[Freedombox-discuss] Onion Pi
On 17 Sep 2013 15:32, "Petter Reinholdtsen" <pere at hungry.com> wrote:
> or by configuring privoxy, dnsmasq and redsocks with iptables to pass
> all traffic passing through the Freedombox via Tor.
>
> Is there some reason not to do this by default?
Hi!
There are some good reasons not to run unencrypted traffic through Tor:
- malicious exit nodes will be studying all unencrypted traffic passing
through them - badly-secured websites still send session cookies
unencrypted, for example.
- the exit node can very easily inject arbitrary Javascript into the web
page. This is bad. I don't think Javascript-enabled browsers should use
Tor. (Ditto for Flash/Java.)
For fully encrypted traffic, you still need to be careful of MITM attacks.
Again this is easy for a malicious exit node. You can think of Tor as
subjecting yourself to a deliberate MITM. :)
I have heard anecdotal evidence that the above is happening routinely on
Tor, FWIW.
Tim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20130917/ffeedddb/attachment.html>
Reply to: