It's late at night and you're using the anonymity feature of the Tor "cloud" to mask the fact that your surfing porn. When you're done at 3am, you go to bed thinking "Ha! Fooled 'em again. No one has any idea."
Back on July 11th, I wrote a blog under the headline: Are you the only one with access to that password you recovered? Think again. In that post, I wrote:
A few weeks ago, I was contacted by the CEO of a company whose Web service I’ve been playing around with under non disclosure. She noted that my test account had been inactive for a decent stretch of time and was wondering what was up. “I’ve been real busy” I said. “Besides, I’m not sure I remember my password.” Within seconds, she said “Is this it?” and went on to bark my password across the phone line.
The big deal isn’t that she used an easily wiretapped phone to convey confidential information to me. The big deal is that she had such quick access to my password. We had a conversation about this.
You don't have to be using Tor to anonymize your surfing habits to understand how the story of Dan Egerstad's (thanks Bruce Schneier for the link) arrest just proved the point I made back then in spades. According to The Sydney Morning Herald:
IT WASN'T supposed to be this easy. Swedish hacker Dan Egerstad had infiltrated a global communications network carrying the often-sensitive emails of scores of embassies scattered throughout the world. It had taken him just minutes, using tools freely available for download on the Internet.
Without going to deeply into what Tor is, Egerstad was operating some Tor nodes. Anyone, including you or me can do it and pretty soon, all sorts of traffic will start flowing through the systems under your command. Tor dusts up the trail you leave behind. When you browse a Web site through Tor (and many people do), no one has any idea where you or your computer are because of how Tor anonymizes your IP address. But that doesn't mean the payload is safe. For example, the user IDs and passwords being used to access inboxes on mail servers. Most such access is not done over secure protocols -- especially when it's browser-based access -- and Tor does nothing to secure those payloads. You're IP address might as well be coming from Mars. But if you're transmitting user IDs and passwords over unencrypted links, does your IP address really matter?
Yesterday, via e-mail, Dave F wrote to me:
I read your posts earlier this year about email security and secure password recovery with interest. Some commenters noted that most web based email systems only provide an SSL connection for the sign-in page and then go to a insecure page to display your emails. I've also noticed that you've mentioned Facebook recently.
Have you ever noticed that Facebook's sign-in page is not SSL secured? I'm no expert but it seems to me that our passwords are being transmitted over the Internet in the clear. This concerns me mostly because your Facebook user name has to be an email address. I'll bet that 90% of web based email users who also use Facebook use the same user name and password for both services. Find out my Facebook password and you can also sign in to my Gmail, Google Finance, Google Calendar, Google Docs and anything else that starts with Google.
Good friggin' question Dave. One small note of comfort: Some services, FaceBook included, offer an SSL-login option. When going to the login page, try prefacing the URL with "https:" instead of "http:" and see what happens. This works for GMail and Google Apps. It also appears to work for FaceBook's login page. But for those of us who are unaware of this option (FaceBook certainly doesn't default to it and I wish it would), most don't realize is that humans still have access to the path our data takes, even when that path cuts through the Tor cloud. At that point, many of us are blindly entrusting our senstive information to whoever has access to that path.
Egerstad had access to that path for some number of Tor users. The result? He sniffed the wire and found out all sorts of confidential information. He wasn't caught red-handed in the act. He apparently notified a bunch of countries of his discovery. "Yes yes Daniel... thank you very much... go back to whatever World of Warcraft fantasyland you came to us from and have fun." So Daniel published a bunch of his surreptitiously gathered data onto the Web. THAT got the governments' attention. The authorities too. He was arrested. My gut tells me that the theory that he was actually onto hackers (who else would anonymize their access to the email accounts of government officials?) is a good one.
But even more sure is the gut feeling that a lot of us are transferring sensitive data through systems that we don't know exist, and that are under the control of people who are only human, if you get my drift.