Re: TOR is for anonymization; so how to add encryption as well?
> 1) is no one able to decrypt the tor's encryption? As for the node-to-node encryption, you can assume the answer to be "probably not". AES128 is seen to be reasonably secure at the present time, enough so to be used for classified communication channels by the US Government. Does this mean $they probably couldn't brute-force a given key with enough time and/or resources? .. No. > 2) how can i trust the person who runs the tor's exit node? > You can't. Hence the need to use encrypted end-services like SSH, HTTPS, IMAPS, etc. > optional -3) [forgive me if it is too silly] > why people run TOR nodes? is that only to support the community or > other benifits as well? Yes, to support the community and to generally frustrate repressive governments (our own included, since doing so is still within the bounds of the law at the moment). Benefits? If you need a recent real-life example .. during the Iran election protests, people were creating S3/Vmware instances for TOR that allowed access to Twitter, etc. and created an ever-moving target for the authorities over there .. enough so that information continued to leak out to the rest of us. The same is true for China, WikiLeaks, etc. Cheers, Michael Holstein Cleveland State University *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: TOR is for anonymization; so how to add encryption as well?
On Sun, Dec 27, 2009 at 08:47:49PM +0530, arsha...@gmail.com wrote 4.4K bytes in 132 lines about: : 1) is no one able to decrypt the tor's encryption? Not that we know of. Tor uses ephemeral keys for all encryption exchanges. If your adversary can crack the rsa encryption in under 10 minutes, nothing is going to help you. : 2) how can i trust the person who runs the tor's exit node? You don't. By design, your tor client doesn't trust the tor network. We routinely scan for misbehaving nodes, notify the operators, and/or simply drop them off the network. Otherwise, the vast majority of nodes are run by people like you trying to help others and increase their own anonymity by mixing their tor circuits with others. -- Andrew Lewman The Tor Project pgp 0x31B0974B Website: https://torproject.org/ Blog: https://blog.torproject.org/ Identi.ca: torproject *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: TOR is for anonymization; so how to add encryption as well?
basile wrote: > If you repeat the above, but go to https://www.google.com (note the > http+s), then the above changes in that the clear http is replaced by > encrypted https. Then even the tor exit node admin can't see your traffic. It depends on the location of the exit node. I saw changing the above url to 'http://www.google.fr/' or 'http://www.google.ca/'. No encryption anymore! Only 'https://www.google.com/intl/xx/' ('xx' = country code) seems to be constant regardless of the location of the exit node. So for me 'https://ssl.scroogle.org/' is the better choice. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: TOR is for anonymization; so how to add encryption as well?
On Sun, 2009-12-27 at 09:27 -0600, Scott Bennett wrote: > On Sun, 27 Dec 2009 20:47:49 +0530 arshad wrote: > >On Sun, 2009-12-27 at 09:58 -0500, basile wrote: > > > >> arshad wrote: > >> > i want the traffic be encrypted as well? > >> > any workarounds? > >> > > >> > thanks. > >> > > >> > *** > >> > To unsubscribe, send an e-mail to majord...@torproject.org with > >> > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ > >> > > >> It is encrypted except at the exit unless you use https or imaps or > >> whatever protocol + s. > >> > >> Let me illustrate. Suppose you go to http://www.google.com via > >> privoxy+tor, then you establish a tunnel like this: > >> > >> Tor's encryption-- > >> client -- clear http ->Tor Relay ... > >> Tor's encryption-- > >> > >> This continues until you get to the exit > >> > >> Tor's encryption-- > >> -- clear http -> Tor Exit -- clear http > >> -> > >> Tor's encryption-- > >> > >> So sniffing is impossible except at the exit. The admin at the tor > >> exit should never look at the traffic leaving his/her node. > >> > >> If you repeat the above, but go to https://www.google.com (note the > >> http+s), then the above changes in that the clear http is replaced by > >> encrypted https. Then even the tor exit node admin can't see your traffic. > >> > >> Hope this helps and that my ascii art didn't get wrapped beyond > >> readability. > >> > > > > > >thank you very much for your reply. > >the the ascii art really helped. > >now i have two doubts in this. > >1) is no one able to decrypt the tor's encryption? > >2) how can i trust the person who runs the tor's exit node? > > > >optional -3) [forgive me if it is too silly] > >why people run TOR nodes? is that only to support the community or other > >benifits as well? > > > Please, please, please read the material at the torproject.org web site. > Then read the documentation. The developers have put a lot of time and effort > into writing good documentation for us to read and understand. An awful lot > of the questions you have been flooding our in boxes with, including the > questions in your message above, could have been avoided by your taking *your* > responsibility to read the documentation that has been provided to you. Note > further that the bulk of the documentation was installed onto your own > computer as part of the tor installation. Please read it. > Once you have done your homework, people on this list will be much > happier to address any questions you still have after you do your part. > > > Scott Bennett, Comm. ASMELG, CFIAG > ** > * Internet: bennett at cs.niu.edu * > ** > * "A well regulated and disciplined militia, is at all times a good * > * objection to the introduction of that bane of all free governments * > * -- a standing army." * > *-- Gov. John Hancock, New York Journal, 28 January 1790 * > ** :D thanks for the advice. iv been doing it and i will follow it in hte future also. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: TOR is for anonymization; so how to add encryption as well?
On Sun, 27 Dec 2009 20:47:49 +0530 arshad wrote: >On Sun, 2009-12-27 at 09:58 -0500, basile wrote: > >> arshad wrote: >> > i want the traffic be encrypted as well? >> > any workarounds? >> > >> > thanks. >> > >> > *** >> > To unsubscribe, send an e-mail to majord...@torproject.org with >> > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ >> > >> It is encrypted except at the exit unless you use https or imaps or >> whatever protocol + s. >> >> Let me illustrate. Suppose you go to http://www.google.com via >> privoxy+tor, then you establish a tunnel like this: >> >> Tor's encryption-- >> client -- clear http ->Tor Relay ... >> Tor's encryption-- >> >> This continues until you get to the exit >> >> Tor's encryption-- >> -- clear http -> Tor Exit -- clear http >> -> >> Tor's encryption-- >> >> So sniffing is impossible except at the exit. The admin at the tor >> exit should never look at the traffic leaving his/her node. >> >> If you repeat the above, but go to https://www.google.com (note the >> http+s), then the above changes in that the clear http is replaced by >> encrypted https. Then even the tor exit node admin can't see your traffic. >> >> Hope this helps and that my ascii art didn't get wrapped beyond readability. >> > > >thank you very much for your reply. >the the ascii art really helped. >now i have two doubts in this. >1) is no one able to decrypt the tor's encryption? >2) how can i trust the person who runs the tor's exit node? > >optional -3) [forgive me if it is too silly] >why people run TOR nodes? is that only to support the community or other >benifits as well? > Please, please, please read the material at the torproject.org web site. Then read the documentation. The developers have put a lot of time and effort into writing good documentation for us to read and understand. An awful lot of the questions you have been flooding our in boxes with, including the questions in your message above, could have been avoided by your taking *your* responsibility to read the documentation that has been provided to you. Note further that the bulk of the documentation was installed onto your own computer as part of the tor installation. Please read it. Once you have done your homework, people on this list will be much happier to address any questions you still have after you do your part. Scott Bennett, Comm. ASMELG, CFIAG ** * Internet: bennett at cs.niu.edu * ** * "A well regulated and disciplined militia, is at all times a good * * objection to the introduction of that bane of all free governments * * -- a standing army." * *-- Gov. John Hancock, New York Journal, 28 January 1790 * ** *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: TOR is for anonymization; so how to add encryption as well?
On Sun, 2009-12-27 at 09:58 -0500, basile wrote: > arshad wrote: > > i want the traffic be encrypted as well? > > any workarounds? > > > > thanks. > > > > *** > > To unsubscribe, send an e-mail to majord...@torproject.org with > > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ > > > It is encrypted except at the exit unless you use https or imaps or > whatever protocol + s. > > Let me illustrate. Suppose you go to http://www.google.com via > privoxy+tor, then you establish a tunnel like this: > > Tor's encryption-- > client -- clear http ->Tor Relay ... > Tor's encryption-- > > This continues until you get to the exit > > Tor's encryption-- > -- clear http -> Tor Exit -- clear http > -> > Tor's encryption-- > > So sniffing is impossible except at the exit. The admin at the tor > exit should never look at the traffic leaving his/her node. > > If you repeat the above, but go to https://www.google.com (note the > http+s), then the above changes in that the clear http is replaced by > encrypted https. Then even the tor exit node admin can't see your traffic. > > Hope this helps and that my ascii art didn't get wrapped beyond readability. > thank you very much for your reply. the the ascii art really helped. now i have two doubts in this. 1) is no one able to decrypt the tor's encryption? 2) how can i trust the person who runs the tor's exit node? optional -3) [forgive me if it is too silly] why people run TOR nodes? is that only to support the community or other benifits as well? thank you very much. best regards.
Re: TOR is for anonymization; so how to add encryption as well?
arshad wrote: > i want the traffic be encrypted as well? > any workarounds? > > thanks. > > *** > To unsubscribe, send an e-mail to majord...@torproject.org with > unsubscribe or-talkin the body. http://archives.seul.org/or/talk/ > It is encrypted except at the exit unless you use https or imaps or whatever protocol + s. Let me illustrate. Suppose you go to http://www.google.com via privoxy+tor, then you establish a tunnel like this: Tor's encryption-- client -- clear http ->Tor Relay ... Tor's encryption-- This continues until you get to the exit Tor's encryption-- -- clear http -> Tor Exit -- clear http -> Tor's encryption-- So sniffing is impossible except at the exit. The admin at the tor exit should never look at the traffic leaving his/her node. If you repeat the above, but go to https://www.google.com (note the http+s), then the above changes in that the clear http is replaced by encrypted https. Then even the tor exit node admin can't see your traffic. Hope this helps and that my ascii art didn't get wrapped beyond readability. -- Anthony G. Basile, Ph.D. Chair of Information Technology D'Youville College Buffalo, NY 14201 USA (716) 829-8197 signature.asc Description: OpenPGP digital signature
Re: TOR is for anonymization; so how to add encryption as well?
On Sun, 2009-12-27 at 17:24 +0530, arshad wrote: > On Sun, 2009-12-27 at 12:48 +0100, Nils Vogels wrote: > > On Sun, Dec 27, 2009 at 12:26, arshad wrote: > > > i want the traffic be encrypted as well? > > > any workarounds? > > > > Traffic within TOR itself is encrypted as part of the anonimization: > > When you are in the cloud, it is almost impossible to make heads or > > tails out of the messages that are being sent. > > > > When the traffic leaves the cloud, it is sent in the same way it was > > entered into the cloud, ie. HTTP will still be HTTP, HTTPS will be > > HTTPS. > > > > If you want your traffic to be both anonymous and encrypted throughout > > the entire path, use an encrypted protocol, such as HTTPS, IMAPS, > > POP3S, etc. > > > > Please, also read http://www.torproject.org/overview.html.en it will > > answer not only this question, but also a few similar questions that > > you might have when first starting to use tor. > > > > Greets, > > > > Nils > > > > > hi, > thanks for your reply. > i mean to avoid this: > > Eavesdropping by exit nodes > In September 2007, Dan Egerstad, a Swedish security consultant, > revealed that by operating and monitoring Tor exit nodes he had > intercepted usernames and passwords for a large number of email > accounts.[17] As Tor does not, and by design cannot, encrypt the > traffic between an exit node and the target server, any exit node is > in a position to capture any traffic passing through it which does not > use end-to-end encryption, e.g. SSL. While this does not inherently > violate the anonymity of the source, it affords added opportunities > for data interception by self-selected third parties, greatly > increasing the risk of exposure of sensitive data by users who are > careless or who mistake Tor's anonymity for security.[18] > http://en.wikipedia.org/wiki/Tor_(anonymity_network) Please read what you yourself posted: > As Tor does not, and by design cannot, encrypt the traffic between an > exit node and the target server It is impossible for Tor to do what you ask. The target server needs to support some kind of encryption. signature.asc Description: This is a digitally signed message part
Re: TOR is for anonymization; so how to add encryption as well?
On Sun, 2009-12-27 at 12:48 +0100, Nils Vogels wrote: > On Sun, Dec 27, 2009 at 12:26, arshad wrote: > > i want the traffic be encrypted as well? > > any workarounds? > > Traffic within TOR itself is encrypted as part of the anonimization: > When you are in the cloud, it is almost impossible to make heads or > tails out of the messages that are being sent. > > When the traffic leaves the cloud, it is sent in the same way it was > entered into the cloud, ie. HTTP will still be HTTP, HTTPS will be > HTTPS. > > If you want your traffic to be both anonymous and encrypted throughout > the entire path, use an encrypted protocol, such as HTTPS, IMAPS, > POP3S, etc. > > Please, also read http://www.torproject.org/overview.html.en it will > answer not only this question, but also a few similar questions that > you might have when first starting to use tor. > > Greets, > > Nils > > hi, thanks for your reply. i mean to avoid this: Eavesdropping by exit nodes In September 2007, Dan Egerstad, a Swedish security consultant, revealed that by operating and monitoring Tor exit nodes he had intercepted usernames and passwords for a large number of email accounts.[17] As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption, e.g. SSL. While this does not inherently violate the anonymity of the source, it affords added opportunities for data interception by self-selected third parties, greatly increasing the risk of exposure of sensitive data by users who are careless or who mistake Tor's anonymity for security.[18] http://en.wikipedia.org/wiki/Tor_(anonymity_network)
Re: TOR is for anonymization; so how to add encryption as well?
On Sun, Dec 27, 2009 at 12:26, arshad wrote: > i want the traffic be encrypted as well? > any workarounds? Traffic within TOR itself is encrypted as part of the anonimization: When you are in the cloud, it is almost impossible to make heads or tails out of the messages that are being sent. When the traffic leaves the cloud, it is sent in the same way it was entered into the cloud, ie. HTTP will still be HTTP, HTTPS will be HTTPS. If you want your traffic to be both anonymous and encrypted throughout the entire path, use an encrypted protocol, such as HTTPS, IMAPS, POP3S, etc. Please, also read http://www.torproject.org/overview.html.en it will answer not only this question, but also a few similar questions that you might have when first starting to use tor. Greets, Nils -- Simple guidelines to happiness: Work like you don't need the money, Love like your heart has never been broken and Dance like no one can see you. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/