is tor making the web a safer place? obviously yes, because your ipadress is camouflaged. but you give yourself into a much bigger danger: already two yers ago [1], a hacker got into know of a lot of sensible information just because other people used tor. in fact these were informations of embassies. how did it work: easyly, tor is distinguishing between regular and exit nodes. exit nodes bring the traffic back from the tor network into the regular net. when you don’t use any encryption layer; all data is unencrypted at the exit node (between the nodes, there is some encryption). here is the clou: just add your own tor exit node and wait for something unencrypted and scan it for passwords. it gets even worser: if you are some rude government organisation and want to scan for some users; then just add a tor-exit node and wait at least for some (known) target ips. no matter if the communication is encrypted or not, you get to know who (ip-adress) wants to communicate with someone you want to spy and this who wants even to hide this.
why do i write this? i just heared from someone, who is using tor to scan the web for political extrem content, mostly in forums and do not want to spread his ip adress on his way. but does he gain more security? most internet bulletin boards are still not encrypted, so he’ll leave it’s login data at the tor exit node. but even if they would be encrypted, he will loose privacy because by using tor to access it he will show the owner of the exit node, that he wants to be private. there is also another problem; a tor exit node can could make it possible to run a man-in-the-middle attack, at least against forums with weak ssl certificates (or if you have the possibility, to sign your own, e.g. the state).
Update
of course you cannot determine the source ip-adress in tor; this was a mistake by me last night. but what works is the middle-man-attack from the last node; this could be done by every exit node who has the possibility to sign encryption certificates with browsers-accepted CAs. this is possible for governments. one possible solution would be that you stop communication if your browser shows a altered certificate message or when you double check the certificate with tor and without tor. if it’s the same you are on the same side.
The last week did not brought too much goodness for any techie interested in free thoughts. Pirate Bay was judged by a swedish court for a crime they did not commit, at least in the general techie opinion “it is not illegal to know someone who do something illegal and to tell you this”. Of course you can easily automate this knowledge and say “ok; tell me who has file XYZ, and I will tell others who has XYZ”. It’s basically the same what each search engine does. In fact you could even replace a regular torrent tracker by a search engine:
There are millions of websites where you can add content. Imagine a tag to describe tracker-like content, e.g. ABC (in practice it shall be more complex). So if you wan’t to share your new music track “mysong1.mp3″ just post “ABC mysong1.mp3 [filesize] [ipadress of seed1]). And everyone could find it using google (“ABC mysong1.mp3″). In fact, when you don’t use special websites but grab unprotected ones then you find this a common spammers tactics, but hey, you don’t want to to it? Or?
Maybe even germanys chief of censership minister of family affairs does realize that it isn’t so easy to censor the web; you just make a lot of damage to the right of public speech.
the kills – what new york used to be
