Downloading attachments with Tor - is this secure?

Matthew pumpkin at cotse.net
Sat Jun 19 07:34:15 UTC 2010


Hi,

I think my question was so basic that I explained it badly.  I had seen
the page Justin suggested previously but it did not answer my simple
question.

Let me try again.

When you are go into for example Yahoo webmail (without Tor) and
download an attachment (say a Word document or a photo) then your
browser asks you where on your hard drive you wish to save that
attachment.

Then do the same thing using Tor (and Polipo).

I assume the attachment downloads from Yahoo Mail (or whatever) through
the three Tor nodes before being unencrypted at the final node and then
is downloaded to my computer.   In other words: the attachment (or for
that matter any file downloaded in the same way) is never downloaded
"outside" the Tor system - that is directly from the website to me
bypassing the Tor nodes?

Basic I know!

Thanks!



Aplin, Justin M wrote:
> On 6/18/2010 3:06 AM, Matthew wrote:
>> Apologies in advance for the basic-ness of this question.   I cannot
>> find the answer with Google or in the Tor documentation.
>
> I believe the answer you're looking for is #4 here: 
> https://www.torproject.org/download.html.en#Warning
>
>> In these cases, how is the file downloaded?  Does the download happen
>> through HTTP/S?  If I am using Polipo and Tor then I assume the file is
>> downloaded as HTTP/S and goes through the Tor nodes like any "normal"
>> HTTP/S traffic.
>
> This depends on where you're downloading from. Tor encrypts everything 
> between you, the clients in your circuit, and the exit node. However, 
> when traffic enters or leaves the exit node, it is *exactly* as if the 
> exit node were visiting that website for itself. So, if you are 
> downloading over standard HTTP, *nothing between the website and the 
> exit node will be encrypted*. This usually isn't a terrible problem 
> with downloads that don't contain any personal information that leads 
> back to you, as it would be extremely difficult to follow the 
> encrypted data over several hops through the network.
>
> *However*, as the documentation says repeatedly, use HTTPS wherever 
> possible, *especially* when communicating sensitive information that 
> could lead back to you. This way, the traffic between the exit node 
> and website is encrypted, and doubly so between you and the exit node. 
> Much less will be gained by examining the traffic coming to/from the 
> exit. Hope that answers your questions.
>
> (Side Note: the above does not pertain to .onion websites or other 
> hidden services, which are contained completely within the network.)
>
> ~Justin Aplin
>
> ***********************************************************************
> To unsubscribe, send an e-mail to majordomo at torproject.org with
> unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
>

***********************************************************************
To unsubscribe, send an e-mail to majordomo at torproject.org with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/



More information about the tor-talk mailing list