[tor-talk] When to use and not to use tor.

Joe Btfsplk joebtfsplk at gmx.com
Tue Jun 14 22:33:43 UTC 2011 

On 6/12/2011 1:22 AM, Seth David Schoen wrote:
>
> Your communication with an online banking site usually _would_ be
> encrypted with HTTPS, which would encrypt your login password.  For
> instance, if you were banking with Bank of America, you would normally
> start your login process at
>
> https://www.bankofamerica.com/
You are correct Seth.  I misspoke when I said login info on an encrypted 
site would not be encrypted - it would be.

I'm not sure of the answers to questions I'm posing - but they are good 
questions.
Note, there are significant differences of the cipher strength of 
encryption used on different HTTPS site - even financial institutions.
How hard would it be for a exit node operator to crack your (captured) 
encrypted PW?  Depends.  If a Tor exit node can capture a packet (and 
they can), what prevents them from using sophisticated software, 
available to any 14 yr old, to try & crack the encryption?  They do know 
the packet was headed to SomeBank.com.

If Fernan's goal is anonymous online banking, I guess he'll need to use 
some proxy.  What does anonymous banking mean - not wanting your ISP to 
know which bank sites you use (even if they can't see encrypted data)?  
Once logged in, the bank pretty much knows it's you.

Just a thought - what if one logged directly into their bank's encrypted 
site - using no proxy & their site was hacked (their site, not your 
computer).  Or something goes wrong using a 3rd party of any kind to log 
into bank's site, and you tell them / they find out, "I was using Tor 
(or other) to login & the 3rd party intercepted my info."

In which case is the bank likely to be more sympathetic?  I don't know 
that using Tor or other proxies enhance security of  logging into secure 
sites at all.  AFAIK, Tor is intended to increase anonymity, not 
security.  There are regularly many, many new posts & articles about 
ongoing experiments on capturing & evaluating Tor traffic (and I'm sure 
other proxies).  What was impossible yesterday is often common tomorrow.
> But if you're using webmail, you could use HTTPS to connect to the
> webmail operator over Tor, thereby protecting your e-mail from the
> exit node operator.
HTTPS would protect it from an exit node, but not from from the email 
provider or from gov'ts of most technologically developed countries.  If 
you want to be sure others besides the recipient aren't reading your 
email, use encryption.  Even then, unless you're sure what the recipient 
will do w/ it, or their level of computer security, don't send anything 
in email you might not want others to read.

More information about the tor-talk mailing list