Tor, the tool of choice for bypassing the GFW, should be used with caution. The Tor client connects to random Tor servers across the internet which in turn connect to sites made inaccessible by filtering tools such as the GFW. It’s a tremendously effective proxy service.

But, like all proxy services, it should be used with caution. If it’s used to authenticate to a site your user ID and password can easily be harvested by the Tor server your connection passes through. That’s what happened last month when Dan Egerstad announced that he had captured the login IDs and passwords for about 1,000 email accounts - including those for a number of embassies.

Tor provides anonymity, not security. Anytime you provide your user ID and password you should be using an SSL or a VPN connection. And you should always make sure the SSL certificate is valid.

You can make an SSL connection over Tor, but you should be aware that the encrypted connection is between the exit server of the Tor network and the site you’re going to. That means you should be aware that any information (including where you may be going to) would be captured by Tor servers in the network.

This holds true for any proxy service, free, commercial, or otherwise. What makes Tor superior to these other options (even though performance can be poor) is its anonymity. The connection is made through multiple servers who are only aware of the previous and next links in the chain. Even though one of those servers could be capturing data, it would be extremely difficult to target specific users.

So watch your step, it’s a jungle out there.

Article from the always invaluable Register here.

Share This