Friday, 17 July 2009

Using the Web Anonymously

While writing a short article that explains how to use the web anonymously, I remembered that someone had used the Tor anonymising network to capture email passwords. I found an interesting article about this at LWN.net. The upshot is that there can be a significant difference between privacy and security.

An anonymising service will hide your IP address from the servers you access, which means that you enjoy an element of privacy because the website doesn't know it is 'you' calling. However, the minute you authenticate (such as when you enter a username and password) you identify yourself.

Passwords are a security measure - you don't want other people to access your email, for example. The server knows it's you now, because you've logged in, which means that there was little point in anonymising the connection. In fact, using Tor or similar services could mean directing your sensitive traffic through 'enemy' computers that are on the lookout for cleartext data such as POP3 passwords, FTP logins and Telnet sessions. It's worth remembering that it's not always a good idea to anonymise your web connection.