HTTPS over TOR

Discussion in 'Computer Security' started by Mr User, May 11, 2006.

  1. Mr User

    Mr User Guest

    Quick question!

    If I visit a web site using HTTPS (SSL) while running Tor/Privoxy will
    the host site see my true IP or the Tor exit node IP.

    Thanks

    PS If this is the wrong group do please direct me to the correct group.
     
    Mr User, May 11, 2006
    #1
    1. Advertising

  2. -----BEGIN PGP SIGNED MESSAGE-----
    Hash: RIPEMD160

    Mr User wrote:

    > Quick question!
    >
    > If I visit a web site using HTTPS (SSL) while running Tor/Privoxy will the
    > host site see my true IP or the Tor exit node IP.


    The Tor exit node IP. The SSL connection is basically "tunneled" through
    Tor just like any other connection.

    An off the wall comment though, I believe that during an SSL handshake the
    client (you) suggests connection parameters like SSL version and key
    exchange, and the server accepts or rejects those suggestions. This
    *might* mean that you could be partitioned by version number or uniquely
    identified by an individually crafted SSL certificate if you're not
    careful. Careful, as in paying attention to any warnings about funny
    certificates and such.

    But these little niggles aside you're as secure as you can be. A bit more
    secured than just using plain vanilla HTTP because the Tor exit node can't
    see any content. They know where you're going, not what you're doing.

    > PS If this is the wrong group do please direct me to the correct group.


    This sort of discussion takes place quite a bit in alt.privacy and
    alt.privacy.anon-server, but there's no reason it can't be discussed here.
    In the future you might want to pose your questions there also.
    -----BEGIN PGP SIGNATURE-----

    iD8DBQFEY8Ntno5iexlRIBERA95HAKCiB1j1OO3OkbMkcbczwPVv/bMIOgCgik4I
    nu2ttYGgVZdB8PtCjkJRgUU=
    =vCvl
    -----END PGP SIGNATURE-----
     
    Sheik Yurbhuti, May 12, 2006
    #2
    1. Advertising

  3. Mr User

    Mr User Guest

    Sheik Yurbhuti wrote:
    > Mr User wrote:
    >
    >> Quick question!
    >>
    >> If I visit a web site using HTTPS (SSL) while running Tor/Privoxy will the
    >> host site see my true IP or the Tor exit node IP.

    >
    > The Tor exit node IP. The SSL connection is basically "tunneled" through
    > Tor just like any other connection.
    >
    > An off the wall comment though, I believe that during an SSL handshake the
    > client (you) suggests connection parameters like SSL version and key
    > exchange, and the server accepts or rejects those suggestions. This
    > *might* mean that you could be partitioned by version number or uniquely
    > identified by an individually crafted SSL certificate if you're not
    > careful. Careful, as in paying attention to any warnings about funny
    > certificates and such.
    >
    > But these little niggles aside you're as secure as you can be. A bit more
    > secured than just using plain vanilla HTTP because the Tor exit node can't
    > see any content. They know where you're going, not what you're doing.
    >
    >> PS If this is the wrong group do please direct me to the correct group.

    >
    > This sort of discussion takes place quite a bit in alt.privacy and
    > alt.privacy.anon-server, but there's no reason it can't be discussed here.
    > In the future you might want to pose your questions there also.


    Many thanks.
    I was just curious when using Torrified connections with Hushmail. I
    will indeed subscribe to alt.privacy.anon-server but find alt.privacy
    more a news resource.
     
    Mr User, May 12, 2006
    #3
  4. Mr User

    Guest

    As Sheik Yurbhuti already mentioned, you should pay attention to the
    certificates: the Tor exit node is in the favorable position to perform
    a MITM attack against SSL.

    You might want to configure Tor to avoid to exit in certain places.
     
    , May 12, 2006
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. MiLi
    Replies:
    2
    Views:
    8,468
  2. Mark

    Re: WTF happened to Tor?

    Mark, Jan 5, 2005, in forum: Computer Security
    Replies:
    8
    Views:
    603
    Doctor
    Jan 7, 2005
  3. Jon Doe
    Replies:
    1
    Views:
    765
    John Oliver, Jr. [MVP]
    May 30, 2007
  4. koraykazgan

    Call WebService over https via proxy...

    koraykazgan, Aug 16, 2007, in forum: Software
    Replies:
    0
    Views:
    1,372
    koraykazgan
    Aug 16, 2007
  5. Theo Markettos

    VOIP over VPN over TCP over WAP over 3G

    Theo Markettos, Feb 3, 2008, in forum: UK VOIP
    Replies:
    2
    Views:
    970
    Theo Markettos
    Feb 14, 2008
Loading...

Share This Page