[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Hints and Tips for Whistleblowers - their comments on Tor and SSL - I don't understand.




Am 27.10.2010 21:04, schrieb Andrew Lewman:
> On Wed, 27 Oct 2010 19:19:02 +0100
> Matthew <pumpkin@xxxxxxxxx> wrote:
> 
>> There is a "Hints and Tips for Whistleblowers Guide" available at 
>> http://ht4w.co.uk/.
> 
> The first problem is the content is actually served up by
> hostingprod.com and not ht4w.co.uk.  
> 
> As far as the content in question, it is dangerously wrong.  

Like the rest of the page in question
(https://p10.secure.hostingprod.com/@spyblog.org.uk/ssl/ht4w/2009/12/open-proxy-servers.html)

"Tor exit nodes do not always allow SSL/TLS encrypted sessions either,
but since these are vital for e-commerce, many do, even behind otherwise
restrictive firewalls and censorware. The Tor system will, after a short
delay, find a reasonably randomly chosen exit node, which does accept
SSL/TLS connection, statistically, this will usually be located outside
of the United Kingdom. "

Uhm? I think every legit exit node allows https.


"Remember that using any SSL/TLS https:// encrypted proxy server
session, or the mostly encrypted Tor proxy cloud, may protect the
contents of your traffic from local snoopers, but if you have to login
or otherwise authenticate to a web server or email system etc., then
those details (including your real IP address) will still probably be
logged by the target server, regardless of the link or session
encryption, and so your whistleblower details may still be exposed, if
that server is physically seized as evidence by the police or is
sneakily compromised by intelligence agencies etc., either through
technical hacking or bugging or by putting pressure on the systems
administrators."

Uhm - well I think it is true that the page I'm logging in to knows my
user credentials, but I don't get the point why they should need to
snoop them from my traffic, as its probably in their database.

Conclusion: I wouldn't trust any of the contents of this page ;)

regards,
Jan

***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/