
Online Idiocy Kills

By Tim Hardy

Tor makes use of a network of volunteers across the world to smuggle information across borders

Steven Sumpter has written an excellent introductory guide to why you should run Tor and has not shied from explaining some of the minor risks inherent in doing so.

Tor enables people in repressive regimes to access more of the internet than their nations’ censors allow them. There is one risk for users of Tor not covered in the article, however, that I want to highlight. Since anyone can run a Tor node, what is to stop the bad guys from doing so?

In practice this happens a lot; nodes run this way are known as hostile exit nodes.

Karen Reilly at the Tor project pointed me to a post on their blog that covers this danger.

Tor provides anonymity and privacy by hiding where your Internet traffic is going and where it came from, but users must protect the security of their traffic by using encryption. Once you exit the last relay, you are back on the open Internet.

It is fairly technical so I will explain using an analogy.

Think of an old-fashioned postal service.

If you write a postcard to someone, anybody who handles your mail can read what you have written. If you put that postcard in an envelope someone has to tamper with your mail to know what you are saying. In oppressive regimes, the government have no qualms about opening your private correspondence. In imperfect democracies like that of the UK, the press steam over your virtual mail, the police look the other way and the editor of the newspaper responsible is rewarded with the full confidence of and a salary greater than the Prime Minister. As is so often the case, authoritarian regimes have a lot to learn about methods of control from societies that espouse the values of freedom and democracy.

If you send a letter through Tor, the service will help you. If you send a postcard, you are opening yourself up to danger.

So how do you know when your communications online are letters and when they are postcards?

With the web, it is fairly easy. Safe URLs begin with https:// and most modern browsers will highlight the fact that you’re on a secure connection by, for example, colouring the address bar green.

With banking we are learning to be cautious. With social media, less so.

Access Twitter over an unsafe connection in a web cafe in the UK and a benevolent geek might hijack your session and send a tweet out from your account containing a link to a URL explaining what has just happened.

Idiocy watches for people visiting Twitter insecurely, hijacks the session and posts a tweet warning them that they are vulnerable.

In somewhere like the UK this has the potential to cause a few red faces. Elsewhere in the world, it could cost you your life.

Tor will not protect you from this kind of attack if your message is routed through a hostile exit node. Always look at the advanced options for any web service you use, be that WordPress or email or another, and enable a secure connection. If there is no option to do so, assume anyone can read your messages and trace them back to you. Secure connections may be slightly slower but online idiocy kills.
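
A way to run the letter-or-postcard check on a service, as an added example that is not part of the original post: given a URL and the response headers the service returned, it lists what would still be readable at a hostile exit node. The host `social.example` and the sample responses are constructed; the `Secure` cookie attribute and the `Strict-Transport-Security` header are standard mechanisms assumed here, which the article itself does not name.

```python
from urllib.parse import urlsplit


def cookie_attrs(set_cookie):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    first, *rest = set_cookie.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in rest if p.strip()}
    return name, attrs


def audit_response(url, headers):
    """List the ways this response leaves the session readable in transit."""
    findings = []
    https = urlsplit(url).scheme.lower() == "https"
    if not https:
        findings.append("page fetched over plain http: content readable in transit")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = cookie_attrs(value)
        if not https:
            findings.append(f"cookie {name} was set over plain http")
        elif "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: sent on any later http request")
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if https and not has_hsts:
        findings.append("no Strict-Transport-Security: a later visit may start over http")
    return findings


# Constructed sample responses (not captured from any real service).
POSTCARD = ("http://social.example/home",
            [("Content-Type", "text/html"),
             ("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
HALF_SEALED = ("https://social.example/home",
               [("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
LETTER = ("https://social.example/home",
          [("Strict-Transport-Security", "max-age=31536000"),
           ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for label, (url, hdrs) in [("postcard", POSTCARD),
                               ("half-sealed", HALF_SEALED),
                               ("letter", LETTER)]:
        print(label, audit_response(url, hdrs) or "nothing readable in transit")
```

The half-sealed case is the one the green address bar does not reveal: the page is encrypted, but the session cookie can still go out on a later plain http request.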

8 thoughts on “Online Idiocy Kills”

  1. Latentexistence says:

    I am embarrassed to have missed this aspect!

    I was trying to keep the word count down though. It’s already 1,000 words.

  2. Don’t worry! You can’t cover every aspect in one post and your focus was more on why people should run nodes so this wouldn’t really fit in. Thanks again for writing an excellent guide to Tor.

  3. Pingback: Links 15/2/2011: Mageia’s First Alpha Released, Mandriva Hiring, New Linux Mint 10 RCs | Techrights

  4. “authoritarian regimes have a lot to learn about methods of control from societies that espouse the values of freedom and democracy.”

    An excellent point, that can’t be emphasised enough – urban planning, policing, mainstream media, the manufacture of national ‘emergencies’ from wars to deficits. The list is (almost) endless. Indeed, industries teaching these methods to developing nations have seen a boom over the past decade or so.

  5. Pingback: Why You Should be Very Scared of Snoopers’ Charter « beyondclicktivism

  6. John says:

    If you use TOR into a VPN then the exit node is not naked but encrypted while going off to the VPN.

    Also, remember that any cert based https connections are also not automatically safe as the cert auth system is vulnerable to any group with a huge amount of resources to throw at subverting ‘trust’ such as govs and large organised crime. Certs and authorities can and have been undermined many times.

    https does not mean trusted for sure unless the issuing authority was someone you could actually know (which was the original design). I don’t understand why there has not been a scandal about https being corp marketing hype not real security. The cert auth ‘trust’ hierarchies are a human system so easily subverted over the long run and pretty much all of it has been now. Do you personally know the people who issued the certificates you use (which is how it was designed for small scale use of actually ‘trusted’ people)? Of course not.
