As comments get less attention than regular entries, I've taken the liberty of turning Shava Nerad's comment into a full post, as he or she makes some very important points with regard to security on the internet, and not just when using Tor. Thanks for the feedback and time, Shava!
Thanks for your defense of Tor! I need to point out that, although the Tor network was used in this case, probably millions of usernames and passwords are exposed on unencrypted wireless, daily, all over the world.
It is important, I think, to understand that you should never give a username and password to a web site that has an "http" address, only to "https" addresses. A connection through Tor can be encrypted end-to-end -- but only if one is communicating with a secure protocol -- https: and encrypted chat would both be examples of this.
We are very careful, usually, to only put a credit card into a web page that has a "lock" symbol in the corner of the browser window. Everyone should be equally careful never to give a username and password to a page that is not "locked" -- not secure.
You should at the least use different passwords for insecure accounts, like those at theregister.co.uk and wired.com (which ran the embassy story today), which ask you to give a username/password on an unencrypted link. But even this can open you up to people posting things you wouldn't wish to have said in your name.
It is only through understanding our security online -- through understanding tools such as Tor, and what https: means, and what a phishing attack is, and so on, that we can manage our risks online.
The last node through which traffic passes in the Tor network does not in fact need to pass data to the destination unencrypted -- if the origin and destination are using a protocol that supports encryption.
You wouldn't say that the people who make your backup software are at fault if they don't force you to back up your files regularly. We, like the backup software creator, warn people in our documentation that the protection of Tor is not foolproof without educated and disciplined use. And like backup software, if you don't use it right, it can do nothing to change what has already occurred.
We have advised, and continue to advise users of the Tor network to use encryption end-to-end whenever it is prudent and/or possible. But those end-to-end encrypted products (https, encrypted versions of email and chat) are available to the users in many forms -- it would not be proper for us to dictate what people should use, but only encourage them to take precautions.
Shava Nerad
Development Director
The Tor Project
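To make Shava's point about the last hop concrete, here is an added example; it is not code from the original post or from the Tor Project. It models what an exit node can learn from two constructed messages: a login POST over plain http://, and the same login wrapped in TLS (the "ciphertext" bytes are filler, not a real TLS record from any server). It also encodes the rule from the post as a check that only passes for https:// URLs. Hostnames, paths and credentials in the samples are made up.

```python
"""
Added example, not code from the original post or from the Tor Project.
It models the point above: the last Tor hop relays whatever bytes the
client sent, so an http:// login exposes the credentials to it, while a
TLS-wrapped login exposes only opaque records.  Both inputs are
constructed samples; the "TLS" bytes are filler, not real ciphertext.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed: the bytes an exit node would relay for a login over plain http://.
PLAINTEXT_LOGIN = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)

# Constructed: the same login over https://, as the exit node would see it.
# One TLS 1.2-style application-data record: type 0x17, version 0x0303,
# length 0x0020, then 32 filler bytes standing in for the ciphertext.
TLS_LOGIN = b"\x17\x03\x03\x00\x20" + bytes(range(0xA0, 0xC0))

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")


def exit_node_view(raw):
    """Return what an exit node can learn from one relayed message."""
    if raw.startswith(HTTP_METHODS) and b"\r\n\r\n" in raw:
        # Plain HTTP: request line, headers and body are all readable.
        head, body = raw.split(b"\r\n\r\n", 1)
        lines = head.decode("ascii", "replace").split("\r\n")
        request_line, headers = lines[0], {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = body[:length]
        view = {
            "plaintext": True,
            "request": request_line,
            "host": headers.get("host"),
            "credentials": {},
        }
        if headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"
        ):
            form = parse_qs(body.decode("ascii", "replace"))
            view["credentials"] = {k: v[0] for k, v in form.items()}
        return view
    if len(raw) >= 5 and raw[0] == 0x17 and raw[1] == 0x03:
        # Application data over TLS: only the record type and length are visible.
        record_len = int.from_bytes(raw[3:5], "big")
        return {"plaintext": False, "record_bytes": record_len, "credentials": {}}
    return {"plaintext": None, "credentials": {}}


def safe_to_submit_credentials(url):
    """The rule from the post: only hand a username/password to an https:// page."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


if __name__ == "__main__":
    for label, message in (("http", PLAINTEXT_LOGIN), ("https", TLS_LOGIN)):
        print(label, "->", exit_node_view(message))
    for url in ("http://example.com/login", "https://example.com/login"):
        print(url, "safe:", safe_to_submit_credentials(url))
```

Run as a script it prints the two views side by side: the http case yields the host, the request line and the username/password pair, the https case yields nothing but a record length. The same asymmetry holds for any eavesdropper on the path, which is why the advice applies to open wireless as much as to Tor.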
Comments
After a couple days of chasing blogs, it's wonderful to see that someone appreciated something I wrote! It's a bit easy to feel like a voice crying in the wilderness on this stuff...
*thanks*!
Shava
p.s. I'm female, btw, for future reference :)
Posted by: Shava Nerad at September 12, 2007 1:00 PM
I always read the comments too! ;-)
Posted by: Nadia at September 17, 2007 8:22 AM