How do we defeat exit node sniffing?

Jack Straw JackStraw at xeromail.com
Tue Jun 10 03:51:10 UTC 2008



F. Fox wrote:
> defcon wrote:
>> So what do you all suggest if I must authenticate to a non-SSL
>> connection?  How do I do it anonymously and safely?
> 
> (snip)
> 
> AFAIK, you can't.
> 
> However, there are three personal rules I stick to, when using accounts
> which need a login through Tor. They may or may not apply to your scenario:
> 
> 1.) Any account used for anonymity, must be created through Tor, and
> never have been touched without it.
> 
> 2.) Any such account must, of course, always be accessed through Tor
> after its creation.
> 
> 3.) Any such account must be considered expendable; i.e., if an exit
> sniffer stole the credentials and either locked you out or impersonated
> you, it wouldn't be a real problem.
> 
> If you'd rather not have to follow Rule 3, make sure you use accounts
> with services that use strong encryption - and watch out for accidental
> leaks*.
> 
> 
> *: Supposedly, Gmail's Web interface sometimes leaks, even when using it
> under HTTPS. To minimize such leaks, it's important to switch on POP or
> IMAP ASAP, and use a client with it with SSL/TLS enabled.
> 

I have a question about that, which has puzzled me for quite some time.
Perhaps I'm being too rigid in regards to this.

I have a Gmail account that was created through Tor.
I should say, that this anonymous account is a test account. I use it
for no sensitive communications, however I treat the account as if I do.

I have only accessed that Gmail account through Tor, and my Xerobank
account. Mixing it up. I have been very cautious in adhering to that.
Well, sort of... My bad.

A few months back, in haste, I accidentally accessed the account naked
from my standard IP address. Maybe 2-4 times. That's all. But it happened.

I felt that the account had to be abandoned as it was now "tainted."

But then I thought, "How so?"

Let's say hypothetically, I have accessed that account 1,000 times.
950 times I have logged in using Tor. 48 times I've logged in using my
Xerobank account.

On those few occasions, I've logged in from my home IP.

Logically, how would a potential adversary know where I'm coming from?

For all they'd know, I was traveling, and logged in using a friend's
computer as the access was less than a half dozen times. Unless I'm
missing something, that unintended access really tells them nothing. Or
does it? It may be suggestive, I'd think, but that's it. For some, that
would be enough to abandon the account and I understand that.

I accept all that Fox wrote as "Best Practices" and should always be
adhered to. One doesn't want to take risks or play Russian Roulette.

I agree.

But is that account really tainted?

Thanks,

Jack Straw

More information about the tor-talk mailing list