Seems like there's a bit of confusion regarding what a bad exit node can and can't do here.
For many sites, you can trivially strip the SSL connection request as the exit node, downgrading it to vulnerable plaintext just by using ssl-strip. There'd be no cert warning, but smart users will notice the connection is http instead of https. Gmail is not one of those sites. Gmail forces HSTS, so he couldn't ignore the certificate warning even if he wanted to, because the HSTS requirement is pinned in the browser itself (with any reasonably modern browser), and if you've EVER securely visited Gmail, an HSTS token indicating the proper cert for the site is set that should prevent MITM "replacement cert" attacks. Bottom line: an exit node simply can't SSL-strip an HSTS site, and MITM is practically impossible, because you must catch the very first connection on an empty browser store.

That said, it's still basically effortless for an exit node to exploit its clients by injecting fingerprint-based iframe-style attacks into whatever low-security http pages you've requested, which gives abu al-badguy, as an inherent consequence of his fresh root, access to the plaintext of your https connections. Basically, trojaning your box and snagging your un/pw fields client-side is much more reliable for HSTS sites.

Torproject doesn't currently do very much to detect this kind of attack (imo they should at least have an agent automatically comparing known-good site requests with what they actually receive from each exit and flagging unusual variations), and the "bad exit" vector is unlikely to go away soon. In fairness, there are only so many devs, and most of them pooh-pooh realistic (paranoid) threat models.

On 2/19/2013 5:41 AM, Joe Btfsplk wrote:
> On 2/19/2013 2:11 AM, adrelanos wrote:
>> scarp:
>>
>>>> On 2/18/2013 9:01 PM, Mysterious Flyer wrote:
>>>>> Ummmmm. I am the REAL mysteriousfl...@yahoo.com. I guess it's
>>>>> super-duper easy for a person's user names and passwords to get
>>>>> hacked when accessing e-mail over Tor. I also noticed that
>>>>> someone has been reading my gmails (since they were marked as
>>>>> read), so I changed my password over there and will never access
>>>>> gmail through Tor again. Someone ALSO made a copy of my debit
>>>>> card and tried to use it in another state, but that may be
>>>>> coincidence. Does anyone have any knowledge as to HOW a hacker
>>>>> may get this information? Is it through an exit server? I
>>>>> certainly never made any online purchases through Tor.
>>>>>
>> Or he just ignored the SSL warning like so many people do.
>>
> All the replies make good points. Question - how do we know which is
> the real Mysteriousflyer, or if there are even 2?
> The latest one hasn't responded how or w/ what he was accessing his
> Gmail acct. Sometimes from public wifi? There are too many unanswered
> questions & variables.
> Has he checked for key loggers or trojans that could capture his PW?
> One simple way hackers get a PW.
>
> He didn't answer if he always used an encrypted connection to Gmail, or - as
> mentioned - if he ever got a security warning & ignored it. Don't know
> about Gmail, but some providers still allow clients to use unencrypted
> connections.
> If he uses a laptop / phone, has he ever left it alone while logged into
> Gmail, or with PWs unsecured? If he uses an email client, are stored login
> / SMTP PWs secured w/ a reasonably strong PW, or are they stored
> unprotected? Many other factors.
> _______________________________________________
> tor-talk mailing list
> tor-talk@lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
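As an added illustration (not code from this thread, from Tor, or from any browser), the following Python models the browser-side HSTS cache the post relies on: a policy is only ever learned from an HTTPS response, and once cached it forces http:// requests to be upgraded before they leave the browser, so an exit node running ssl-strip has nothing to strip. It also shows the gap the post names: on an empty store, the very first request is not upgraded. Host names, headers and the clock are constructed for the example.

```python
import time

class HstsStore:
    """Minimal model of a browser's HSTS cache (constructed for illustration)."""

    def __init__(self, now=time.time):
        self.now = now        # clock, injectable so expiry can be tested
        self.entries = {}     # host -> (expiry_timestamp, include_subdomains)

    @staticmethod
    def parse_header(value):
        """Parse Strict-Transport-Security; return (max_age, include_subdomains) or None."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(val.strip().strip('"'))
                except ValueError:
                    return None           # malformed header: ignore it entirely
            elif name == "includesubdomains":
                include_sub = True
        return None if max_age is None else (max_age, include_sub)

    def observe(self, host, scheme, headers):
        """Record HSTS from a response. Only HTTPS responses count, so a
        plaintext page rewritten by an exit node cannot set or clear the pin."""
        if scheme != "https":
            return False
        lowered = {k.lower(): v for k, v in headers.items()}
        value = lowered.get("strict-transport-security")
        parsed = self.parse_header(value) if value else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:                  # max-age=0 tells the browser to forget the host
            self.entries.pop(host, None)
        else:
            self.entries[host] = (self.now() + max_age, include_sub)
        return True

    def must_upgrade(self, host):
        """True if an http:// request to host must be rewritten to https://
        before it leaves the browser; this is what defeats ssl-strip."""
        labels = host.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            entry = self.entries.get(parent)
            if entry is None or entry[0] <= self.now():
                continue                  # unknown or expired policy
            if parent == host or entry[1]:
                return True
        return False
```

The first `must_upgrade` call on an empty store returns False, which is exactly the "first connection on an empty browser store" window the post describes; preload lists exist to close it for well-known sites.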