On Thu, Feb 21, 2008 at 2:23 AM, Himanshu Chhetri
<[EMAIL PROTECTED]> wrote:
> Hey Bipin,
>                That was a good anonymity guide. However is routing traffic
> through TOR really secure? You must have heard of the recent incident where
> someone ran a "rogue" TOR node and captured the email passwords for many
> govt. embassies worldwide.
>
> -Himanshu

hi dude!
That's why I focused on point-to-point encryption between sender and
receiver of digital content in that explanation all the time. Doing
so would eliminate the issue you are pointing to completely...

ref the line...
>Though above technologies are vulnerable to traffic
>analysis from observers who can watch both ends of a user's
> connection and it has no defend against timing analysis.
>

To keep things short I had to speak jargon. I didn't mention this
important issue in detail, apologies. :)

The issue you mentioned is because the architecture of TOR is
vulnerable to traffic analysis. The issue exists because, though the
communication in TOR is encrypted and routed across random nodes,
the content is decrypted on the exit node. The person running the exit
node (i.e., last proxy in the chain) can sniff the content it is
relaying to the destination in decrypted form. It might be technically
difficult for a person in the proxy chain to determine the original
source of the traffic it is relaying, but by examining the content the
examiner can make a logical guess at the source of the content.

Example: even if I use TOR to write an email to Mr. John from
[EMAIL PROTECTED] logging using standard SMTP, it will
naturally be delivered to the receiving server as I have sent it,
right? Drawback of the SMTP protocol: no way to verify data
confidentiality and integrity. S/MIME or PGP solves this problem with
asymmetric key encryption for email (which I'd mentioned earlier), in
combination with signing the email with an SSL certificate (which I
didn't mention earlier).

Intelligence:
Use your self-signed certificate instead of trusting VeriSign or any
other certification authority, as they can be controlled by government
and have to comply with local law. Add the self-signed certificate on
either party manually after verifying the hash of the signature
fingerprint as authentic by a second means. The Diffie-Hellman key
exchange protocol wouldn't be suitable at this time.

Therefore, the receiving person sniffing at the exit node can look at
the content and the email address, i.e. name and domain (though the IP
is anonymous); one can easily guess the above email is from
[EMAIL PROTECTED] embassy, UK.

If a person is controlling large numbers of TOR servers there is a high
probability that he can find the IP address of the original source of
the content (but which can again be another proxy ;). Further, if you
have controlled several exit nodes, an anonymous user can be tracked
across several exit nodes over time by examining session, cookie and
content.

But it entirely depends on the situation when you have to choose
between whether to route your first connection through private
proxy (ssh tunnel) or F2F network or TOR or public anonymous proxy.

About the above news... the researcher was running a number of exit
nodes and sniffing the contents and came across the logins.


Some typos in the above email
- CR/LF are themselves ASCII characters. What I meant in that topic was
force the final output of the email/content to be limited to just
keyboard characters, disable display of all active content. Force
plain text.

- hide GMT means... filter out timezone information in the email. This
information is added by the email client in the email header.


Again, this topic is very vast. I know it because I have been
researching and writing some private scraps on this topic, "Defending
privacy in digital world", for about 2.5 years now. I expect it to be
my PhD research or a book over 1000 pages if I'll ever finish it....
;)

thanks,
-bipin

--~--~---------~--~----~------------~-------~--~----~
FOSS Nepal mailing list: foss-nepal@googlegroups.com
http://groups.google.com/group/foss-nepal
To unsubscribe, e-mail: [EMAIL PROTECTED]

Community website: http://www.fossnepal.org/
-~----------~----~----~----~------~----~------~--~---
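
The two clean-up points in the message above ("force plain text" and "hide GMT") can be applied to an outgoing message before it is handed to the mail relay. The following is an added example, not part of the original post; the sample message, the `KEEP` allow-list and the `sanitize` function name are assumptions made for illustration.

```python
from datetime import timezone
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

# Constructed sample (not from the thread): the Date header carries a local
# UTC offset, X-Mailer names the client, and an HTML part has active content.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: meeting
Date: Thu, 21 Feb 2008 08:08:00 +0545
X-Mailer: ExampleMail 1.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See you at ten.
--b1
Content-Type: text/html; charset="us-ascii"

<html><body><script>track()</script>See you at ten.</body></html>
--b1--
"""

KEEP = ("From", "To", "Subject")  # assumption: minimal header allow-list

def sanitize(raw: str) -> EmailMessage:
    src = message_from_string(raw, policy=policy.default)
    out = EmailMessage()
    for name in KEEP:  # every header not listed (X-Mailer, ...) is dropped
        if src[name]:
            out[name] = str(src[name])
    if src["Date"]:
        # Re-express the timestamp in UTC so the local offset is not disclosed.
        when = parsedate_to_datetime(str(src["Date"]))
        if when.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
            when = when.replace(tzinfo=timezone.utc)
        out["Date"] = format_datetime(when.astimezone(timezone.utc))
    # Keep only the text/plain part; HTML and attachments are discarded.
    body = src.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    # Limit the body to printable ASCII plus newline ("keyboard characters").
    text = "".join(c for c in text if c == "\n" or 32 <= ord(c) < 127)
    out.set_content(text, charset="us-ascii")
    return out

if __name__ == "__main__":
    print(sanitize(SAMPLE).as_string())
```

This only removes what the client adds to the message itself; headers stamped by relaying servers and the unencrypted body seen at an exit node still need the end-to-end encryption discussed above.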
