Guide for Anonymous Blogging contains bad advice that adds security risk

For two years now, Global Voices Online has published a guide titled “Anonymous Blogging with WordPress & Tor”:

http://advocacy.globalvoicesonline.org/projects/guide/

The guide was recently (2011-11-15) linked to from a Wired.com article by Andy Baio on the topic of reverse Google Analytics ID lookup as a method for revealing the identity of people blogging anonymously while tracking several websites with the same Google Analytics account: http://www.wired.com/epicenter/2011/11/goog-analytics-anony-bloggers/all/1

The guide from Global Voices Online, last updated in March 2009, contains a lot of good advice and useful information, but also one serious flaw: it claims that webmail services which do not provide an HTTPS connection are safe as long as you access them via Tor. This is wrong; this usage scenario adds a risk. I quote:

Hotmail and Yahoo don’t offer secure HTTP (https) interfaces to webmail – again, this doesn’t matter so long as you use Tor every time you use these mail services.

In fact, the opposite is true: using Tor to access a webmail service that does not run under HTTPS – or any web-based service on plain HTTP where you submit a private username and password – poses a greater risk than not using Tor. The reason is that when using Tor, your internet traffic passes through a chain of Tor servers, all of which are set up and run by volunteers. There is no qualification mechanism for running a Tor server: anyone can set one up, and anyone can volunteer to let their particular Tor server function as a so-called exit node. An exit node is the Tor server where the user’s internet traffic finally leaves the chain of Tor servers and goes out to its destination. The owner of a Tor exit node can sniff, inspect and copy any of the data packets going out to the internet through that machine. Normally no internet traffic from other users passes through another user’s PC – but running a Tor server is an easy way of “pulling in” other people’s internet traffic so that it passes through your machine. This opens the door to sniffing personal information such as email usernames and passwords – or at least email message content. Only if the webmail service uses HTTPS throughout will the Tor exit node be unable to read what the webmail user is receiving and sending, since the data will then be encrypted between the webmail server and the user’s browser.
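To make the mechanism concrete, here is an added toy model (not from the guide or from this post) of a three-hop circuit: a SHA-256 keystream stands in for Tor’s layered encryption, the relay names, session keys and the webmail.example login request are all constructed, and the model only shows which hop ends up holding the password in the clear.

```python
import hashlib
import os

RELAYS = ("guard", "middle", "exit")  # the three hops of a Tor circuit

def layer_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter keystream. Illustration only, not real crypto."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def new_circuit() -> dict:
    """One session key per hop, standing in for the keys the Tor handshake negotiates (constructed)."""
    return {name: os.urandom(16) for name in RELAYS}

def client_wrap(keys: dict, payload: bytes) -> bytes:
    """Client adds one layer per hop: innermost for the exit, outermost for the guard."""
    cell = payload
    for name in reversed(RELAYS):
        cell = layer_xor(keys[name], cell)
    return cell

def relay_views(keys: dict, cell: bytes) -> dict:
    """What each relay holds after peeling its own layer; the exit forwards the last one to the site."""
    views = {}
    for name in RELAYS:
        cell = layer_xor(keys[name], cell)
        views[name] = cell
    return views

def http_login(username: str, password: str) -> bytes:
    """Constructed webmail login request exactly as it travels over plain HTTP."""
    body = f"user={username}&pass={password}"
    return f"POST /login HTTP/1.1\r\nHost: webmail.example\r\n\r\n{body}".encode()

def https_login(tls_key: bytes, username: str, password: str) -> bytes:
    """Same request under HTTPS: one extra end-to-end layer keyed only between browser and server."""
    return layer_xor(tls_key, http_login(username, password))

def leaks_password(view: bytes, password: str) -> bool:
    """True if whoever holds this view can read the password without any key."""
    return password.encode() in view

def demo() -> dict:
    keys, tls_key, pw = new_circuit(), os.urandom(16), "s3cret-pw"
    http_views = relay_views(keys, client_wrap(keys, http_login("alice", pw)))
    https_views = relay_views(keys, client_wrap(keys, https_login(tls_key, "alice", pw)))
    return {"http_exit": leaks_password(http_views["exit"], pw),    # True: exit reads the login
            "http_guard": leaks_password(http_views["guard"], pw),  # False: still two layers deep
            "https_exit": leaks_password(https_views["exit"], pw)}  # False: TLS layer remains
```

Swapping the toy XOR layers for real ciphers changes nothing about the result: the exit always peels the last Tor layer, so only an end-to-end layer such as TLS keeps the login out of its view.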

So, is this big news? No. It has been well known for many years. The most famous case is from 2007, namely that of the Swedish security consultant Dan Egerstad, who set up five servers, volunteered them as Tor exit nodes, and collected a massive amount of usernames and passwords, many of them from various foreign government bodies:

http://searchsecurity.techtarget.com.au/news/2240022106/Embassy-hacker-Dan-Egerstad-and-the-Tor-network

Eavesdropping on Tor traffic: http://lwn.net/Articles/249388/

Researchers at Kaspersky very recently demonstrated that this kind of eavesdropping goes on all the time: http://www.kaspersky.com/images/Sambuddho%20Chakravarty-10-108180.pdf

Regards, Kjell A.

Videos of presentations at DerbyCon 2011 – a must-see for anyone in information security or intelligence

During the weekend of September 30 – October 2, DerbyCon took place in Louisville, Kentucky, at the Hyatt Regency hotel. Over those three days, a number of extremely skilled and knowledgeable speakers presented on different topics in three parallel tracks. All the presentations were video recorded and are now available online.

There is a very high likelihood that you will learn valuable things from watching these videos, either from an information security standpoint, or from an open source intelligence standpoint.

http://www.irongeek.com/i.php?page=videos/derbycon1/mainlist
http://www.derbycon.com/