Re: How do we defeat exit node sniffing?



It also depends on what you are using Tor for.

If you are checking your e-mail (or whatever) that is associated with your real identity, then use only HTTPS.
But if you are checking a different e-mail account that you have (1) set up over Tor and (2) only use for anonymous purposes, then you run a very small risk of being associated with the activity of that account.

Remember, just because your traffic is anonymous doesn't mean it's private.  So if you say "This is John Smith and my SSN is xxx-xx-xxxx" or whatever over an anonymous connection to a blog or forum, then you are asking for trouble.  You have to be in control of your privacy. 

- Kyle

On Thu, Jun 5, 2008 at 7:20 PM, defcon <defconoii@xxxxxxxxx> wrote:
For HTTP connections I'm worried about cookie sidejacking as well, since some sites only authenticate via HTTPS and set a cookie. What can we do in this regard?


On Thu, Jun 5, 2008 at 7:08 PM, Xizhi Zhu <xizhi.zhu@xxxxxxxxx> wrote:
You have to try to do the authentication with SSL/TLS. If not, your username and your password will be sent to the exit nodes first, and that's really terrible!

2008/6/6, defcon <defconoii@xxxxxxxxx>:
So what do you all suggest if I must authenticate to a non-SSL connection?  How do I do it anonymously and safely?

On Thu, Jun 5, 2008 at 5:37 PM, Christopher Davis <loafier@xxxxxxxxx> wrote:
On Thu, Jun 05, 2008 at 05:01:34PM -0700, defcon wrote:
> What are some good ways to defeat exit node sniffing?  Is there a listing of
> good exit nodes that do not sniff?
> Thanks,
> defcon

 
Prefer TLS-enabled services, and mind the authenticity of server certs.
Or use Tor hidden services.

--
Christopher Davis




--
Use Tor to secure your surfing trace:
http://www.torproject.org/

My blog: http://xizhizhu.blogspot.com/
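
Added example, not part of the original thread: an audit for the cookie sidejacking exposure raised above, listing which cookies set during an HTTPS login a browser would still attach to a later plain-HTTP request, where the exit node can read them. Host names, cookie values and function names are constructed for illustration, and a cookie without a Path attribute is assumed to default to "/".

```python
from urllib.parse import urlsplit

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, lower-cased attribute dict)."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def domain_matches(host, origin_host, attrs):
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:                       # no Domain attribute: host-only cookie
        return host == origin_host
    return host == domain or host.endswith("." + domain)

def path_matches(request_path, attrs):
    cookie_path = attrs.get("path") or "/"   # assumption: default path is "/"
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

def exposed_over_http(set_cookie_headers, origin_host, request_url):
    """Names of cookies that would travel in cleartext on request_url."""
    url = urlsplit(request_url)
    if url.scheme != "http":             # HTTPS requests are not readable at the exit
        return []
    host, path = (url.hostname or "").lower(), url.path or "/"
    exposed = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" in attrs:            # Secure cookies are never sent over HTTP
            continue
        if domain_matches(host, origin_host.lower(), attrs) and path_matches(path, attrs):
            exposed.append(name)
    return exposed

# Constructed sample: headers received from https://login.example.com/
SAMPLE = [
    "SID=abc123; Path=/; Domain=example.com",
    "AUTH=tok456; Path=/; Secure; HttpOnly",
    "CSRF=zzz; Path=/account",
    "LANG=en; Domain=.example.com; Path=/",
]

if __name__ == "__main__":
    print(exposed_over_http(SAMPLE, "login.example.com", "http://www.example.com/inbox"))
```

Any session cookie that shows up in the result is one the site should be setting with the Secure attribute.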