Using HTTPS solves these issues. Tor provides anonymity, not security or privacy; those attributes should be implemented in the application layer.
Problem is, there are some Russian VPNs doing the same thing. And routers sometimes get hacked to distribute malware.
Internet services should take these kinds of issues as proof that widespread adoption of secure protocols is critical.
Such amaze, you trusted someone so much that you downloaded an .EXE file through their sodding computer, and shockingly, they turned out not to be an upstanding gentleman with unwavering dedication to high moral standards!
In other news, people not knowing what a tool is, what it does, and how to properly use it, shoot themselves in the foot from a nail gun, emptying a full clip before noticing that anything is wrong. More at 11.
@rm_ said
Do I detect just a tiny tiny bit of sarcasm in your post? lol
I've occasionally tried to follow the logic of individuals advocating the use of Tor...
rm_, can you define "how to properly use it"?
@perennate
Tor forces SSL, but some exit nodes may run malware that strips the SSL. The only real defence against that (AFAIK) are people who report it.
That has been answered already by @perennate. Use HTTPS. It provides assurance that the content you receive (doesn't matter through Tor, or otherwise) does indeed come from the website that you're connecting to, and has not been tampered with or intercepted by others in transit.
If a site does not support HTTPS, do not log in to it via Tor (or on open WiFi networks etc), and don't download any executable code to run on your computer.
One of the things that will help is if we all run more exit nodes without any funny encapsulation stuff on them.
I agree. And the "issue" is not a real issue and not something new. But like all these days, they try to say something about TOR to take down even more of this service's reputation.
No, best way to help is to use secure application-level protocols. Here's the part of the only email on the tor-talk mailing list about this obviously minor incident:
I'm not a Tor developer and useless at coding, so I guess running a few exits is the best I can do
It just seems like the only morally sound reason for using such a thing is due to lack of freedom of speech in a particular jurisdiction, however it seems like the end-user has to be armed with a respectable amount of technical knowledge in order to use it safely, which makes it less than a great 'product'. I'm not familiar with the alternatives, or even used Tor, but it just seems like potentially more trouble than it's worth.
There is nothing in Tor software suite that can fully solve this issue; as I said Tor provides anonymity, not encryption/privacy (although if you are using hidden service then I think it does have end-to-end authentication/encryption). What I meant was, if you run any websites or mail servers you should make sure they use SSL/TLS, and encourage other website operators (e.g. @jbiloh) to do the same. The issue presented in OP is not Tor-specific, it applies to any situation where your traffic is routed through untrusted infrastructure (I guess most people trust their ISP to some extent, but still includes public VPN/wifi as @rm_ said).
Is someone here running an exit node?
I wonder which provider would allow it.
A while back an op in the online.net IRC channel said it was OK as long as it was legal and I resolved all abuse complaints. So far no abuse complaints on my 3 exits, although I have triggered the OVH anti hack on my Kimsufi with people trying to hack SSH and telnet boxes - I now only allow exiting on port 80 and 443 on OVH.
OVH/Kimsufi TOS says public proxies/TOR is banned if they generate abuse, but no actual complaints have been had.
You will get complaints. 443 and 80 generate a lot of abuse reports. I had like 1 a week when running that, most idiotic, like an admin at a university threatening my provider with lawsuits because the credentials of his mailboxes have been leaked through other means and someone was sending spam over 443 using those stolen credentials over Tor. Other people complaining they are blocking some countries and those people still get in by using Tor, so, Tor is to be blamed. I mean, if you can block countries, you can block Tor. All exits are public.
There are also the fraudsters which buy online over 443 from poor sad shops which do not block Tor and don't use MaxMind or equivalent, etc.
I allow only at home, only the following protocols: streaming (many), mail (pop3, imap), secure mail (465, 995, 993), chat protocols (excluding IRC), VoIP (sadly this does not work well over Tor, but it can be tweaked by experts), and that is about it. Due to the nature of my dynamic IP the traffic is not big as the nodes are treated as unstable, but on good days I reach 300 GB a day, bad days (bad power and changes I make in the network knocking the nodes offline multiple times) it goes for like 50 GB or so. Only exit traffic.
All the other nodes are relays only. I never hosted .onion sites, I believe a flog is better as Freenet was designed with this in mind, not only to forward, but also store at least short term.
For accessing content on the internet at large, such as media organizations blocked in China, Iran or Pakistan, for example, BBC, CNN, Twitter, Facebook, YouTube, you have to use Tor, as well as for email if you have to use Gmail, for example, for publishing stuff, sharing with friends completely untraceable on darknets, you should use Freenet and similar. If your friends don't know how, teach them.
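Added example, not part of any post in this thread: the remark above that "all exits are public", so a site that can block countries can also recognise Tor, shown as a check of access-log client addresses against an exit list. It assumes the list has already been fetched and holds one address per line; the list, the log lines and all function names here are constructed for illustration.

```python
import ipaddress

# Constructed sample exit list (documentation address ranges, not real exits).
SAMPLE_EXIT_LIST = """\
# constructed sample
192.0.2.10
198.51.100.77
2001:db8::1
not-an-ip
"""

# Constructed access-log lines, client address as the first field.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "POST /checkout HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1024',
    '2001:0db8:0000:0000:0000:0000:0000:0001 - - [01/Jan/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 300',
    'garbage line without an address',
]


def parse_exit_list(text):
    """Return the set of valid addresses, skipping comments and junk lines."""
    exits = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            exits.add(ipaddress.ip_address(line))
        except ValueError:
            continue  # malformed entry: skip it rather than fail the whole load
    return exits


def is_tor_exit(client, exits):
    """Compare parsed addresses so different spellings of one address match."""
    try:
        return ipaddress.ip_address(client) in exits
    except ValueError:
        return False  # first field was not an address at all


def flag_tor_requests(log_lines, exits):
    """Return the log lines whose client address is a listed exit."""
    return [ln for ln in log_lines if is_tor_exit(ln.split(" ", 1)[0], exits)]


if __name__ == "__main__":
    for hit in flag_tor_requests(SAMPLE_LOG, parse_exit_list(SAMPLE_EXIT_LIST)):
        print("tor exit:", hit)
```

Comparing parsed addresses rather than strings is what lets the fully expanded IPv6 address in the third log line match the compressed entry in the list.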