Phishing attacks on Tor anonymisation network

It seems the recently publicised list containing the log-in credentials of e-mail accounts of embassies and government institutions was gathered through insecure use of the Tor anonymisation network. The Swede Dan Egerstad, who has also posted the list on his blog, has now explained how he gained access to the 100 log-ins and passwords: he equipped five Tor exit nodes with password sniffers to analyse the data traffic routed through these nodes. While the Tor network provides IP address anonymisation, it is by no means trustworthy in itself, since anybody can operate an exit node. Although the data is encrypted within the Tor network, the exit nodes have unencrypted access to it if Tor users send their data without encrypting it themselves. Of course, this exposure affects not only e-mail log-ins, but also web pages and any other data routed through the Tor network.

In the Tor documentation, Tor users are informed repeatedly that they must secure “the last mile” to the target server themselves with a suitable end-to-end encryption mechanism (e.g., SSL, TLS or HTTPS). While this is generally well understood by technically “savvy” users, many inexperienced Tor users are unaware of this requirement or have not addressed it; they do not encrypt their e-mail sessions or their other web traffic. The resulting risk on a community-run network such as Tor is considerably higher than for unencrypted surfing from a DSL connection at home.
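To make the “last mile” problem concrete, here is an added example (not from the article and not part of Egerstad's setup) written the way a defender auditing their own outbound traffic would: it classifies captured application-layer payloads as TLS-protected, cleartext without credentials, or cleartext carrying a log-in, and reports only the protocol, never the credential itself. The sample payloads are constructed and the user names and passwords in them are made up.

```python
import base64
import re

# Constructed sample payloads standing in for what an exit node sees on the
# "last mile" after the Tor tunnel ends. Names and secrets are made up.
SAMPLES = {
    "pop3": b"USER embassy-user\r\nPASS hunter2\r\n",
    "imap": b"a001 LOGIN alice \"s3cret\"\r\n",
    "smtp": b"AUTH PLAIN " + base64.b64encode(b"\0bob\0pa55word") + b"\r\n",
    "http": (b"GET /webmail HTTP/1.1\r\nHost: mail.example\r\nAuthorization: Basic "
             + base64.b64encode(b"carol:letmein") + b"\r\n\r\n"),
    "http-anon": b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n",
    # TLS record header: content type 0x16 (handshake), version 3.1 (TLS 1.0)
    "tls": bytes.fromhex("160301002f01") + b"\x00\x00\x2b\x03\x03" + b"\x00" * 40,
    "binary": b"\x8f\x12\x00\xff",
}

# Credential-bearing commands of the protocols the article mentions (mail
# log-ins, web pages). Patterns are matched against upper-cased lines.
_CLEARTEXT_AUTH = [
    ("pop3", re.compile(r"^PASS ")),
    ("imap", re.compile(r"^\S+ (LOGIN \S+ \S+|AUTHENTICATE PLAIN)")),
    ("smtp", re.compile(r"^AUTH (PLAIN|LOGIN)")),
    ("http", re.compile(r"^AUTHORIZATION: BASIC ")),
]


def classify(payload):
    """Return 'tls', 'cleartext', 'cleartext-auth:<proto>' or 'unknown'.

    Only the verdict is returned; credential values are never extracted.
    """
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"  # TLS handshake record: an exit node sees only ciphertext later
    try:
        text = payload[:4096].decode("ascii")
    except UnicodeDecodeError:
        return "unknown"  # not a text protocol; cannot tell without more context
    for line in text.split("\r\n"):
        for proto, pattern in _CLEARTEXT_AUTH:
            if pattern.match(line.upper()):
                return "cleartext-auth:" + proto
    return "cleartext"  # readable by the exit node, but no log-in in this payload


def audit(flows):
    """Map each flow name to its verdict so exposed log-ins can be listed."""
    return {name: classify(payload) for name, payload in flows.items()}


def exposed_logins(flows):
    """Names of flows whose credentials an exit node could read."""
    return sorted(n for n, v in audit(flows).items() if v.startswith("cleartext-auth:"))
```

Running `exposed_logins(SAMPLES)` lists the four mail and web flows that would have handed their credentials to a sniffing exit node; only the TLS flow is safe regardless of who runs the node.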
