Crasher
Is SSL Strip a threat to TOR users?
    #9897964 - 03/02/09 04:54 PM (14 years, 10 months ago)

The below link is software and a video from Blackhat DC '09 available through thoughtcrime.org (for the casual security enthusiasts here.)
sslstrip


Does it pose a significant risk to TOR users visiting secure sites?


--------------------
Give me silence, water, hope;
Give me struggle, iron, volcanoes...


Seuss
Re: Is SSL Strip a threat to TOR users? [Re: Crasher]
    #9901672 - 03/03/09 03:23 AM (14 years, 10 months ago)

> Does it pose a significant risk to TOR users visiting secure sites?

Yes and no. Based upon the description, only the last onion router in the tor network virtual tunnel would be in danger as it forwards your HTTP request to the actual website. If somebody were running the hack on your local area network, you would be fine, though people routing through you on the tor network, using you as an end node of their virtual tunnel, would not be safe. Intermediate nodes in the tor network virtual path would be safe as the requests they send are encrypted and would not be seen as HTTP requests for sslstrip to snarf.


--------------------
Just another spore in the wind.


Alan Rockefeller
Re: Is SSL Strip a threat to TOR users? [Re: Crasher]
    #9912179 - 03/04/09 06:02 PM (14 years, 10 months ago)

> Does it pose a significant risk to TOR users visiting secure sites?

I don't think it's a big risk because sslstrip would have to be run on the tor exit node. While anyone can set up a tor exit node and do bad things to the traffic, they still probably wouldn't know who you are. Also they would have little control over which exit node your traffic goes out so it's likely that most of your traffic wouldn't go past the malicious exit node.

It's a much bigger risk if the attacker was on your local network and you weren't using tor. A malicious network engineer could do many bad things with sslstrip, but tor would provide a reliable layer of protection against that.

I recommend SSH tunneling because it's much, much faster than tor. As long as sslstrip isn't set up on the SSH host's network that will also provide near complete protection.
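
Added example, not part of the original posts and not sslstrip's own code: sslstrip works from an in-path position, such as the exit node or local network discussed above, by rewriting `https://` links and form targets in plaintext responses to `http://`. The check below compares a known-good copy of a page with the copy received over the path being tested and reports every URL that lost its `https` scheme. The function names and both sample pages are constructed for illustration; `example.com` is a placeholder host.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"href", "action", "src"}  # attributes that carry navigable URLs


class _UrlCollector(HTMLParser):
    """Collect absolute http(s) URLs from link, form and resource attributes."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                parts = urlsplit(value.strip())
                if parts.scheme in ("http", "https") and parts.hostname:
                    self.urls.append((tag, parts))


def collect_urls(html):
    parser = _UrlCollector()
    parser.feed(html)
    parser.close()
    return parser.urls


def find_downgrades(baseline_html, observed_html):
    """Return (tag, url) pairs that are https in the baseline but http as observed."""
    secure = {(p.hostname, p.path or "/", p.query)
              for _, p in collect_urls(baseline_html) if p.scheme == "https"}
    findings = []
    for tag, p in collect_urls(observed_html):
        key = (p.hostname, p.path or "/", p.query)
        if p.scheme == "http" and key in secure:
            findings.append((tag, p.geturl()))
    return findings


# Constructed sample pages: BASELINE was fetched over a trusted path,
# OBSERVED over the path being checked.
BASELINE = """
<a href="https://example.com/login">Sign in</a>
<form action="https://example.com/session" method="post"></form>
<a href="http://example.com/about">About</a>
"""
OBSERVED = BASELINE.replace("https://", "http://")

if __name__ == "__main__":
    for tag, url in find_downgrades(BASELINE, OBSERVED):
        print(f"downgraded <{tag}>: {url}")
```

Links that were already plain `http` in the baseline are not reported, so the output lists only targets whose scheme changed in transit.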


Crasher
Re: Is SSL Strip a threat to TOR users? [Re: Alan Rockefeller]
    #9912307 - 03/04/09 06:31 PM (14 years, 10 months ago)

My friend offered to educate me on SSH tunneling, do you have any good resources on this?


Alan Rockefeller
Re: Is SSL Strip a threat to TOR users? [Re: Crasher]
    #9913803 - 03/04/09 10:22 PM (14 years, 10 months ago)

http://www.google.com/search?q=ssh+tunneling+web+connections


Let me know if you have trouble getting it to work. 


Crasher
Re: Is SSL Strip a threat to TOR users? [Re: Alan Rockefeller]
    #9914290 - 03/04/09 11:35 PM (14 years, 10 months ago)

I just got pwned with a google search link. Thanks!


Copyright 1997-2024 Mind Media. Some rights reserved.