Embassy leaks highlight pitfalls of Tor

Found on Security Focus on Monday, 10 September 2007

A Swedish security professional that posted the usernames and passwords for 100 e-mail accounts belonging to various nations' embassies and political parties revealed on Monday that he exploited the improper usage of the Tor network -- a distributed system of computers that anonymizes the source of network traffic -- to collect the information.

In total, Egerstad collected the e-mail credentials of more than 1,500 government workers, corporate employees and private individuals using the Tor network, he said. Because the technique is already known, Egerstad decided that fully disclosing the list of e-mail accounts and passwords for 100 of the government accounts was the best way to bring more attention to the issue.

Following the posting of the information to his Web site, a few countries did respond. India, Iran and Uzbekistan were friendly and supported the manner in which he disclosed the issue, he said. China filed a criminal complaint over the posting, while U.S. authorities complained to his Texas Web provider and had his original Web site taken down, Egerstad said.

He pointed to exit nodes run by hacking groups as potential ways of getting information for identity fraud, while massive nodes located in Washington D.C. and at the Space Research Institute in Russia are possible intelligence gathering tools for the U.S. and Russian governments, respectively.

That's not a bug in Tor per se. The traffic is only encrypted while it's in the onion network, but decrypted as soon it does out to the usual Internet. Tor helps making you anonymous, but it doesn't remove the need for encryption, like SSL for e-mail and websites. It may be easy to blame the technology, but here it's your own fault.

Browse all articles« Previous « » Next »