There’s an interesting story at The Register about the recent leaking of embassy credentials amongst others, by an individual in Sweden.
The story is that someone set up some Tor exit nodes and then sniffed the traffic that came out over them.
There’s several interesting points that come out from this, I think.
- Understand the type of security provided by a system. Tor is not end-to-end encryption and you are trusting the exit node as you would trust an ISP router.
- What was done here can be done by any ISP employee. A Tor exit node is essentially like an ISP router. Anything that can be gained by sniffing a TOR exit node could also be gained by any employee of an ISP for the traffic that that ISP handles.
- Embassy users are logging on to their services in the clear!? The main problem here seems to be that embassy staff are logging on to e-mail systems in the clear over an untrusted network (the Internet). It seems odd that they’d go to the trouble of using Tor to anonymise their traffic but not go to the trouble of using SSL or an equivalent to protect their logon credentials end-to-end…