[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] When to use and not to use tor.

On 6/12/2011 1:22 AM, Seth David Schoen wrote:

Your communication with an online banking site usually _would_ be
encrypted with HTTPS, which would encrypt your login password.  For
instance, if you were banking with Bank of America, you would normally
start your login process at

You are correct Seth. I misspoke when I said login info on an encrypted site would not be encrypted - it would be.

I'm not sure of the answers to questions I'm posing - but they are good questions. Note, there are significant differences of the cipher strength of encryption used on different HTTPS site - even financial institutions. How hard would it be for a exit node operator to crack your (captured) encrypted PW? Depends. If a Tor exit node can capture a packet (and they can), what prevents them from using sophisticated software, available to any 14 yr old, to try & crack the encryption? They do know the packet was headed to SomeBank.com.

If Fernan's goal is anonymous online banking, I guess he'll need to use some proxy. What does anonymous banking mean - not wanting your ISP to know which bank sites you use (even if they can't see encrypted data)? Once logged in, the bank pretty much knows it's you.

Just a thought - what if one logged directly into their bank's encrypted site - using no proxy & their site was hacked (their site, not your computer). Or something goes wrong using a 3rd party of any kind to log into bank's site, and you tell them / they find out, "I was using Tor (or other) to login & the 3rd party intercepted my info."

In which case is the bank likely to be more sympathetic? I don't know that using Tor or other proxies enhance security of logging into secure sites at all. AFAIK, Tor is intended to increase anonymity, not security. There are regularly many, many new posts & articles about ongoing experiments on capturing & evaluating Tor traffic (and I'm sure other proxies). What was impossible yesterday is often common tomorrow.
But if you're using webmail, you could use HTTPS to connect to the
webmail operator over Tor, thereby protecting your e-mail from the
exit node operator.
HTTPS would protect it from an exit node, but not from from the email provider or from gov'ts of most technologically developed countries. If you want to be sure others besides the recipient aren't reading your email, use encryption. Even then, unless you're sure what the recipient will do w/ it, or their level of computer security, don't send anything in email you might not want others to read.

tor-talk mailing list