My ExcludeNodes list...post yours

Michael Holstein michael.holstein at csuohio.edu
Fri Aug 18 13:26:48 UTC 2006


> Depending on what constitutes authentication (and encryption).  If the
> encryption adds integrity to the authentication (if not there already)
> and prevents an eavesdropper from being able to trivially learn what
> is needed to masquerade as you, then it has value against adversaries
> not sophisticated enough or motivated enough for stream
> hijacking. Good enough for many purposes. But in principle and
> for more sensitive usage your point is well taken, thus worth raising.

You need not stream-hijack .. you can cookie-jack (like in Yahoo's case
.. would give you 24hr access) .. then you look through old mail to see
who else somebody does business with, request password-resets be emailed
to you, and voilà! You're in.

If you use TOR 24x7, I'd suggest judicious use of FoxyProxy's rules to
ensure traffic that you'd rather be secure than anonymous just uses your
own ISP (why pass a message through 3 strangers when you don't have any
desire to deny you sent it?).

Alternately, you can use FoxyProxy to *only* anonymize some things
(like your Google searches). /. published an article on this a week or
so ago.

~Mike.
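
The split routing described in the message above, sketched as proxy auto-config (PAC) style logic. This is an added example, not part of the original post and not FoxyProxy's own rule format. It assumes Tor's SOCKS listener is on 127.0.0.1:9050, and the host names and the `POLICY` object are constructed for illustration.

```javascript
// Added example: per-host routing between Tor and the local ISP.
// Assumption: Tor SOCKS listener at 127.0.0.1:9050; all host names are constructed.
const TOR = "SOCKS5 127.0.0.1:9050";
const DIRECT = "DIRECT";

// "tor-default":    everything goes through Tor except sites where you log in
//                   as yourself (session cookies never cross an exit node).
// "direct-default": only the listed hosts are anonymized through Tor.
const POLICY = {
  mode: "tor-default",
  identified: ["mail.example.com", "bank.example.net"], // secure rather than anonymous
  anonymized: ["search.example.org"],                   // anonymous rather than identified
};

// Match a host against a domain on label boundaries, so that
// "evilmail.example.com" does not match "mail.example.com".
function hostMatches(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, ""); // drop trailing root dot
  const p = pattern.toLowerCase();
  return h === p || h.endsWith("." + p);
}

function route(host, policy) {
  const inList = (list) => list.some((p) => hostMatches(host, p));
  if (policy.mode === "tor-default") {
    return inList(policy.identified) ? DIRECT : TOR;
  }
  if (policy.mode === "direct-default") {
    return inList(policy.anonymized) ? TOR : DIRECT;
  }
  // Refuse to guess: a typo in the mode must not silently change routing.
  throw new Error("unknown policy mode: " + policy.mode);
}

// Entry point with the signature browsers expect from a PAC file.
function FindProxyForURL(url, host) {
  return route(host, POLICY);
}
```
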



More information about the tor-talk mailing list