[tor-talk] Exit snooping 'research'

thecarp thecarp at gmail.com
Thu Feb 24 20:10:56 UTC 2011


On 02/24/2011 07:27 AM, Olaf Selke wrote:
> On 24.02.2011 08:45, grarpamp wrote:
>
>> There is NO way to detect passive monitoring unless you have access
>> to the monitor.
> for each exit node I can set up a unique decoy email account on a
> machine controlled by myself, access it over unencrypted pop or imap
> sessions through Tor and wait for a second login from a rogue exit operator
> trying to steal my mails. That's no rocket science.
>
It isn't, but nor is just passively capturing and just using what's
captured. There is no law of sniffing that says the person sniffing HAS
to take the bait every time. If he is content to just get what comes
over his wire and stick with that... he still gets whatever emails
you downloaded.

It also doesn't prove that the operator was complicit. That the sniffing
was happening along a path between only one node and your email server,
doesn't actually prove that it was happening at the node.

Admittedly, with the sort of exit policies that started all this, it
would be quite a preponderance of evidence but, still not hard proof.
Though, given the relative innocuousness of being on the bad exits list,
hell... it's hard to say definite proof is needed.

This would actually be quite an interesting test. Anyone taking bets on
how many nodes lead to compromised account passwords? I am guessing at
least a handful, maybe as many as a dozen?

Of course, an operator with multiple bad nodes might notice if you used
the same server/account with different passwords over a short period of
time. Might need to vary servers/accounts a bit to be really
thorough.... but... that is probably overkill.
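A correlation check for the decoy-account approach discussed in this exchange, added here as an example and not part of the original thread. The account names, exit IPs and the Dovecot-style auth log format are constructed; it only flags a decoy whose credentials were later used from somewhere other than the exit they were sent through, which, as noted above, shows the credentials leaked on that path but does not by itself prove the operator was complicit, and a sniffer who never logs in produces no hit at all.

```python
import re
from collections import defaultdict

# Constructed mapping: each decoy account is only ever used through one exit,
# so a login to it from any other source means the sniffed credentials were
# reused. The exit IPs are documentation-range placeholders, not real relays.
DECOYS = {
    "decoy-a1@example.test": "192.0.2.10",   # exit A
    "decoy-b2@example.test": "192.0.2.20",   # exit B
    "decoy-c3@example.test": "192.0.2.30",   # exit C
}

# Constructed mail-server auth log (Dovecot-like layout, assumed for the example).
# The first three lines are the researcher's own bait sessions through each exit;
# the last two are a later login to exit B's decoy from an unrelated address.
AUTH_LOG = """\
2011-02-24T08:45:01Z imap-login: Login: user=<decoy-a1@example.test>, rip=192.0.2.10
2011-02-24T08:46:12Z pop3-login: Login: user=<decoy-b2@example.test>, rip=192.0.2.20
2011-02-24T08:47:30Z imap-login: Login: user=<decoy-c3@example.test>, rip=192.0.2.30
2011-02-24T13:02:44Z imap-login: Login: user=<decoy-b2@example.test>, rip=198.51.100.7
2011-02-24T13:05:10Z imap-login: Login: user=<decoy-b2@example.test>, rip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) \S+: Login: user=<([^>]+)>, rip=(\S+)$")


def parse_logins(log):
    """Yield (timestamp, account, source_ip) for every successful login line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)


def suspicious_exits(log, decoys):
    """Map exit IP -> [(timestamp, source_ip), ...] for each decoy whose
    credentials were used from an address other than its assigned exit.
    Bait sessions come from the exit itself and are therefore not counted."""
    hits = defaultdict(list)
    for ts, account, rip in parse_logins(log):
        exit_ip = decoys.get(account)
        if exit_ip is None or rip == exit_ip:
            continue                      # not a decoy, or our own bait login
        hits[exit_ip].append((ts, rip))
    return dict(hits)


if __name__ == "__main__":
    for exit_ip, logins in suspicious_exits(AUTH_LOG, DECOYS).items():
        print(f"decoy for exit {exit_ip} reused from: {logins}")
```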
