Downloading attachments with Tor - is this secure?

[Aplin, Justin M]

On 6/18/2010 3:06 AM, Matthew wrote:
> Apologies in advance for the basic-ness of this question.   I cannot
> find the answer with Google or in the Tor documentation.

I believe the answer you're looking for is #4 here: 
https://www.torproject.org/download.html.en#Warning

> In these cases, how is the file downloaded?  Does the download happen
> through HTTP/S?  If I am using Polipo and Tor then I assume the file is
> downloaded as HTTP/S and goes through the Tor nodes like any "normal"
> HTTP/S traffic.

This depends on where you're downloading from. Tor encrypts everything 
between you, the clients in your circuit, and the exit node. However, 
when traffic enters or leaves the exit node, it is *exactly* as if the 
exit node were visiting that website for itself. So, if you are 
downloading over standard HTTP, *nothing between the website and the 
exit node will be encrypted*. This usually isn't a terrible problem with 
downloads that don't contain any personal information that leads back to 
you, as it would be extremely difficult to follow the encrypted data 
over several hops through the network.

*However*, as the documentation says repeatedly, use HTTPS wherever 
possible, *especially* when communicating sensitive information that 
could lead back to you. This way, the traffic between the exit node and 
website is encrypted, and doubly so between you and the exit node. Much 
less will be gained by examining the traffic coming to/from the exit. 
Hope that answers your questions.

(Side Note: the above does not pertain to .onion websites or other 
hidden services, which are contained completely within the network.)

~Justin Aplin

***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/