Sensitive e-mail accounts exposed on Tor

September 12, 2007

A few weeks ago, Swedish security specialist Dan Egerstad exposed the login credentials of 100 e-mail accounts used on embassy and government servers. In a recent blog entry, Egerstad disclosed his methodology. He collected the information by running a specialized packet sniffer on five Tor exit nodes operated by his organization, DEranged Security. [1]

Tor has a known weakness: the last node through which traffic passes in the network has to decrypt the communication before delivering it to its final destination. Therefore the person operating that node can see the communication passing through their server. [2]

In the Tor documentation, users are informed repeatedly that they must secure "the last mile" to the target server themselves through a suitable end-to-end encryption mechanism (e.g. SSL, TLS or HTTPS). While this is generally well understood by technically "savvy" users, many inexperienced Tor users are unaware of this requirement or have not addressed it: they do not encrypt their e-mail or other web application traffic. The resulting risk on a volunteer-run network such as Tor is considerably higher than for unencrypted surfing from a DSL connection at home. [3]
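To make the "last mile" point concrete, here is an added toy model of a three-hop onion circuit, written for this post and not taken from it or from the Tor project: each relay peels one layer with its own key, so only the exit recovers the application payload, and only an application-layer key that no relay holds (TLS in practice) keeps that payload unreadable. The relay keys, the session key, the LOGIN line and the SHA-256 keystream cipher are all constructed for illustration; real Tor negotiates per-hop AES keys and never pre-shares them like this.

```python
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter-mode keystream.
    Encrypt and decrypt are the same operation. Illustration only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

# Constructed per-hop keys; in Tor these come from the circuit handshake.
RELAY_KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}
CIRCUIT = ["guard", "middle", "exit"]

def build_onion(payload: bytes) -> bytes:
    """Client wraps the payload in one layer per hop, innermost for the exit."""
    cell = payload
    for hop in reversed(CIRCUIT):
        cell = xor_stream(RELAY_KEYS[hop], cell)
    return cell

def relay_circuit(cell: bytes) -> dict:
    """Each relay strips only its own layer; record what every hop observed."""
    seen = {}
    for hop in CIRCUIT:
        cell = xor_stream(RELAY_KEYS[hop], cell)
        seen[hop] = cell
    return seen

# Constructed sample credential, the kind of thing an unencrypted IMAP login carries.
LOGIN = b"LOGIN user@embassy.example hunter2"

def exit_view(end_to_end: bool) -> bytes:
    """Bytes the exit relay forwards to the mail server.
    Without end-to-end encryption this is the plaintext login; with it,
    the exit only sees ciphertext under a key shared by client and server."""
    app_key = b"tls-session-key-known-only-to-endpoints"  # hypothetical TLS key
    payload = xor_stream(app_key, LOGIN) if end_to_end else LOGIN
    return relay_circuit(build_onion(payload))["exit"]
```

The guard and middle hops never see the login in either case; the exit sees it exactly when the application layer left it unencrypted.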

Egerstad's findings also help reveal some of the more "interesting" organizations that run the roughly 1,000 Tor exit nodes (the Tor network relies on volunteers to donate their bandwidth; the only requirement is at least 20 KBps each way). Among others, these nodes include:

* Nodes named devilhacker, hackershaven
* Nodes hosted by illegal hacker groups
* Nodes hosted by criminal identity stealers
* Nodes hosted anonymously on dedicated servers for Tor costing the owner US$100-500 per month
* Nodes in over 50 countries with unknown owners [4]

But Egerstad is quick to remark that "ToR isn't the problem, just use it for what it's made for." In fact, the Tor FAQ states that "if you are worried about somebody intercepting your traffic and you're *not* using end-to-end encryption at the application layer, then something has already gone wrong and you shouldn't be thinking that Tor is the problem." [5]

1. "Security expert used Tor to collect government e-mail passwords", Ars Technica, September 10, 2007

2. "Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise", Wired, September 10, 2007

3. "Phishing attacks on Tor anonymisation network", heise Security, September 11, 2007

4. "Time to reveal...", DEranged Security, September 10, 2007

5. "TheOnionRouter/TorFAQ", Noreply Wiki, September 11, 2007