[tor-talk] When to use and not to use tor.

Seth David Schoen schoen at eff.org
Sun Jun 12 06:22:40 UTC 2011


Joe Btfsplk writes:

> I'm not a guru in this dept - only what I've read.  Reason usually
> given not to use Tor for Banking is because the Tor exit node has to
> send unencrypted data to your target site (like bank PWs).  Unless
> your communication w/ that site was somehow encrypted (& a login PW
> wouldn't be).  A malicious exit node operator could sniff the
> packets coming thru the relay.

Your communication with an online banking site usually _would_ be
encrypted with HTTPS, which would encrypt your login password.  For
instance, if you were banking with Bank of America, you would normally
start your login process at

https://www.bankofamerica.com/

This encryption is complementary to Tor because Tor protects the anonymity
of where you're connecting from, while HTTPS protects the confidentiality
of your communications, including the password.

There's a different problem with using Tor for online banking: some
financial institutions consider it a likely sign of fraud attempts,
since (for most financial institutions) few legitimate customers
currently try to hide their location from the financial institution,
but many people committing fraud do.  If the financial institution
misinterprets your Tor use as a sign of fraud, they might block your
on-line access or restrict it in some way.

> Just visiting a site where you're not required to enter private data
> doesn't allow a malicious exit node operator (or anyone else) to
> capture private data.  In the case of banking, instead of just
> making a direct connection between you & the bank https (using SSL /
> TLS), using Tor is introducing an "unknown" 3rd party.  That's
> basically  why.

Although Tor is introducing an unknown third party, it doesn't in any
way prevent you from also using HTTPS to protect your communications
against that third party.  In fact, all the published Tor documentation
strongly urges Tor users to always use HTTPS for this reason, and the Tor
Project is co-developing HTTPS Everywhere with EFF for this reason, and
has now included it with the Tor Browser Bundle.

> Same thing w/ unencrypted email.  An exit node could intercept it
> (though by far, most don't), but if it's really confidential info,
> don't send unencrypted email thru Tor.  If it's that confidential,
> you might ought to encrypt email anyway.  There are services (like
> Hush Mail) - for max privacy, I'd opt to install their software vs
> doing everything on their servers.

But if you're using webmail, you could use HTTPS to connect to the
webmail operator over Tor, thereby protecting your e-mail from the
exit node operator.

> Also a Firefox addon, Enigmail that allows using open PGP (GNU PG)
> encryption in a client like Thunderbird.  Haven't used it, but been
> thinking of checking it out.

This can be complementary to Tor _and_ HTTPS, because e-mail encryption
protects your e-mail contents from your e-mail service provider and the
other person's e-mail service provider.  I think it would be nice to
have a threat-model diagram to show what's meant to protect you against
whom, but let me try to summarize in text:

Suppose you're using Hotmail (Windows Live Mail) and e-mailing with your
friend who's using Gmail.

If you didn't use any security tools, then, among other things,

* other people on your wifi network would see what you're doing and could
  steal your password or read your e-mail;
* your ISP could do the same thing;
* the other ISPs that carry your communications to Hotmail could do the
  same thing;
* Hotmail would record your IP address, so they would know where you are
  connecting from, which could be used to trace your identity or location
  later on;
* Hotmail could read the e-mail that you ask them to deliver;
* the ISPs that carry your communications between Hotmail and Gmail could
  read the e-mail too (depending on whether Hotmail and Gmail are
  successfully using a security technology called ESMTP STARTTLS);
* Gmail could read the e-mail at any time after it's delivered to them;
* depending on how securely your friend accesses Gmail, other people like
  your friend's ISP might be able to read the e-mail as your friend opens it.

Also, people who are doing wiretaps (like tapping fiber optic cables or
microwave links) could read the communications between ISPs, perhaps
with the ISPs' knowledge or perhaps without it.  This goes to show that,
in the absence of security technology, there are plenty of entities that
might be in a position to spy on you in some way.

Different security tools try to address very different parts of this
problem.

Primarily, Tor tries to address the "Hotmail would record your IP address"
problem.  It incidentally solves the "other people on your wifi network"
and "your ISP" problems while adding a new, related problem: "the Tor exit
node operator could spy on you and read the e-mail".

Using HTTPS to connect to Hotmail addresses the "other people on your
wifi network", "your ISP", and "the other ISPs" problems, and, if you're
using Tor, it also addresses "the Tor exit node operator could spy on you"
problem.

Using GPG addresses the "Hotmail could read the e-mail" and "Gmail could
read the e-mail" problems.  It partially addresses all the problems
related to any ISP reading the e-mail: it prevents any of the ISPs from
understanding the content of the message, but it doesn't conceal the fact
that you're e-mailing a particular person at a particular time.

-- 
Seth Schoen  <schoen at eff.org>
Senior Staff Technologist                       https://www.eff.org/
Electronic Frontier Foundation                  https://www.eff.org/join
454 Shotwell Street, San Francisco, CA  94110   +1 415 436 9333 x107
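
[Added example, not part of the original message.] The text summary above, worked through as a small model that reports which of the listed problems remain for any combination of Tor, HTTPS and GPG. The problem names and each tool's effect come from the message; the status strings, data layout and function names are assumptions made for this illustration.

```python
# Added illustration: problem names and tool effects follow the message above;
# the status labels and structure are assumptions of this example.
PROBLEMS = [
    "other people on your wifi network read your traffic",
    "your ISP reads your traffic",
    "other ISPs on the way to Hotmail read your traffic",
    "Hotmail records your IP address",
    "Hotmail reads the e-mail",
    "ISPs between Hotmail and Gmail read the e-mail",
    "Gmail reads the e-mail",
    "friend's ISP reads the e-mail",
]
EXIT = "Tor exit node operator reads your traffic"  # exists only when Tor is used
PARTIAL = "content hidden, who/when still visible"

# Problems each tool fully addresses, per the message.
SOLVES = {
    "tor": {PROBLEMS[0], PROBLEMS[1], PROBLEMS[3]},
    "https": {PROBLEMS[0], PROBLEMS[1], PROBLEMS[2], EXIT},
    "gpg": {PROBLEMS[4], PROBLEMS[6]},
}
# GPG only partially addresses the ISP-related problems: it hides the message
# content, not the fact that you e-mailed a particular person at a given time.
GPG_PARTIAL = {PROBLEMS[1], PROBLEMS[2], PROBLEMS[5], PROBLEMS[7]}

def residual(tools):
    """Map every problem to 'open', PARTIAL or 'addressed' for a tool set."""
    tools = set(tools)
    if tools - SOLVES.keys():
        raise ValueError(f"unknown tool(s): {sorted(tools - SOLVES.keys())}")
    status = {p: "open" for p in PROBLEMS}
    if "tor" in tools:
        status[EXIT] = "open"          # Tor adds a new party to worry about
    for tool in tools:
        for problem in SOLVES[tool]:
            if problem in status:
                status[problem] = "addressed"
    if "gpg" in tools:
        for problem in GPG_PARTIAL:
            if status[problem] == "open":
                status[problem] = PARTIAL
    return status

def still_exposed(tools):
    """Only the problems that are not fully addressed."""
    return {p: s for p, s in residual(tools).items() if s != "addressed"}

if __name__ == "__main__":
    for combo in ([], ["tor"], ["tor", "https"], ["tor", "https", "gpg"]):
        print(combo or "no tools", "->", still_exposed(combo))
```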

