
Web founder warns against website snooping (Tim Berners-Lee)
CNN Money ^ | 3/13/09 | Jonathan Lynn

Posted on 03/13/2009 2:14:56 PM PDT by xtinct



To: joseph20

When using a medium such as Tor, do you have a clear man-in-the-middle issue, meaning your encrypted names and passwords are taken from you? This is the issue.

Read the articles. You have no freaking idea who is spoofing your encrypted session with Tor. And I would bet it is someone with bad intentions.


21 posted on 03/13/2009 3:35:09 PM PDT by ConservativeMind (Who is now in charge of the "Office of the President-Elect"?)

To: ConservativeMind

I already responded to that article.

The users were tricked into sending their username/password credentials to a fake website set up to look like the real one. That’s called phishing. Tor doesn’t claim to protect users against phishing.


22 posted on 03/13/2009 3:36:24 PM PDT by joseph20 (...to ourselves and our Posterity...)

To: ConservativeMind
"When using a medium such as Tor, do you have a clear man-in-the-middle issue, meaning your encrypted names and passwords are taken from you? This is the issue."

Sure, a man-in-the-middle can take my encrypted passwords. So what? It will take many, many years to crack it with a brute force attack.

"Read the articles. You have no freaking idea who is spoofing your encrypted session with Tor. And I would bet it is someone with bad intentions."

Spoofing a website is called phishing. Tor doesn't claim to prevent this sort of attack. If you send your username/password to a FAKE website, nobody can help you. Solution is: Don't send your username/password to FAKE websites!

23 posted on 03/13/2009 3:41:12 PM PDT by joseph20 (...to ourselves and our Posterity...)

To: joseph20
No, you didn't read them. If you had, you'd realize that the technique passed them through to the real site after harvesting their names and passwords, but fed them back a fake URL which looked identical to the one they meant to visit, along with having an SSL certificate that was deemed legitimate. For yourself and others reading:

Two-fold Technique

SSLstrip manages to fool the user into believing he has an encrypted connection with the intended website through several clever sleights of hand. First, the tool uses a proxy on the local area network that contains a valid SSL certificate, causing the browser to display an “https” in the address bar.

Second, it uses homographic techniques to create a long URL that includes a series of fake slash marks in the address. (To prevent browsers from converting the characters to punycode, he had to obtain a domain-validated SSL wildcard cert for *.ijjk.cn).

“The diabolical thing is it looks like https://gmail.com,” Marlinspike told The Register. “The problem is this bridge between http and https and that is a fundamental part of how SSL is deployed on the web. Changing that is not going to be easy.”

Marlinspike has successfully used the ruse on people using both the Firefox and Safari browsers. While he hasn't tested it on Internet Explorer, he assumes the technique works there too. And even if it doesn't, he says there's plenty of reason to believe even security-cautious users don't take the time to ensure their sessions are encrypted.

To prove his point, he ran SSLstrip on a server hosting a Tor anonymous browsing network. During a 24-hour period, he harvested 254 passwords from users visiting sites including Yahoo, Gmail, Ticketmaster, PayPal, and LinkedIn. The users were fooled even though SSLstrip wasn't using the proxy feature that tricks them into believing they were at a secure site. Sadly, the Tor users entered passwords even though the addresses in their address bars didn't display the crucial “https.” (Marlinspike said he later disposed of all personally identifiable information).

24 posted on 03/13/2009 3:53:54 PM PDT by ConservativeMind (Who is now in charge of the "Office of the President-Elect"?)
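The quoted article describes two tricks: a proxy that quietly serves the page over http while the user never checks the scheme, and a long hostname that reads like a path on a familiar site because it contains slash look-alike characters, backed by a wildcard certificate for *.ijjk.cn. The following is an added example, not code from the article, from the SSLstrip tool, or from any poster in this thread: a small defender-side check, in Python, that a browser extension, proxy log reviewer or security-awareness demo could run over an address-bar URL to surface exactly those two conditions. The set of slash look-alikes and the "last two labels" rule for the registrable domain are simplifying assumptions made for this example (a real check would use the Public Suffix List and a fuller confusables table); the sample URLs are constructed.

```python
"""Defender-side address-bar check for the two SSLstrip tricks quoted above.

Constructed example; not the article's, the tool's or any poster's code.
"""
import unicodedata

# Characters that render like '/' but are not the ASCII solidus (U+002F).
# Assumption for this example: a short hand-picked list, not a full
# confusables table.
SLASH_LOOKALIKES = {
    "\u2044",  # FRACTION SLASH
    "\u2215",  # DIVISION SLASH
    "\uff0f",  # FULLWIDTH SOLIDUS (NFKC-normalizes to '/')
}

URL_DELIMITERS = "/?#@:"


def split_url(url):
    """Minimal splitter written for this example (deliberately not urllib):
    returns (scheme, host, path). Userinfo and port are dropped; IPv6
    literals are not handled."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return "", "", url
    end = len(rest)
    for ch in "/?#":
        i = rest.find(ch)
        if i != -1:
            end = min(end, i)
    netloc, path = rest[:end], rest[end:]
    host = netloc.rsplit("@", 1)[-1].split(":")[0]
    return scheme.lower(), host, path


def registrable_domain(host):
    """Assumption: the last two DNS labels. Fine for ijjk.cn or gmail.com,
    wrong for e.g. co.uk; use the Public Suffix List in real code."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse_url(url, expected_domain):
    """Return the host, the domain the browser would actually talk to, and a
    list of findings explaining why the URL should not be trusted."""
    scheme, host, _path = split_url(url)
    findings = []

    # Trick 1: the page is not actually on https (the Tor-exit case in the
    # article, where the address bar simply lacked the "https").
    if scheme != "https":
        findings.append("not-https")

    # Trick 2: slash look-alikes that make a long subdomain read like a path.
    seen = sorted({unicodedata.name(c) for c in host if c in SLASH_LOOKALIKES})
    if seen:
        findings.append("slash-lookalike:" + ",".join(seen))

    # Some look-alikes collapse to real delimiters under NFKC, which is what
    # IDNA processing applies; flag a host whose normalized form gains one.
    nfkc = unicodedata.normalize("NFKC", host)
    if nfkc != host and any(c in nfkc for c in URL_DELIMITERS):
        findings.append("nfkc-expands-to-delimiter")

    if not host.isascii():
        findings.append("non-ascii-host")

    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        findings.append("domain-mismatch:" + actual)

    return {"scheme": scheme, "host": host,
            "registrable_domain": actual, "findings": findings}


if __name__ == "__main__":
    # Constructed sample URLs: a genuine login page, the plain-http variant,
    # and a homograph host modelled on the article's *.ijjk.cn description.
    samples = [
        ("https://mail.google.com/mail/", "google.com"),
        ("http://www.gmail.com/", "gmail.com"),
        ("https://www.gmail.com\u2044accounts\u2044ServiceLogin.ijjk.cn/", "gmail.com"),
        ("https://www.paypal.com\uff0fcgi-bin.ijjk.cn/webscr", "paypal.com"),
    ]
    for url, expected in samples:
        result = analyse_url(url, expected)
        print(url, "->", result["registrable_domain"], result["findings"])
```

The point of the last finding is the one the thread keeps circling: whatever the hostname looks like, the connection (and the certificate check) is made to the registrable domain at the end of it, so a certificate that is perfectly valid for *.ijjk.cn says nothing about gmail.com.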

To: joseph20

There was no fake website for anything. There was only a fake URL and a real (but illegit) SSL certificate given, but the real website was passed through.

No fake websites, so no “spoofing a website” as you claim.

Read the article. I’m losing my patience.


25 posted on 03/13/2009 3:56:48 PM PDT by ConservativeMind (Who is now in charge of the "Office of the President-Elect"?)

