[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Downloading attachments with Tor - is this secure?



On 6/18/2010 3:06 AM, Matthew wrote:
Apologies in advance for the basic-ness of this question.   I cannot
find the answer with Google or in the Tor documentation.

I believe the answer you're looking for is #4 here: https://www.torproject.org/download.html.en#Warning

In these cases, how is the file downloaded?  Does the download happen
through HTTP/S?  If I am using Polipo and Tor then I assume the file is
downloaded as HTTP/S and goes through the Tor nodes like any "normal"
HTTP/S traffic.

This depends on where you're downloading from. Tor encrypts everything between you, the clients in your circuit, and the exit node. However, when traffic enters or leaves the exit node, it is *exactly* as if the exit node were visiting that website for itself. So, if you are downloading over standard HTTP, *nothing between the website and the exit node will be encrypted*. This usually isn't a terrible problem with downloads that don't contain any personal information that leads back to you, as it would be extremely difficult to follow the encrypted data over several hops through the network.

*However*, as the documentation says repeatedly, use HTTPS wherever possible, *especially* when communicating sensitive information that could lead back to you. This way, the traffic between the exit node and website is encrypted, and doubly so between you and the exit node. Much less will be gained by examining the traffic coming to/from the exit. Hope that answers your questions.

(Side Note: the above does not pertain to .onion websites or other hidden services, which are contained completely within the network.)

~Justin Aplin

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/