Comments on: Tor: Exploiting the weakest link

By: Chris

Chris — Tue, 17 Dec 2013 00:17:35 +0000

"/etc/init.d/tor start" starts tor as: /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc --hush

how do i get rid of --hush?

By: lucaskauffman

lucaskauffman — Wed, 27 Feb 2013 06:54:13 +0000

We didn't need the password, but the session id contained in the cookie.

By: Dan

Dan — Sat, 12 May 2012 05:19:15 +0000

“if you do not explicitly state https for the facebook login page, your password and username is sent PLAIN TEXT over the internet.”

Are you sure about that?

“

By: Lucas Kauffman

Lucas Kauffman — Wed, 11 Apr 2012 08:28:19 +0000

We had a lot of facebook traffic coming by, I think that it covered about 40% of all requests we did (we counted them but I do not have the number anymore). Some of it was indeed https, but still a lot was just plain http. I do not know why the https anywhere plugin didn't work. We didn't modify anything special on the exit node. You can always have a got at it yourself all the commands are displayed in the video.

By: CodeInChaos

CodeInChaos — Tue, 10 Apr 2012 20:42:45 +0000

TOR Browser contains the https anywhere plugin, so I'm a bit surprised by your facebook numbers.

Simple sniffing of connections is one of the most obvious issues with using TOR, and is relatively simple to mitigate.

I'm more afraid of rogue exit points linking visits to multiple sites. Preventing this requires a lot of discipline by the user, or significantly improving software(both the browser and TOR) and possibly even protocols.