
Re: [tor-talk] Email provider for privacy-minded folk

Seems like there's a bit of confusion regarding what a bad exit node can
and can't do here.

For many sites, you can trivially strip the SSL connection request as
the exit node, downgrading it to vulnerable plaintext just by using
ssl-strip.  There'd be no cert warning, but smart users will notice the
connection is http instead of https.

Gmail is not one of those sites.  Gmail forces HSTS, so he couldn't
ignore the certificate warning even if he wanted to because the HSTS req
is pinned in the browser itself (with any reasonably modern browser) and
if you've EVER securely visited gmail, an HSTS token indicating the
proper cert for the site is set that should prevent MITM "replacement
cert" attacks.  Bottom line: an exit node simply can't SSL-strip an HSTS
site, and MITM is practically impossible, because you must catch the
very first connection on an empty browser store.

That said, it's still basically effortless for an exit node to exploit
its clients by injecting fingerprint-based iframe-style attacks into
whatever lowsec http pages you've requested, which gives abu al-badguy,
as an inherent consequence of his fresh root, access to the plaintext of
your https connections.  Basically, trojaning your box and snagging your
un/pw fields clientside is much more reliable for HSTS sites.

Torproject doesn't currently do very much to detect this kind of attack
(imo they should at least have an agent automatically comparing
known-good site requests with what they actually receive from each exit
and flagging unusual variations), and the "bad exit" vector is unlikely
to go away soon.  In fairness, there are only so many devs, and most of
them pooh-pooh realistic (paranoid) threat models.

On 2/19/2013 5:41 AM, Joe Btfsplk wrote:
> On 2/19/2013 2:11 AM, adrelanos wrote:
>> scarp:
>>>> On 2/18/2013 9:01 PM, Mysterious Flyer wrote:
>>>>> Ummmmm.  I am the REAL mysteriousflyer@xxxxxxxxxx  I guess it's
>>>>> super-duper easy for a person's user names and passwords to get
>>>>> hacked when accessing e-mail over Tor.  I also noticed that
>>>>> someone has been reading my gmails (since they were marked as
>>>>> read), so I changed my password over there and will never access
>>>>> gmail through Tor again. Someone ALSO made a copy of my debit
>>>>> card and tried to use it in another state, but that may be
>>>>> coincidence.  Does anyone have any knowledge as to HOW a hacker
>>>>> may get this information?  Is it through an exit server?  I
>>>>> certainly never made any online purchases through Tor.
>> Or he just ignored the SSL warning like so many people do.
> All the replies make good points.  Question - how do we know which is
> the real Mysteriousflyer, or if there are even 2?
> The latest one hasn't responded how or w/ what he was accessing his
> Gmail acct.  Sometimes from public wifi?  There are too many unanswered
> questions & variables.
> Has he checked for key loggers or trojans, that could capture his PW? 
> One simple way hackers get a PW.
> He didn't answer if always used encrypted connection to Gmail, or - as
> mentioned - if ever got a security warning & ignored it. Don't know
> about Gmail, but some providers still allow clients to use unencrypted
> connections.
> If uses a laptop / phone, has he ever left it alone, while logged into
> Gmail, or PWs are unsecured?  If uses an email client, are stored login
> / SMTP PWs secured w/ reasonably strong PW, or are they stored
> unprotected?  Many other factors.
> _______________________________________________
> tor-talk mailing list
> tor-talk@xxxxxxxxxxxxxxxxxxxx
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
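The "empty browser store" point made above, as an added example that is not part of the original post or the Tor Project's code: a minimal model of a browser's HSTS store following RFC 6797 (host, max-age expiry, includeSubDomains). It shows that a policy can only be set by an https response, so a plaintext reply forged at the exit cannot create or remove one, that http navigations to a known host are upgraded before they leave the browser, and that a first visit on an empty store goes out in plaintext. Host names and timestamps are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Added example, not from the original post: a toy HSTS store as RFC 6797
# describes it. Times are passed explicitly so behaviour is reproducible.

class HstsStore:
    def __init__(self):
        self.policies = {}  # host -> (expires_at, include_subdomains)

    def observe(self, url, headers, now):
        """Record a policy from a response. The header is only honoured
        over https, so a stripped plaintext reply cannot set or clear one."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, arg = directive.strip().partition("=")
            name, arg = name.strip().lower(), arg.strip().strip('"')
            if name == "max-age" and arg.isdigit():
                max_age = int(arg)
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:          # a header without max-age is ignored
            return False
        host = parts.hostname.lower()
        if max_age == 0:             # max-age=0 tells the browser to forget
            self.policies.pop(host, None)
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        # True if host, or a parent with includeSubDomains, has a live policy.
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url, now):
        """URL the browser actually fetches: http is upgraded only if known."""
        p = urlsplit(url)
        if p.scheme == "http" and self.is_known(p.hostname, now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```

The first `navigate` call on an empty store returns the http URL unchanged, which is exactly the window an ssl-strip at the exit depends on; once an https response has been seen, the same call returns https and the downgrade never reaches the network.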
