXZtQ893hDTWG1
tkeBaSgyxc+EsVuI3z7fb8onX8hA5CltPpBPhlnzFcbViqdiImiqZ3ug6F/8cpsP
kbpB6coF8zwStXKhjfX3+1MPOUs5zIZve5rOZG+h4YBU20MD2W+UUdZ6ZBjA69EB
woo8PvpXcd+PDWeOdL7ddCt7K0i8F11XZZjfGx2D5g5gLVPHZjiRAlYAWC4S91eC
LsbQuOyIYqV4HKsbQVJxa+gJF+V+pOelrIyWzbe2TRu13plfsSNaKvFAP2oblmE4
ScX+T/z+YLo=
=kf6+
-----END PGP SIGNATURE-----

Follow-Ups:
- Re: How do we defeat exit node sniffing?
  - From: Jack Straw

References:
- How do we defeat exit node sniffing?
  - From: defcon
- Re: How do we defeat exit node sniffing?
  - From: Christopher Davis
- Re: How do we defeat exit node sniffing?
  - From: defcon

Prev by Author: Re: Torbutton 1.2.0rc1 released
Next by Author: Re: How do we defeat exit node sniffing?
Previous by thread: Re: How do we defeat exit node sniffing?
Next by thread: Re: How do we defeat exit node sniffing?
Index(es):
- Author
- Thread