It also depends on what you are using Tor for.<br><br>If you are checking your e-mail (or whatever) that is associated with your real identity, then use only HTTPS.<br>But if you are checking a different e-mail account that you have (1) setup over Tor and (2) only use for anonymous purposes, then you run a very small risk of being associated with the activity of that account.<br>
<br>Remember, just because your traffic is anonymous doesn't mean it's private. So if you say "This is John Smith and my SSN is xxx-xx-xxxx" or whatever over an anonymous connection to a blog or forum, then you are asking for trouble. You have to be in control of your privacy. <br>
<br>- Kyle<br><br><div class="gmail_quote">On Thu, Jun 5, 2008 at 7:20 PM, defcon <<a href="mailto:defconoii@gmail.com">defconoii@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
for http connections im worried about cookie sidejacking as well since some sites only authenticate via https and set a cookie, what can we do in this regard?<div><div></div><div class="Wj3C7c"><br><br><div class="gmail_quote">
On Thu, Jun 5, 2008 at 7:08 PM, Xizhi Zhu <<a href="mailto:xizhi.zhu@gmail.com" target="_blank">xizhi.zhu@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">you have to try to do the authentication with SSL/TLS. if not, your username and your password will be sent to the exit nodes first, and that's really terrible!<br>
<br>
<div><span class="gmail_quote">2008/6/6, defcon <<a href="mailto:defconoii@gmail.com" target="_blank">defconoii@gmail.com</a>>:</span><div><div></div><div>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0px 0px 0px 0.8ex; padding-left: 1ex;">so what do you all suggest if I must authenticate to a non ssl connection? How do I do it anonymously and safely?<br>
<br>
<div class="gmail_quote">On Thu, Jun 5, 2008 at 5:37 PM, Christopher Davis <<a href="mailto:loafier@gmail.com" target="_blank">loafier@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>
<div></div>
<div>On Thu, Jun 05, 2008 at 05:01:34PM -0700, defcon wrote:<br>> What are some good ways to defeat exit node sniffing? Is there a listing of<br>> good exit nodes that do not sniff?<br>> Thanks,<br>> defcon<br>
<br> </div></div>Prefer TLS-enabled services, and mind the authenticity of server certs.<br>Or use Tor hidden services.<br><br>--<br><font color="#888888">Christopher Davis<br></font></blockquote></div><br></blockquote></div>
</div></div><font color="#888888">
<br><br clear="all"><br>-- <br>Use Tor to secure your surfing trace:<br><a href="http://www.torproject.org/" target="_blank">http://www.torproject.org/</a><br><br>My blog: <a href="http://xizhizhu.blogspot.com/" target="_blank">http://xizhizhu.blogspot.com/</a>
</font></blockquote></div><br>
</div></div></blockquote></div><br>